Malware? Trojan Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by bizzo, Jun 11, 2006.

  1. bizzo

    bizzo Private E-2

    I have a service.exe problem. It's showing up "only" in CounterSpy, which removes it, and it shows back up again on reboot. I've tried to manually delete the service.exe and it just recreates itself instantly. The rest did nothing for me. I've been working on this problem by myself for what seems like 10 hours a day for 5 days now and am at the point of throwing the computer in the trash. All help will be greatly appreciated.

    I've done the scans with Lavasoft, Spybot S&D, CounterSpy as well as Microsoft Anti.. My Norton files are corrupt.. I tried to uninstall.. and it didn't work out.. None of the online scanners work due to this problem. I try to download the ActiveX and get a message from Norton that files are missing and it won't run. ZoneLabs antivirus is showing no current problems.

    I don't see anything crazy in HijackThis. Explorer and iexplore.exe are both running full time right at startup sending info to the Internet. ZoneAlarm is showing all information is being sent to 216.127.82.157:80. I have no idea why other than spyware/malware.

    If I try and force iexplore closed via Task Manager.. it just loads itself back up.
    I've attached a HijackThis log.. I did try and remove something that I knew looked wrong.. but I rebooted and back they came.

    Any help at this point would be great.. I've nothing left that I can do, other than to wipe everything and start over. Which I really can't afford to do.. but I can't let my info keep getting sent to this unknown IP.
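The file named in this post, service.exe, is one letter short of the legitimate services.exe, which is a common impostor pattern. The following script is an added example (not from the thread or any tool mentioned in it) that flags process names within a small edit distance of known Windows binaries, or known binaries running from the wrong directory; the KNOWN_GOOD table and the SAMPLE process list are constructed for the demonstration.

```python
"""Flag processes whose names or paths impersonate legitimate Windows binaries.

Added example, not code from the original thread. KNOWN_GOOD is an assumed,
deliberately short allow-list; SAMPLE is a constructed process listing
modelled on the thread (an extra 'service.exe' in system32).
"""

# Legitimate XP-era system binaries and the directory each normally lives in.
KNOWN_GOOD = {
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name: str, directory: str) -> str:
    """Return 'ok', 'wrong-path', 'lookalike:<real name>' or 'unknown'."""
    name, directory = name.lower(), directory.lower().rstrip("\\")
    if name in KNOWN_GOOD:
        return "ok" if directory == KNOWN_GOOD[name] else "wrong-path"
    for good in KNOWN_GOOD:
        if levenshtein(name, good) <= 2:  # one or two characters off a real name
            return f"lookalike:{good}"
    return "unknown"

def scan(processes):
    """Return (name, directory, verdict) for every process that is not 'ok'."""
    return [(n, d, classify(n, d)) for n, d in processes if classify(n, d) != "ok"]

# Constructed sample: the real services.exe plus the impostor from the thread.
SAMPLE = [
    ("services.exe", r"C:\WINDOWS\system32"),
    ("service.exe", r"C:\WINDOWS\system32"),
    ("explorer.exe", r"C:\WINDOWS"),
    ("svchost.exe", r"C:\WINDOWS\temp"),
    ("notepad.exe", r"C:\WINDOWS\system32"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Anything reported as 'unknown' is simply outside the allow-list, not necessarily malicious; the lookalike and wrong-path verdicts are the ones worth investigating first.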

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Let's start by getting Norton off your system. This will cause problems as we try to figure out what is the issue.

    http://service1.symantec.com/support/nav.nsf/docid/2001092114452606
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=

    HijackThis is not properly installed. Install HijackThis to C:\Program Files\HJT.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. bizzo

    bizzo Private E-2

    Thank you much for the quick reply! I appreciate it. Before I read your reply, I found an online scan program from housecall65.trendmicro.com. It uses Java, so it didn't mess with the Norton problem and the scan was able to run. It found some malware that couldn't be removed in the system32 dir: iefilter.dll.

    I then ran the Norton fix (thank you). Ran the BitDefender Online Scanner; it found nothing, but I've attached the logs. Ran CounterSpy again, tried to clean the Lame Rat (service.exe) from the system. Rebooted to safe mode. Followed the checklist: CCleaner first, then Malicious Software Removal (came up empty), Ad-Aware (empty), but just so you know, it did find and remove win32.trojan downloader on June 9th. Ran Spybot again.. It keeps finding WildTangent in the registry. I'm unsure if it's being re-added or if Spybot is having trouble removing it. Couldn't get Defender to run in safe mode, so I searched for service.exe in safe mode. It had re-appeared, so I deleted it manually. I searched out the iefilter.dll (this does look like it's the problem): created date of 2004 but a modified date of 2003. I changed the name of the iefilter.dll to iefilter.bak. I made a HijackThis log in safe mode. I've also made a HijackThis log in normal mode. Any help with these would be appreciated greatly. Also ZoneAlarm loads up very late in the startup order. I assume this might be an issue at some point? I'm unsure how to change it, to make it first so it loads up ASAP.
    I've rebooted and currently the only problem that I see right away is why ZoneAlarm is getting incoming hits from 192.168.1.1 and 192.168.1.104 (is this normal?)


    I have not run the other online scan yet, but will right now. Every scan has been taking about 1.5 hrs. Wanted to get my progress thus far posted.

    Thanks!

  4. bizzo

    bizzo Private E-2

    OK I've run Panda.. and it did find 4 things.. no offer to remove them. I've attached the log.

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin

    And click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  6. bizzo

    bizzo Private E-2

    Thank you! OK, I've followed the instructions to the letter.

    Here is the new HijackThis log.

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean. Post your CounterSpy log so that I can see what it is finding.