Smithfraud-c.coreservice infection



SavageBites
2008-01-08, 03:27
Hello,

My machine has been infected with smithfraud-c.coreservice.

Spybot detects and attempts to remove it after a scan and after restarting, but to no avail.

HJT Log.....

Any expert advice?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:32 PM, on 1/7/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
E:\iTunesHelper.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\winnt\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.22.52:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F3 - REG:win.ini: load=C:\winnt\system32\ssqpn.exe
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\winnt\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunesHelper.exe"
O4 - HKLM\..\Run: [runner1] C:\winnt\mrofinu1000512.exe 61A847B5BBF72813329B385373FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [troy44] C:\winnt\troy44.exe
O4 - HKLM\..\Run: [{BB-B0-0C-C6-ZN}] C:\DOCUME~1\Steven1\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [ESP] c:\Program Files\Cox\Applications\app\start.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Steven1\Local Settings\Temp\T0CHD001.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195756528468
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://starwarsgalaxies.station.sony.com/images/downloads/DroidInvasion_Version2.4_1280x1024.jpg

--
End of file - 8743 bytes

Shaba
2008-01-10, 11:36
Hi SavageBites and welcome to Safer Networking Forums :)

Rename HijackThis.exe to Savage.exe and post back a fresh HijackThis log, please.

SavageBites
2008-01-10, 22:17
Hello,

Since my last post I have run ComboFix.exe.

After having to reinstall my Winsock services, the problems appear to have gone away.

But I cannot be sure.

New log after renaming HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:34 PM, on 1/10/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\RUNDLL32.EXE
E:\iTunesHelper.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Trend Micro\HijackThis\Savage.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://starwarsgalaxies.station.sony.com/images/downloads/DroidInvasion_Version2.4_1280x1024.jpg

--
End of file - 1338 bytes

Thanks for looking into this.

Shaba
2008-01-11, 10:34
Hi

First of all, you are supposed to follow instructions and not run tools on your own.

Have you ignored some HijackThis entries, as the log is very short?

SavageBites
2008-01-13, 02:08
New Log File.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:40 PM, on 1/12/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\Program Files\Cox\Applications\App\syssvcnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
E:\iTunesHelper.exe
C:\winnt\system32\ctfmon.exe
C:\Program Files\Cox\Applications\app\Console.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Savage.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.22.52:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\winnt\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunesHelper.exe"
O4 - HKLM\..\Run: [troy44] C:\winnt\troy44.exe
O4 - HKLM\..\Run: [ESP] C:\Program Files\Cox\Applications\app\start.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\winnt\web\related.htm
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www3.authentium.com/cssrelease/bin/wizard.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195756528468
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cox High Speed Internet Security Suite System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\Cox\Applications\App\syssvcnt.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\winnt\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\winnt\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - http://starwarsgalaxies.station.sony.com/images/downloads/DroidInvasion_Version2.4_1280x1024.jpg

--
End of file - 7843 bytes

Shaba
2008-01-13, 11:31
Hi

Please post back next combofix log (C:\ComboFix.txt) :)

SavageBites
2008-01-17, 05:02
ComboFix Log

Running ComboFix kills my internet connection requiring me to reinstall TCP/IP services.

ComboFix 08-01-09.2 - Steven1 01/16/2008 22:13:03.4 - NTFSx86
Running from: C:\Documents and Settings\Steven1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\winnt\t\

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-16 22:18 . 08-01-16 22:18 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3b8.dat
2008-01-08 23:21 . 02-09-22 21:37 80,896 -ra------ C:\WINNT\system32\drivers\NVENET.sys
2008-01-08 23:21 . 02-09-22 21:37 1,024 -ra------ C:\WINNT\system32\drivers\jedih2rx.bin
2008-01-08 23:21 . 02-09-22 21:37 122 -ra------ C:\WINNT\system32\drivers\ramsed.bin
2008-01-08 23:21 . 02-09-22 21:37 42 -ra------ C:\WINNT\system32\drivers\jedireg.pat
2008-01-08 20:02 . 00-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-07 21:04 . 08-01-07 21:04 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-07 02:09 . 08-01-07 02:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 02:09 . 08-01-07 02:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-07 00:48 . 08-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Aluria
2008-01-05 02:52 . 08-01-07 20:49 746 --a------ C:\WINNT\wininit.ini
2008-01-05 01:46 . 08-01-05 02:27 <DIR> d-------- C:\Program Files\kernel
2008-01-05 01:44 . 08-01-08 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-01-05 01:44 . 08-01-05 01:44 39,936 --a------ C:\WINNT\17PHolmes1000512.exe
2008-01-05 01:43 . 08-01-07 02:40 <DIR> d-a------ C:\WINNT\system32\mr9
2008-01-05 01:43 . 08-01-05 01:43 <DIR> d-a------ C:\WINNT\system32\ardCo17
2008-01-05 01:43 . 08-01-07 02:40 <DIR> d-a------ C:\WINNT\system32\aj2
2008-01-05 01:43 . 08-01-05 01:43 <DIR> d-------- C:\temp\cEeer12
2008-01-05 01:43 . 08-01-05 01:43 39,936 --a------ C:\WINNT\17PHolmes1239.exe
2008-01-05 01:43 . 08-01-05 01:43 39,936 --a------ C:\WINNT\17PHolmes1000106.exe
2008-01-04 09:34 . 08-01-15 23:06 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-01-04 09:34 . 08-01-04 09:34 1,409 --a------ C:\WINNT\QTFont.for
2007-12-20 22:13 . 07-12-20 22:13 <DIR> d-------- C:\Program Files\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-07 07:09 --------- d-----w C:\Program Files\Lavasoft
2008-01-07 07:07 --------- d-----w C:\Documents and Settings\Steven1\Application Data\Lavasoft
2008-01-07 05:47 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2008-01-07 05:39 --------- d-----w C:\Program Files\Common Files\PestPatrol
2008-01-07 05:25 --------- d-----w C:\Program Files\TurboTax
2008-01-07 05:25 --------- d-----w C:\Program Files\Common Files\Intuit
2008-01-05 07:27 --------- d-----w C:\Program Files\QuickTime
2008-01-05 07:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-05 06:44 --------- d-----w C:\Program Files\Accessories
2007-12-05 03:21 --------- d-----w C:\Program Files\NCH Swift Sound
2007-12-05 03:21 --------- d-----w C:\Documents and Settings\Steven1\Application Data\NCH Swift Sound
2007-12-04 20:19 --------- d-----w C:\Program Files\Yahoo! Games
2007-12-04 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo
2007-12-04 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-11-22 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2003-11-09 23:12 271 ---h--w C:\Program Files\desktop.ini
2003-11-09 23:12 21,952 -c-h--w C:\Program Files\folder.htt
2002-08-27 18:04 58,871 -c--a-w C:\Program Files\viewsonicinstruct_2k.pdf
2000-11-23 05:00 744 -c--a-w C:\Program Files\FILE_ID.DIZ
2000-11-23 05:00 50 -c--a-w C:\Program Files\GM.URL
2000-11-23 05:00 5,039 -c--a-w C:\Program Files\GM.RPT
2000-11-23 05:00 25,454 -c--a-w C:\Program Files\GM.EXE
2000-11-23 05:00 14,305 -c--a-w C:\Program Files\RAWRITE.EXE
2000-11-23 05:00 12,940 -c--a-w C:\Program Files\GM.TXT
2000-11-23 05:00 1,474,560 -c--a-w C:\Program Files\FLOPPY.IMG
2000-11-23 05:00 1,423 -c--a-w C:\Program Files\INSTALL.BAT
.

----a-w 62,952 2008-01-08 23:54:13 C:\Program Files\Cox\Applications\App\start .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 C:\WINNT\system32\CTFMON.EXE]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [ ]
"kernel"="C:\Program Files\kernel\kernel.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [ ]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [ ]
"AS00_Gear311T"="C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe" [ ]
"NVCLOCK"="nvclock.dll" [03-04-14 09:59 81920 C:\WINNT\system32\nvclock.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"NvCplDaemon"="C:\winnt\system32\NvCpl.dll" [06-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [06-10-22 12:22 1622016 C:\WINNT\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"NvMediaCenter"="C:\winnt\system32\NvMcTray.dll" [06-10-22 12:22 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="E:\iTunesHelper.exe" [07-07-27 19:14 271672]
"troy44"="C:\winnt\troy44.exe" [ ]
"ESP"="C:\Program Files\Cox\Applications\app\start.exe" [07-05-09 13:40 62952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-08-04 21:24:28]

R3 KodakPPCAM;Kodak EZ200 DIGITAL CAMERA;C:\winnt\system32\DRIVERS\DC31VID.sys [00-07-17 13:04 ]
R3 openhci;Microsoft USB Open Host Controller Driver;C:\winnt\system32\DRIVERS\openhci.sys [03-06-19 14:05 ]
R3 PA7333I;Kodak Webcam Explorer Bulk Mode Device;C:\winnt\system32\DRIVERS\DC31Bulk.sys [00-07-14 09:53 ]
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\winnt\system32\Drivers\ousbehci.sys [07-03-14 11:10 ]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\winnt\system32\AWINDIS5.SYS [02-04-11 17:43 ]
S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;C:\winnt\system32\DRIVERS\wg311tn5.sys [04-03-08 16:12 ]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-16 03:55:05 C:\winnt\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 22:18:34
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-16 22:21:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 03:21:18
ComboFix2.txt 2008-01-09 03:34:27
ComboFix3.txt 2008-01-09 01:11:55
.
2008-01-08 23:52:29 --- E O F ---

Shaba
2008-01-17, 11:28
Hi

If you have trouble with your internet connection after running ComboFix, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix#restore)

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINNT\17PHolmes1000512.exe
C:\WINNT\17PHolmes1239.exe
C:\WINNT\17PHolmes1000106.exe
C:\Program Files\Cox\Applications\App\start .exe

Folder::
C:\WINNT\system32\mr9
C:\WINNT\system32\ardCo17
C:\WINNT\system32\aj2
C:\temp\cEeer12
C:\Program Files\kernel

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kernel"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"troy44"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happens we want to know, and also which process you had to end.
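As an added illustration of the CFScript format the helper uses above (this is example code, not part of the thread and not from the HijackThis or ComboFix authors), the script below parses HijackThis O4 Run-key lines like those in the first log, flags the two locations that stood out in it (an executable directly in the Windows directory or under a Temp folder) as a triage hint, and renders File::, Folder:: and Registry:: blocks in the same layout as the helper's CFScript. The sample lines are copied from the thread; the removal list is the helper's, not the heuristic's.

```python
"""HijackThis O4 triage and CFScript rendering.  Added example, not code from
the thread, HijackThis or ComboFix; the flagging rule is a hint, not a verdict."""
import re

# Constructed sample: O4 lines copied from the first log in the thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [troy44] C:\winnt\troy44.exe
O4 - HKLM\..\Run: [{BB-B0-0C-C6-ZN}] C:\DOCUME~1\Steven1\LOCALS~1\Temp\T0CHD001.exe CHD001
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Steven1\Local Settings\Temp\T0CHD001.exe
"""

# Full key paths that the HJT "HKLM\..\Run" / "HKCU\..\Run" shorthand stands for.
HIVES = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# A leading drive-letter path, optionally quoted, ending in an executable extension.
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com))(?:"|\s|,|$)', re.I)


def parse_o4(log_text):
    """One dict per Run-key O4 line: hive, value name, command line, and the
    executable path when the command starts with one (else None)."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        pm = PATH_RE.match(m.group("cmd"))
        entries.append({
            "hive": m.group("hive"),
            "name": m.group("name"),
            "cmd": m.group("cmd"),
            "path": pm.group("path") if pm else None,
        })
    return entries


def is_suspicious(path):
    """Triage hint: an autostart living directly in the Windows directory or
    under a Temp folder, as troy44.exe and T0CHD001.exe do in the thread."""
    if path is None:
        return False
    parts = path.lower().split("\\")
    if "temp" in parts[:-1]:
        return True
    # C:\winnt\foo.exe splits into exactly ['c:', 'winnt', 'foo.exe'].
    return len(parts) == 3 and parts[1] in ("winnt", "windows")


def build_cfscript(entries, remove_names, files=(), folders=()):
    """Render a CFScript in the layout the helper posted: File:: and Folder::
    blocks list paths to delete; each Registry:: block names the full Run key
    and removes a value with "name"=-."""
    lines = []
    if files:
        lines += ["File::"] + list(files) + [""]
    if folders:
        lines += ["Folder::"] + list(folders) + [""]
    by_hive = {}
    for e in entries:
        if e["name"] in remove_names:
            by_hive.setdefault(e["hive"], []).append(e["name"])
    if by_hive:
        lines.append("Registry::")
        for hive in ("HKCU", "HKLM"):
            if hive in by_hive:
                lines.append("[%s]" % HIVES[hive])
                lines += ['"%s"=-' % n for n in by_hive[hive]]
                lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_o4(SAMPLE_HJT)
    print("review:", [e["name"] for e in found if is_suspicious(e["path"])])
    # Names and paths chosen by the helper in this thread, not by the heuristic.
    print(build_cfscript(found, {"kernel", "troy44"},
                         files=[r"C:\WINNT\17PHolmes1239.exe"], folders=[r"C:\Program Files\kernel"]))
```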

Shaba
2008-01-22, 10:50
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.