Summary: Was receiving Service and Controller App error message, once "dont send" was clicked a message notifying me my computer would shutdown in 60 seconds appeared. i used run>shutdown -a to get rid of that, but i'd constantly freeze and be unable to install any of the programs suggested on this forum so i went into safe mode and was able to run them all in safe mode. ive run hjt, mbam, and super anti spyware - it appears the attack was a root kit as super anti removed rootkit.dropper/zorg, and rootkit.dropper/fake. im now able to start my computer in normal mode and no longer get the shutdown message; however, i understand root kits are hard to completely remove and i do have the XP disk and i keep a backup on my e drive of all important files so a reformat wouldnt be a huge ordeal. im looking for advice if it appears i am okay or should move forward with a reformat.
hjt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:07 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Card Counter 2] C:\Program Files\Card Counter 2\Card Counter 2.55.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "e:\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - e:\Zune\ZuneNss.exe (file missing)

Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

1/11/2009 11:53:54 AM
mbam-log-2009-01-11 (11-53-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 131974
Time elapsed: 2 hour(s), 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users.WINDOWS\Application Data\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Hi and welcome


I think the infection remains.....


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

** Please Note:
At times ComboFix may appear to stall, please be patient.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Hi Juliet - Thanks for your recommendations.

ComboFix 09-01-17.03 - Nick Eckhart 2009-01-17 18:12:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.788 [GMT -5:00]
Running from: c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Desktop\CF1.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\twain_32
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\twain_32\user.ds
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\twex.exe
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 18:02 . 2009-01-16 18:02 <DIR> d-------- C:\Combo-Fix
2009-01-13 03:04 . 2009-01-13 03:04 118 --a------ c:\windows\system32\MRT.INI
2009-01-11 15:39 . 2009-01-11 15:37 8,576 --a------ c:\windows\system32\drivers\vdrrsglhppet.sys
2009-01-11 11:56 . 2009-01-11 11:56 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-01-11 09:08 . 2009-01-11 09:08 <DIR> d-------- c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\Malwarebytes
2009-01-08 17:48 . 2009-01-08 17:48 <DIR> d-------- c:\program files\New
2009-01-08 17:35 . 2009-01-08 17:35 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 17:35 . 2009-01-08 17:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-08 17:35 . 2009-01-08 17:35 <DIR> d-------- c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\SUPERAntiSpyware.com
2009-01-08 17:33 . 2009-01-11 13:59 <DIR> d-------- c:\program files\Ingue
2009-01-08 17:33 . 2009-01-08 17:33 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-01-08 17:33 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-08 17:33 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 22:01 . 2009-01-07 22:01 <DIR> d-------- c:\program files\CCleaner
2009-01-05 21:24 . 2009-01-11 14:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-01-03 14:19 . 2009-01-03 14:19 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\1A3A
2009-01-02 18:35 . 2009-01-02 18:35 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\528B
2009-01-02 18:31 . 2009-01-02 18:31 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\3A373
2009-01-02 16:14 . 2009-01-02 16:14 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\2913
2009-01-01 16:27 . 2009-01-16 17:17 <DIR> d--hs---- c:\windows\system32\twain32
2008-12-29 22:18 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-29 22:18 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-29 22:18 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-27 13:02 . 2008-12-27 13:02 0 --ah----- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2008-12-27 13:02 . 2008-12-27 13:02 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2008-12-27 13:01 . 2008-12-27 13:01 0 --ah----- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2008-12-27 12:41 . 2008-12-27 12:41 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-27 12:41 . 2008-12-27 12:41 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-12-27 12:40 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2008-12-27 12:37 . 2008-05-02 08:25 465,920 --------- c:\windows\system32\imapi2fs.dll
2008-12-27 12:37 . 2008-05-02 08:25 465,920 -----c--- c:\windows\system32\dllcache\imapi2fs.dll
2008-12-27 12:37 . 2008-05-02 08:25 317,952 --------- c:\windows\system32\imapi2.dll
2008-12-27 12:37 . 2008-05-02 08:25 317,952 -----c--- c:\windows\system32\dllcache\imapi2.dll
2008-12-27 12:37 . 2008-05-02 05:49 62,976 -----c--- c:\windows\system32\dllcache\cdrom.sys
2008-12-23 20:41 . 2008-12-23 20:41 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\223C3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 16:59 --------- d-----w c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\BearShare
2009-01-11 19:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 19:04 --------- d-----w c:\program files\PokerStars
2009-01-11 19:03 --------- d-----w c:\program files\Pirate Poppers
2009-01-08 22:47 --------- d-----w c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\Viewpoint
2009-01-04 23:58 --------- d-----w c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\tunebite
2008-12-29 23:29 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-17 00:25 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\37103
2008-12-15 01:20 --------- d-----w c:\program files\AIM
2008-12-15 00:26 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\142ED
2008-12-14 20:25 --------- d-----w c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\PlayFirst
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 00:03 --------- d-----w c:\program files\BearShare Applications
2008-12-11 00:03 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\292C0
2008-12-03 13:01 --------- d-----w c:\program files\Java
2008-11-20 23:35 --------- d-----w c:\program files\Winamp
2008-02-23 15:13 256 -c--a-w c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\pool.bin
2007-06-16 13:05 27,320 -c--a-w c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 01:46 13,624 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 01:46 87,360 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 01:46 91,448 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 01:46 21,824 ----a-w c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 01:46 206,136 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 01:46 31,544 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 01:46 40,248 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 21:27 479,232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 21:27 548,864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 21:27 626,688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 16:47 981,170 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 01:46 24,384 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-01-04 684032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2002-08-22 143360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"UMonit"="c:\windows\system32\umonit.exe" [2004-05-11 53248]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2005-05-19 101888]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"QuickTime Task"="E:\QTTask.exe" [2008-09-06 413696]
"Zune Launcher"="e:\zune\ZuneLauncher.exe" [2008-12-12 157312]
"nwiz"="nwiz.exe" [2004-10-26 c:\windows\system32\nwiz.exe]
"PCTVOICE"="pctspk.exe" [2002-07-18 c:\windows\system32\pctspk.exe]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bbhrbhyfswm.sys]
@="\??\c:\windows\system32\drivers\bbhrbhyfswm.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jpgpom3z3wa.sys]
@="\??\c:\windows\system32\drivers\jpgpom3z3wa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"e:\\iTunes.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Zune\\Zune.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2005-06-21 6656]
S4 bbhrbhyfswm.sys;bbhrbhyfswm.sys;\??\c:\windows\system32\drivers\bbhrbhyfswm.sys --> c:\windows\system32\drivers\bbhrbhyfswm.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
HKLM-Run-Card Counter 2 - c:\program files\Card Counter 2\Card Counter 2.55.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\Mozilla\Firefox\Profiles\n2prme7o.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - plugin: c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\Mozilla\Firefox\Profiles\n2prme7o.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\Nick Eckhart.SYRACUSE-5UQ14V\Application Data\Mozilla\plugins\npCtxCAOHF425.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: e:\plugins\npqtplugin.dll
FF - plugin: e:\plugins\npqtplugin2.dll
FF - plugin: e:\plugins\npqtplugin3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 18:19:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\umonit.exe??p?#?\???8???????p?#?8???x?#?D?US????8???UB?????????????????????????????wx???????????tq??l??????|p??|????m??|C??w????????x?#?B$?|???w???w*?,?x?#????????????????????????????????w????????????tq??????T???????????tq?????????????

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\CSGina.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WudfHost.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-17 18:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 23:25:17

Pre-Run: 47,706,923,008 bytes free
Post-Run: 47,780,757,504 bytes free

207 --- E O F --- 2009-01-13 08:04:57

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:17 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iTunes\iTunesHelper.exe
E:\QTTask.exe
C:\Program Files\Apoint\Apntex.exe
E:\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "e:\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6637 bytes

Welcome back


P2P software/programs are a major contributor to infections. I see you have BearShare. Not passing judgment on file-sharing, However will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page (http://p2p.malwareremoval.com/) will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs can also be found
Here (http://www.microsoft.com/windows/ie/community/columns/protection.mspx ) and Here (http://www.internetworldstats.com/articles/art053.htm )

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system.





Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
This will change from what we know in 2006 read this article:
http://www.clickz.com/news/article.php/3561546
Additional info: http://vil.nai.com/vil/content/v_137262.htm
A side note about AIM Messenger, AOL user's and Viewpoint Manager. Viewpoint is one of the graphic engines that AOL uses and it is bundled with the application.
If you continue to use AIM Messenger, it would likely be reinstalled. Or if you recieve some of the AOL E-cards it may ask you to download and run this program to view and run the graphics in E-cards.
Your call
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the
following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player



Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.



Go to My Computer->Tools->Folder Options->View tab:

Under the Hidden files and folders heading:

Select - Show hidden files and folders.

Uncheck- Hide protected operating system files (recommended) option.

Also, make sure there is no checkmark beside Hide file extensions for known file types.

Click OK. (Remember to Hide files and folders once done)

Please go to: VirusTotal (http://www.virustotal.com/en/indexf.html)

http://i204.photobucket.com/albums/bb106/Juliet702/virustotal2-SWI.png




Click the Browse button and search for the following file: c:\windows\system32\drivers\vdrrsglhppet.sys
Click Open
Then click Send File
Please be patient while the file is scanned.
Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"


Please also have the next two files scanned as well.
c:\windows\system32\drivers\bbhrbhyfswm.sys
c:\windows\system32\drivers\jpgpom3z3wa.sys





NEXT**
Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)




Please download ATF Cleaner by Atribune From Here (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================



NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Other available links
Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition
files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419


In your next reply post:
Kaspersky log
New HJT log taken after the above scans have run


You may need several replies to post the requested logs, otherwise they might get cut off.



Please also give me an update on how the computer is at the moment.

Juliet,

My computer runs pretty well. There isn't any lagging and I can run several programs at the same time. Kapersky came back with nothing so I won't include the blank report here http://forums.spybot.info/images/smilies/tongue.gif

Here is the new HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:10 PM, on 1/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\umonit.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\iTunes\iTunesHelper.exe
E:\QTTask.exe
C:\Program Files\Apoint\Apntex.exe
E:\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Nick Eckhart.SYRACUSE-5UQ14V\Local Settings\temp\jkos-Nick Eckhart\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\umonit.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Zune Launcher] "e:\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6264 bytes

As far as the VirusScan - 2 of the 3 files could not be found, but here are the results for the one that could:
File vdrrsglhppet.sys received on 01.18.2009 16:00:15 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/39 (0%)
Loading server information...
Your file is queued in position: 3.
Estimated start time is between 50 and 72 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.18 -
AhnLab-V3 2009.1.15.0 2009.01.17 -
AntiVir 7.9.0.57 2009.01.18 -
Authentium 5.1.0.4 2009.01.17 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.18 -
BitDefender 7.2 2009.01.18 -
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.18 -
Comodo 935 2009.01.18 -
DrWeb 4.44.0.09170 2009.01.18 -
eSafe 7.0.17.0 2009.01.18 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.17 -
F-Secure 8.0.14470.0 2009.01.18 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.18 -
Ikarus T3.1.1.45.0 2009.01.18 -
K7AntiVirus 7.10.594 2009.01.17 -
Kaspersky 7.0.0.125 2009.01.18 -
McAfee 5498 2009.01.17 -
McAfee+Artemis 5498 2009.01.17 -
Microsoft 1.4205 2009.01.18 -
NOD32 3774 2009.01.17 -
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.18 -
PCTools 4.4.2.0 2009.01.18 -
Prevx1 V2 2009.01.18 -
Rising 21.12.62.00 2009.01.18 -
SecureWeb-Gateway 6.7.6 2009.01.18 -
Sophos 4.37.0 2009.01.18 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.18 -
TheHacker 6.3.1.5.222 2009.01.17 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.17 -
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.18 -
Additional information
File size: 8576 bytes
MD5...: d7dbfbc453b645111e6d21142305e80b
SHA1..: e134b78030cfca8dbfd0af144193fc445db86572
SHA256: 0365a5d0d05ebd882978100f0f0f755b43ba256464e335b2f8a2b0dcc4f84487
SHA512: 80d26ec9e58f5f1a7314546e5776bcd1687f6dde63b0c798c2c611e083faf191
4f9518f7873b825192c4b5b4a9e2ec0ac92c51b10571dc51e5dd9ae075d8c9f0
ssdeep: 192:gyg/ycpyDnwYS8McuH8auaRMGW+I929iD0nu5:gZ/VpyDnYH/uWeuh
PEiD..: -
TrID..: File type identification
Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10e56
timedatestamp.....: 0x466916f2 (Fri Jun 08 08:44:34 2007)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0x1050 0x1080 6.31 4d29dbd0afe43be0a601f147ff2baee6
.rdata 0x1500 0x194 0x200 3.12 7e40ffb0e0a2a150c0869a11af5513c7
.data 0x1700 0x225 0x280 2.01 9456ca564508fe29132d6fd3865aaec0
INIT 0x1980 0x20a 0x280 4.39 b30759fccbe2d047557b63d5c8ef4835
.rsrc 0x1c00 0x390 0x400 2.99 87241b17bb1235a94f602c2c4984a980
.reloc 0x2000 0x122 0x180 4.57 363ca49c5554f4652b1bfcef2bed3a67

( 1 imports )
> ntoskrnl.exe: IoDeleteDevice, IofCompleteRequest, PsLookupProcessByProcessId, ObfDereferenceObject, ObOpenObjectByPointer, PsProcessType, SeDeleteAccessState, PsLookupProcessThreadByCid, SeCreateAccessState, _except_handler3, MmGetSystemRoutineAddress, RtlInitUnicodeString, PsGetVersion, MmIsAddressValid, PsThreadType, _local_unwind2, IoCreateDevice, wcsncat, wcsncpy

( 0 exports )

c:\windows\system32\drivers\bbhrbhyfswm.sys
c:\windows\system32\drivers\jpgpom3z3wa.sys
Both files
could not be found.

one more thing - it appears that firefox wont display pages such as espn.com and ebay.com properly - it appears it confuses the frames...i did use ATF Cleaner for Mozilla (everything except saved passwords) - any idea what setting it mightve deleted/changed that would cause the pages to render improperly? this site shows fine so does mozilla.com

Welcome back


Let's do this first


Don't miss or skip this next step, this will remove bad files from quarantine and set a clean restore point.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

Example below
http://www.forospyware.com/images/adv/CF_Cleanup.png




Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre6\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
(Description: The WinAmp Agent. This puts a WinAmp icon is your system tray. It is completely unnecessary, and some viruses may hide in this file. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
(Description: Loads the System Tray icon for the WinAmp media player. Can be used to mantain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. If you don't use WinAmp constantly, removing this entry will free up some system resources. )

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] \"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe\"
(Description: Adobe reader startup - unnecessarily uses system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

Now reboot your computer to set the registry.



Now for the Firefox issues.....I'm probably not much help here.
What I can post is information found researching


Check Here, Tool > Options > Content Tab　"Load images automatically" option.
If you unchecked it, every images on Web are not displayed.
If it's so, check it.


Disable all add ons in FF and try again. Close FireFox then open again.

http://www.windowsbbs.com/firefox-thunderbird-seamonkey/80474-firefox-only-opening-blank-windows.html

The below is Mozilla forums, might have to register and ask for tech support.
http://forums.mozillazine.org/viewforum.php?f=38



Other then that I think your good to go, good job!




Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates (http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us) and download all the "Critical Updates" for Windows.


Firefox 2.0 (http://www.mozilla.com/en-US/firefox/all-older.html )
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 2, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

How to prevent Malware: Created by Miekiemoes (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


Read this article 'Safe Computing Practices'.
So how did I get infected in the first place. (http://www.spywareinfoforum.com/index.php?showtopic=60955)

Secure My Computer: A Layered Approach (http://www.dslreports.com/faq/8463)

Strong passwords: How to create and use them (http://www.microsoft.com/protect/yourself/password/create.mspx)

Free Antivirus-AntiSpyware-Firewall Software (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)
Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


PC Safety and Security--What Do I Need?
http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/

Juliet,

Thanks so much for your help. The Firefox issue self corrected when I used my computer later in the day ... very bizarre, but I appreciate the effort in trying to find a solution. You've been extremely helpful and I'm glad that I didn't just assume that I was clear because we found more instances of the root kit through your suggestions. Can you confirm there's nothing further to run and now it's just using the best practices you've provided to protect my computer from future attacks?

Thanks again,
Nick

Can you confirm there's nothing further to run and now it's just using the best practices you've provided to protect my computer from future attacks?

The best advise I can offer since your machine is clean, is to read over the two articles in my prevention tips
How to prevent Malware
Safe Computing Practices

Safe surfing http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif

Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.