Help with Smitfraud-C.CoreService Removal

N

nitramssirc

New member
I've been having trouble with Smitfraud-C.CoreService. It keeps reinstalling itself after spybot removes it and tells me to post my problem in the forums. I'll attatch my logs in the next 2 posts... thanks
 
Hijack This Log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:10 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\heather\My Documents\F?nts\s?oolsv.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SideACT.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\TEMP\CH86DF.EXE
C:\Program Files\Trend Micro\Client Server Security Agent\pccntupd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {0A2FDC32-6C11-4463-B4C9-1DFAA5C84224} - C:\WINDOWS\System32\vjrbx.dll (file missing)
O2 - BHO: (no name) - {3934EFC2-5621-2DAC-5312-5D00B6CD8BB1} - C:\WINDOWS\system32\ioxzs.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Rqulance] "C:\Documents and Settings\heather\My Documents\F?nts\s?oolsv.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\SideACT.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099074538445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10516 bytes
 
KASPERSKY Log File

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 10, 2008 5:14:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/02/2008
Kaspersky Anti-Virus database records: 556123
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
M:\
Q:\

Scan Statistics:
Total number of scanned objects: 138937
Number of viruses found: 8
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 02:19:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\30691b17b4a1c1daa9ffcaa273c4296c_9192d17a-9a72-4204-823a-85ab53b53cd0 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Brian\Local Settings\Temp\adlinstallwin32.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Adstart.c skipped
C:\Documents and Settings\Brian\Local Settings\Temp\adlinstallwin32.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Adstart.b skipped
C:\Documents and Settings\Brian\Local Settings\Temp\adlinstallwin32.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.Adstart.d skipped
C:\Documents and Settings\Brian\Local Settings\Temp\adlinstallwin32.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Adstart.b skipped
C:\Documents and Settings\Brian\Local Settings\Temp\adlinstallwin32.exe/stream Infected: not-a-virus:AdWare.Win32.Adstart.b skipped
C:\Documents and Settings\Brian\Local Settings\Temp\adlinstallwin32.exe NSIS: infected - 5 skipped
C:\Documents and Settings\heather\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Messenger\purple9876@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Messenger\purple9876@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Messenger\purple9876@hotmail.com\SharingMetadata\Working\database_EAFC_9DB_FC09_A345\dfsr.db Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Messenger\purple9876@hotmail.com\SharingMetadata\Working\database_EAFC_9DB_FC09_A345\fsr.log Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Messenger\purple9876@hotmail.com\SharingMetadata\Working\database_EAFC_9DB_FC09_A345\fsrtmp.log Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Messenger\purple9876@hotmail.com\SharingMetadata\Working\database_EAFC_9DB_FC09_A345\tmp.edb Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Windows Live Contacts\purple9876@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Application Data\Microsoft\Windows Live Contacts\purple9876@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\heather\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\Documents and Settings\heather\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\heather\Local Settings\Temp\wavvsnet.exe Infected: Trojan-Downloader.Win32.Agent.hzr skipped
C:\Documents and Settings\heather\Local Settings\Temp\~DF183D.tmp Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Temp\~DF1909.tmp Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Temp\~DF5291.tmp Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Temp\~DF52B5.tmp Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Temp\~DFFB34.tmp Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Temp\~DFFB3C.tmp Object is locked skipped
C:\Documents and Settings\heather\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\heather\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\heather\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\eeab798ac455dd30a5ef71393a3c24\msxml4-KB927978-enu.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\WINDOWS\bundles\2504041019.exe/WISE0006.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.c skipped
C:\WINDOWS\bundles\2504041019.exe/WISE0007.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\WINDOWS\bundles\2504041019.exe/WISE0007.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\WINDOWS\bundles\2504041019.exe WiseSFX: infected - 3 skipped
C:\WINDOWS\bundles\2504041019.exe WiseSFXDropper: infected - 3 skipped
C:\WINDOWS\bundles\setup_silent_26221.exe Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{95A55AA8-7E80-4D0C-843D-ACE43CD31AC6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\isapnpp.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\instFindtvmk38megaV2.dll Infected: Trojan-Dropper.Win32.Small.xm skipped
C:\WINDOWS\SYSTEM32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cge skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_738.dat Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, please keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
 
Combo Fix Log

ComboFix 08-02-13.2 - heather 2008-02-13 6:48:35.1 - NTFSx86
Running from: C:\Documents and Settings\heather\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\isapnpp.sys
C:\DOCUME~1\heather\MYDOCU~1\FNTS~1\s?oolsv.exe
C:\Documents and Settings\heather\My Documents\FNTS~1
C:\Documents and Settings\heather\My Documents\FNTS~1\s?oolsv.exe
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\sstem~1\s?stem\
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\bundles
C:\WINDOWS\bundles\2504041019.exe
C:\WINDOWS\bundles\bs5-vwqouc.exe
C:\WINDOWS\bundles\CSV7P070.exe
C:\WINDOWS\bundles\james_dh.exe
C:\WINDOWS\bundles\optimizejames.exe
C:\WINDOWS\bundles\setup_silent_26221.exe
C:\WINDOWS\bundles\SSK_B5.EXE
C:\WINDOWS\racle~1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\isapnpp.sys
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ISAPNPP
-------\isapnpp


((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-12 12:42 . 2008-02-12 12:43 <DIR> d-------- C:\Documents and Settings\heather\Application Data\Walgreens
2008-02-12 12:42 . 2008-02-12 12:43 <DIR> d-------- C:\DOCUME~1\heather\APPLIC~1\Walgreens
2008-02-10 14:01 . 2008-02-10 14:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2008-02-10 14:00 . 2008-02-10 14:00 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-10 10:57 . 2008-02-10 10:57 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 10:57 . 2008-02-10 10:57 3,447 --a------ C:\WINDOWS\unins000.dat
2008-02-02 15:07 . 2008-02-02 15:07 <DIR> d-------- C:\Documents and Settings\heather\Application Data\Leadertech
2008-02-02 15:07 . 2008-02-02 15:07 <DIR> d-------- C:\DOCUME~1\heather\APPLIC~1\Leadertech
2008-01-30 15:09 . 2008-01-30 15:09 <DIR> d-------- C:\Documents and Settings\heather\Application Data\Viewpoint
2008-01-30 15:09 . 2008-01-30 15:09 <DIR> d-------- C:\DOCUME~1\heather\APPLIC~1\Viewpoint
2008-01-25 18:21 . 2004-04-13 19:20 929,792 -ra------ C:\WINDOWS\SYSTEM32\PRISME5.dll
2008-01-25 18:21 . 2004-04-13 19:20 15,781 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\mdc8021x.sys
2008-01-25 18:19 . 2008-01-25 19:11 <DIR> d-------- C:\Program Files\2Wire
2008-01-24 19:32 . 2008-01-29 17:17 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-24 19:29 . 2008-01-24 19:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\wnzs6
2008-01-24 19:29 . 2008-01-24 19:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\ni4
2008-01-24 19:29 . 2008-01-24 19:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\etz1
2008-01-24 19:29 . 2008-01-24 19:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\comg7
2008-01-24 19:29 . 2008-01-24 19:29 <DIR> d-------- C:\Temp\gTiis19
2008-01-24 19:29 . 2008-01-24 19:29 <DIR> d-------- C:\Temp\cXzz9
2008-01-24 17:40 . 2008-02-13 07:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-24 17:40 . 2008-01-24 17:40 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-24 17:39 . 2008-01-24 17:39 <DIR> d-------- C:\Program Files\iPod
2008-01-24 17:38 . 2008-01-24 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-01-24 17:36 . 2008-01-24 17:37 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 20:36 --------- d-----w C:\Documents and Settings\heather\Application Data\AdobeUM
2008-02-12 20:36 --------- d-----w C:\DOCUME~1\heather\APPLIC~1\AdobeUM
2008-02-12 18:53 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2008-02-12 01:30 --------- d-----w C:\Program Files\Trend Micro
2008-02-10 17:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 16:58 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-10 16:19 --------- d-----w C:\Documents and Settings\heather\Application Data\uTorrent
2008-02-10 16:19 --------- d-----w C:\DOCUME~1\heather\APPLIC~1\uTorrent
2008-02-02 21:12 --------- d-----w C:\Documents and Settings\heather\Application Data\Sonic
2008-02-02 21:12 --------- d-----w C:\DOCUME~1\heather\APPLIC~1\Sonic
2008-01-26 00:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-28 20:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-28 19:51 --------- d-----w C:\Program Files\Netflix
2007-12-28 04:03 --------- d-----w C:\Documents and Settings\heather\Application Data\Apple Computer
2007-12-28 04:03 --------- d-----w C:\DOCUME~1\heather\APPLIC~1\Apple Computer
2007-12-24 00:51 --------- d-----w C:\Program Files\Red Kawa
2007-12-24 00:51 --------- d-----w C:\Program Files\AviSynth 2.5
2007-12-24 00:07 --------- d-----w C:\Documents and Settings\heather\Application Data\DivX
2007-12-24 00:07 --------- d-----w C:\DOCUME~1\heather\APPLIC~1\DivX
2007-12-23 20:07 --------- d-----w C:\Program Files\DivX
2007-12-23 16:44 --------- d-----w C:\Program Files\uTorrent
2007-12-20 03:52 --------- d-----w C:\Program Files\MSXML 6.0
2007-12-20 02:05 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-12-20 02:03 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-20 02:03 --------- d-----w C:\Program Files\Apple Software Update
2007-12-20 02:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-12-19 18:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Roxio
2007-12-19 18:01 --------- d-----w C:\Documents and Settings\heather\Application Data\Roxio
2007-12-19 18:01 --------- d-----w C:\DOCUME~1\heather\APPLIC~1\Roxio
2007-12-19 17:56 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Roxio
2007-12-19 17:51 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-12-19 17:50 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2007-12-19 17:50 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-12-19 17:49 --------- d-----w C:\Program Files\Roxio
2007-12-19 17:48 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2007-12-19 17:38 --------- d-----w C:\Program Files\Common Files\Research In Motion
2007-12-19 17:37 --------- d-----w C:\Program Files\Research In Motion
2007-12-19 16:09 --------- d-----w C:\Documents and Settings\heather\Application Data\Research In Motion
2007-12-19 16:09 --------- d-----w C:\DOCUME~1\heather\APPLIC~1\Research In Motion
2007-11-04 07:13 95 ----a-w C:\Program Files\dal.lst
2006-11-02 16:29 403 ----a-w C:\Program Files\flt.lst
2006-11-02 16:29 121 ----a-w C:\Program Files\ModMenu.act
2004-06-17 00:46 157,903 ---ha-w C:\Program Files\ACT.GID
2004-06-16 23:58 267,654 ----a-w C:\Program Files\Uninst6.isu
2004-06-16 23:54 32,768 ------w C:\Program Files\Info.dll
2004-06-16 23:54 10,000 ----a-w C:\Program Files\ActInfo.dat
2004-02-19 08:52 4,544 ------w C:\Documents and Settings\Devices\TPDSupportedDevices_ML.bin
2003-10-29 09:47 491,520 ------w C:\Documents and Settings\IMix\mL_Mixer.dll
2003-04-30 19:47 5,877 ----a-w C:\Program Files\readme.txt
2003-04-27 17:10 671,788 ----a-w C:\Program Files\adal.dll
2003-04-27 17:07 45,056 ----a-w C:\Program Files\rcadal.dll
2003-04-24 14:22 5,337,138 ----a-w C:\Program Files\act.exe
2003-04-24 14:21 69,682 ----a-w C:\Program Files\wprep.awf
2003-04-24 14:21 360,499 ----a-w C:\Program Files\actole.dll
2003-04-24 14:20 577,587 ----a-w C:\Program Files\rptsys.dll
2003-04-24 14:19 131,123 ----a-w C:\Program Files\faxreq.dll
2003-04-24 09:23 49,205 ----a-w C:\Program Files\Uninstal.dll
2003-04-24 09:23 483,380 ----a-w C:\Program Files\inetcom.dll
2003-04-24 09:23 41,012 ----a-w C:\Program Files\actinet.ame
2003-04-24 09:23 40,960 ----a-w C:\Program Files\rcpicker.dll
2003-04-24 09:23 352,303 ----a-w C:\Program Files\picker.dll
2003-04-24 09:23 32,768 ----a-w C:\Program Files\rcinetcom.dll
2003-04-24 09:23 28,672 ----a-w C:\Program Files\rcactinet.dll
2003-04-24 09:23 24,576 ----a-w C:\Program Files\rcUninstal.dll
2003-04-24 09:23 16,384 ----a-w C:\Program Files\finis.exe
2003-04-24 09:23 1,216,512 ----a-w C:\Program Files\actsprng.dat
2003-04-24 09:22 90,112 ----a-w C:\Program Files\Act6Intf.dll
2003-04-24 09:22 45,109 ----a-w C:\Program Files\ActEvent.ocx
2003-04-24 09:22 45,107 ----a-w C:\Program Files\ActCmd.dll
2003-04-24 09:22 45,056 ----a-w C:\Program Files\ActTRLog.dll
2003-04-24 09:22 36,364 ----a-w C:\Program Files\ActOle.tlb
2003-04-24 09:22 32,841 ----a-w C:\Program Files\actreg.exe
2003-04-24 09:22 258 ----a-w C:\Program Files\ActCmd.tlb
2003-04-24 09:22 24,576 ----a-w C:\Program Files\rcActOle.dll
2003-04-24 09:21 32,768 ----a-w C:\Program Files\rcactptp.dll
2003-04-24 09:21 278,589 ----a-w C:\Program Files\SideACT.exe
2003-04-24 09:21 143,360 ----a-w C:\Program Files\ActUpdt.exe
2003-04-24 09:21 106,547 ----a-w C:\Program Files\actptp.exe
2003-04-24 09:21 102,400 ----a-w C:\Program Files\rcSideACT.dll
2003-04-24 09:20 90,163 ----a-w C:\Program Files\DrvWd6.wpi
2003-04-24 09:20 36,914 ----a-w C:\Program Files\wprtf.awf
2003-04-24 09:20 348,210 ----a-w C:\Program Files\actwp.wpi
2003-04-24 09:20 28,672 ----a-w C:\Program Files\rcwprep.dll
2003-04-24 09:20 28,672 ----a-w C:\Program Files\rcDrvWd6.wpi
2003-04-24 09:20 28,672 ----a-w C:\Program Files\rcdrvact32.dll
2003-04-24 09:20 24,639 ----a-w C:\Program Files\ActZip.dll
2003-04-24 09:20 24,576 ----a-w C:\Program Files\rcwptxt.dll
2003-04-24 09:20 24,576 ----a-w C:\Program Files\rcwprtf.dll
2003-04-24 09:20 24,576 ----a-w C:\Program Files\rcwpbmp.dll
2003-04-24 09:20 24,576 ----a-w C:\Program Files\rcActZip.dll
2003-04-24 09:20 200,757 ----a-w C:\Program Files\drvact32.dll
2003-04-24 09:20 20,530 ----a-w C:\Program Files\wptxt.awf
2003-04-24 09:20 20,530 ----a-w C:\Program Files\wpbmp.awf
2003-04-24 09:18 86,016 ----a-w C:\Program Files\rcactwp.wpi
2003-04-24 09:17 65,587 ----a-w C:\Program Files\palmin.flt
2003-04-24 09:17 24,576 ----a-w C:\Program Files\rcpalmin.dll
2003-04-24 09:17 233,520 ----a-w C:\Program Files\ace.flt
2003-04-24 09:16 41,013 ----a-w C:\Program Files\ccxexprt.flt
2003-04-24 09:16 36,911 ----a-w C:\Program Files\qa.flt
2003-04-24 09:16 36,864 ----a-w C:\Program Files\rcNEWTON.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A2FDC32-6C11-4463-B4C9-1DFAA5C84224}]
C:\WINDOWS\System32\vjrbx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3934EFC2-5621-2DAC-5312-5D00B6CD8BB1}]
C:\WINDOWS\system32\ioxzs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-24 07:13 68856]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"Rqulance"="C:\Documents and Settings\heather\My Documents\F?nts\s?oolsv.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-26 12:01 921600 C:\WINDOWS\SYSTEM32\nwiz.exe]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2007-03-29 07:10 394952]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-10-26 12:01 4632576]
"PRISMSVR.EXE"="C:\WINDOWS\system32\PRISMSVR.exe" [ ]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-23 22:37:56 217194]
SideACT!.lnk - C:\Program Files\SideACT.exe [2004-06-16 17:54:47 278589]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^heather^Start Menu^Programs^Startup^BlackBerry Desktop Redirector.lnk]
path=C:\Documents and Settings\heather\Start Menu\Programs\Startup\BlackBerry Desktop Redirector.lnk
backup=C:\WINDOWS\pss\BlackBerry Desktop Redirector.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-06-07 13:50 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-10-24 07:13 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 15:38]
R3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\rtl8180.sys [2003-10-01 10:54]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 07:00:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\TEMP\DJF9B6.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-13 7:07:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 13:07:23
.
2008-01-19 19:28:13 --- E O F ---
 
Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:08, on 2008-02-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\TEMP\DJF9B6.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SideACT.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {0A2FDC32-6C11-4463-B4C9-1DFAA5C84224} - C:\WINDOWS\System32\vjrbx.dll (file missing)
O2 - BHO: (no name) - {3934EFC2-5621-2DAC-5312-5D00B6CD8BB1} - C:\WINDOWS\system32\ioxzs.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Rqulance] "C:\Documents and Settings\heather\My Documents\F?nts\s?oolsv.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: SideACT!.lnk = C:\Program Files\SideACT.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099074538445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10146 bytes
 
Thanks for returning your information and the feedback, follow these directions in the posted order.

1) see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< your Java program is BADLY out of date and likely the reason you are infected. Download the newest version of Java and uninstall all old versions in Add Remove programs.

2) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: SDWin32 Class - {0A2FDC32-6C11-4463-B4C9-1DFAA5C84224} - C:\WINDOWS\System32\vjrbx.dll (file missing)
O2 - BHO: (no name) - {3934EFC2-5621-2DAC-5312-5D00B6CD8BB1} - C:\WINDOWS\system32\ioxzs.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Rqulance] "C:\Documents and Settings\heather\My Documents\F?nts\s?oolsv.exe"
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Documents and Settings\heather\My Documents\F?nts\ <<< delete that folder if there

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log, let me know about any malware problems.

Thanks...Phil
 
You must log in or register to reply here.
Back
Top