Zlob, Smitfraud keeps coming back

Status
Not open for further replies.
Nope, they are not hurting a thing, just making the HJT log a bit longer. Thanks for returning the combofix report and it did, indeed, find more junk.

Let's consider the issue of two antivirus programs running at once; this cannot help but cause you many issues. See this:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

It appears McAfee is your antivirus program of choice, but these are also running:

C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

If you have not tried to remove Symantec in Add Remove Programs, please do so. If you have tried to remove it and cannot, Symantec makes this tool available:
http://basconotw.mvps.org/SymRem.htm
If I am wrong in any of my assumptions, please stop and make me aware.

Once that issue is resolved, remove C:\Rustbfix, combofix, and the C:\Qoobox\Quarantine\ folder and then run a new Kaspersky Online Scan so we can make sure we did not miss anything. Please use these settings for the scan:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. Post a new HJT log so I can check it also.

Thanks
 
Those Symantec things were Norton Personal Firewall, but I uninstalled them anyway. Sorry about the stuff on the H: drive. That is my camera memory card that I am using to transfer stuff from this computer & back. I am posting from my clean computer.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 8:30:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/04/2008
Kaspersky Anti-Virus database records: 725749
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 124330
Number of viruses found: 10
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:52:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\backups\backup-20080424-164000-898.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzy skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbdam Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbdao Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbeam Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbeao Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbm Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\fii.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\hp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Desktop\b07a2787b6b6\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008042520080426\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA67A.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD19C.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\RECYCLER\S-1-5-21-2829687332-1621281150-667988723-1003\Dc4\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP0\A0001141.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzy skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP0\A0001144.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzq skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP0\A0001145.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzw skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP0\A0001154.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP0\A0001154.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP0\A0001154.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001290.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001290.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001290.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001291.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001293.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001294.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001304.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001324.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\sgoblxtm.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzx skipped
C:\WINDOWS\spnkfwad.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dzv skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_PGauawjngBNawxj Object is locked skipped
H:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe RarSFX: infected - 2 skipped

Scan process completed.

--------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:01 PM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Yahoo!\YCentral\YahooCentral.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [YCentral] C:\Program Files\Yahoo!\YCentral\YahooCentral.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKUS\S-1-5-18\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll" (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ImageMixer for HDD Camcorder.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://real.gamehouse.com/games/chainz2/mjolauncher.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37590.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - http://savillustrations.com/valasek/images/col-4.jpg
O24 - Desktop Component 1: (no name) - http://www.lvtrikes.com/images_slide_show/build_16.jpg
O24 - Desktop Component 10: (no name) - http://www.bennyhinn.org/images/familyprayer8by6.jpg
O24 - Desktop Component 11: (no name) - http://usera.imagecave.com/sjssjs/caffinecat.jpg
O24 - Desktop Component 12: (no name) - http://www.uberplay.com/images/Ark_deskb_800.jpg
O24 - Desktop Component 13: (no name) - http://www.crystalinks.com/movamulet.gif
O24 - Desktop Component 14: (no name) - http://www.abrahamic-faith.com/images/Abrahamic-Faith_logo_small.gif
O24 - Desktop Component 15: (no name) - http://www.carverdoug.com/images/graphic_art/Drums_big.JPG
O24 - Desktop Component 16: (no name) - http://www.persecution.net/images/pnp/china_victory.jpg
O24 - Desktop Component 17: (no name) - http://www.dieselduck.ca/images/Martin_Older/MV_Alaska_Mariner.02.JPG
O24 - Desktop Component 18: (no name) - http://www.lindsaybks.com/gallery/Jorg/jbike.jpg
O24 - Desktop Component 2: (no name) - http://www.lvtrikes.com/images_slide_show/build_11.jpg
O24 - Desktop Component 3: (no name) - file:///C:/My%20Games/Mah%20Jong%20Quest/spacer.gif
O24 - Desktop Component 4: (no name) - http://image34.webshots.com/35/4/80/67/258848067HPfaKb_ph.jpg
O24 - Desktop Component 5: (no name) - http://www.artie.com/gifs/arg-clown0-nourl-tr.gif
O24 - Desktop Component 6: (no name) - file:///C:/My%20Games/Bricks%20of%20Camelot/spacer.gif
O24 - Desktop Component 7: (no name) - file:///C:/My%20Games/Mah%20Jong%20Medley/contentbox.gif
O24 - Desktop Component 8: (no name) - http://www.christianpulpit.com/images/dove2.gif
O24 - Desktop Component 9: (no name) - http://www.olivetreeviews.org/images/nav/logo.jpg

--
End of file - 14424 bytes
 
Thanks for returning your information and the feedback. You could have left the personal firewall if you wished. That was why I posted this:
If I am wrong in any of my assumptions, please stop and make me aware
You must have a good firewall running; if you need links to free ones, let me know.

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Check your Java program for an update, I believe there is one.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:31:01 PM, on 4/25/2008
I am counting at least five Symantec Services running (O23) and I am not posting the information again. I am sure those are not all about a personal firewall.

KASPERSKY ONLINE SCANNER REPORT Friday, April 25, 2008 8:30:23 PM

1) These are active Smitfraud trojans; make sure you delete these files in red:

C:\WINDOWS\sgoblxtm.dll ------> AdWare.Win32.Vapsup.dzx skipped
C:\WINDOWS\spnkfwad.exe ------> AdWare.Win32.Vapsup.dzv skipped

2) Instructions: http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore
Delete this file in HJT Backups
C:\Documents and Settings\Owner\Desktop\backups\backup-20080424-164000-898.dll

3) C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll <<< delete that file

4) C:\Program Files\MSN Messenger\riched20.dll <<< delete that file

5) C:\RECYCLER\S-1-5-21-2829687332-1621281150-667988723-1003\Dc4\Reboot.exe <<< delete that file in the Recycle Bin

6) H:\SmitfraudFix.exe <<< delete that file

7) Restart the computer

8) Follow these directions to clean the infected System Restore files

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

There is no need to post clean KOS results, which you should have if you followed the directions.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
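The triage pskelley did by hand on the Kaspersky report above (active files to delete, the HijackThis backup, System Restore copies, the Recycle Bin item and the H: card) as an added Python example that is not part of this thread: it parses Kaspersky Online Scanner 5 result lines and groups each detection by the remediation bucket it falls into, collapsing archive members onto the file that actually sits on disk. The sample lines are constructed from the report posted above; the bucket names and the assumption that C: is the system drive are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the Kaspersky Online Scanner 5 report format, taken from the
# report posted above: "<path> Infected: <name> <action>", "<path> Object is locked <action>"
# or "<path> RarSFX: infected - <n> <action>" (the archive container summary line).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\Desktop\backups\backup-20080424-164000-898.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzy skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\RECYCLER\S-1-5-21-2829687332-1621281150-667988723-1003\Dc4\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP0\A0001141.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzy skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001290.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{8153ACA8-C727-4835-A7D4-A3A2B949B296}\RP1\A0001290.exe RarSFX: infected - 2 skipped
C:\WINDOWS\sgoblxtm.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dzx skipped
C:\WINDOWS\spnkfwad.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dzv skipped
H:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
H:\SmitfraudFix.exe RarSFX: infected - 2 skipped

Scan process completed.
"""

# Paths contain spaces, so the path is matched non-greedily up to the verdict keyword.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)|(?P<locked>Object is locked)|(?P<container>RarSFX: infected - \d+)) "
    r"(?P<action>\S+)$"
)

SYSTEM_DRIVE = "C:"  # assumption: the Windows installation lives on C:


def parse_report(text):
    """Return one record per result line: path, verdict (infected|locked|container), name, action."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank and "Scan process completed." lines carry no result
        if m.group("name"):
            verdict = "infected"
        elif m.group("locked"):
            verdict = "locked"
        else:
            verdict = "container"
        records.append({"path": m.group("path"), "verdict": verdict,
                        "name": m.group("name"), "action": m.group("action")})
    return records


def on_disk_file(path):
    """Kaspersky names archive members as 'file.exe/data.rar/member'; keep the on-disk container."""
    return path.split("/", 1)[0]


def classify(path):
    """Map a detected file to the remediation bucket used in the reply above (bucket names are mine)."""
    p = path.lower()
    if not p.startswith(SYSTEM_DRIVE.lower() + "\\"):
        return "other_drive"       # e.g. the H: memory card: delete the file there (step 6)
    if "\\system volume information\\_restore" in p:
        return "system_restore"    # cleared by turning System Restore off and back on (step 8)
    if "\\recycler\\" in p:
        return "recycle_bin"       # delete from the Recycle Bin (step 5)
    if "\\backups\\backup-" in p:
        return "hjt_backup"        # a HijackThis backup of an item already removed (step 2)
    return "active"                # still live on the system: delete the file directly (steps 1, 3, 4)


def triage(records):
    """Group detections by bucket, deduplicating archive members onto their container file.

    Locked objects are in-use system files the scanner could not open, not detections,
    so they are dropped. Returns {bucket: [(file, [detection names]), ...]}, sorted.
    """
    buckets = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["verdict"] == "locked":
            continue
        f = on_disk_file(rec["path"])
        names = buckets[classify(f)][f]
        if rec["name"]:
            names.add(rec["name"])
    return {cat: sorted((f, sorted(names)) for f, names in files.items())
            for cat, files in buckets.items()}


if __name__ == "__main__":
    for bucket, files in sorted(triage(parse_report(SAMPLE_REPORT)).items()):
        print(bucket)
        for f, names in files:
            print("   ", f, "->", ", ".join(names) or "(container only)")
```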
 
Thanks for all your help! The infection is gone and the computer no longer has that problem! Unfortunately, the computer is still very messed up, and will require an OS reload.

Thanks for all your help!!!!
 