
Solved Win32 and Smitfraud infection

Discussion in 'Malware and Virus Removal Archive' started by daralee100, 2008/07/05.

  1. 2008/07/06
    daralee100

    daralee100 Inactive Thread Starter

    Joined:
    2006/08/12
    Messages:
    98
    Likes Received:
    0
    ComboFix 08-07-05.1 - Owner 2008-07-06 23:37:46.3 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
    .

    2008-07-06 08:03 . 2008-07-06 08:03 89,088 --a------ C:\WINDOWS\system32\kexeinww.dll
    2008-07-06 01:50 . 2008-07-06 01:50 294 --ahs---- C:\WINDOWS\system32\cxtcabmt.ini
    2008-07-06 00:55 . 2008-07-06 00:55 <DIR> d-------- C:\Deckard
    2008-07-06 00:53 . 2008-07-06 00:53 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-06 00:23 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-07-06 00:23 . 2005-02-22 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-07-06 00:23 . 2005-02-22 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
    2008-07-06 00:23 . 2008-07-06 00:23 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-05 22:53 . 2008-07-05 22:53 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
    2008-07-05 22:50 . 2008-07-05 22:50 <DIR> d-------- C:\Program Files\Enterbrain
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Recordpad
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
    2008-07-05 20:59 . 2008-07-05 20:59 <DIR> d-------- C:\Program Files\NCH Software
    2008-07-05 20:59 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2008-07-05 20:57 . 2008-07-05 21:00 <DIR> d-------- C:\Program Files\NCH Swift Sound
    2008-07-05 08:06 . 2008-07-05 08:06 <DIR> d-------- C:\MsSdkTmp
    2008-07-04 23:53 . 2008-07-04 23:54 <DIR> d-------- C:\Program Files\BlitzPlusDemo
    2008-07-03 23:07 . 2008-07-03 23:07 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
    2008-07-03 23:02 . 2008-07-03 23:02 <DIR> d-------- C:\Program Files\The Game Creators
    2008-07-03 22:53 . 2008-07-04 16:34 <DIR> d-------- C:\Program Files\MagicISO
    2008-07-03 06:45 . 2008-07-03 22:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-07-03 06:45 . 2008-07-03 06:45 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-07-02 20:05 . 2008-07-02 20:05 <DIR> d-------- C:\Program Files\uTorrent
    2008-07-02 20:05 . 2008-07-06 22:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-06 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-06 04:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-05 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-05 14:45 --------- d-----w C:\Program Files\Tales of Pirates Online
    2008-07-02 02:54 --------- d-----w C:\Program Files\LimeWire
    2008-07-02 02:45 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-02 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
    2008-06-21 23:14 --------- d-----w C:\Program Files\iPod
    2008-06-04 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-06-04 21:20 --------- d-----w C:\Program Files\Ahead
    2008-06-04 21:19 --------- d-----w C:\Program Files\Microsoft Works
    2008-06-04 21:14 --------- d-----w C:\Program Files\DivX
    2008-06-04 21:12 --------- d-----w C:\Program Files\FontLab
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2007-06-29 02:23 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2005-04-03 14:24 56 --sh--r C:\WINDOWS\system32\86F63302B7.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-06_ 2.02.31.85 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-06 06:44:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-07 03:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
    "NBJ "= "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard "= "C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 15:42 212992]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 20:20 98304]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 20:20 499712]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42 32768]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2004-09-02 16:44 249856]
    "SiSUSBRG "= "C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 19:15 106496]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Recordpad "= "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" [2008-07-05 20:59 577540]
    "MW1HelperStartUp "= "C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE" [BU]
    "MCUpdateExe "= "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [BU]
    "Antivirus "= "C:\Program Files\VAV\vav.exe" [BU]
    "SoundMan "= "SOUNDMAN.EXE" [2004-07-01 21:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
    "SiSPower "= "SiSPower.dll" [2004-09-02 14:47 49152 C:\WINDOWS\system32\SiSPower.dll]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-02-22 20:20:19 331776]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9842:TCP "= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP "= 9842:UDP:*:Disabled:SolidNetworkManager

    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
    R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys [2004-09-08 11:38]
    S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Bots\GameGuard\dump_wmimmc.sys []

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-06 23:44:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-06 23:52:53
    ComboFix-quarantined-files.txt 2008-07-07 04:52:40
    ComboFix2.txt 2008-07-07 04:12:03
    ComboFix3.txt 2008-07-06 07:04:59

    Pre-Run: 32,747,343,872 bytes free
    Post-Run: 32,780,419,072 bytes free

    121 --- E O F --- 2008-06-20 05:12:04
     
  2. 2008/07/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's very odd. The log tells me that you used a CFScript to run ComboFix, but it doesn't appear any of the commands were carried out. Please repeat my last set of instructions, making very sure that the CFScript contains the contents of the code box after saving it and prior to using it.

    Oh, and did you download a fresh copy as instructed? It doesn't appear to be the latest version.
     
  4. 2008/07/07
    daralee100

    daralee100 Inactive Thread Starter

    Joined:
    2006/08/12
    Messages:
    98
    Likes Received:
    0
    Yeah, it's a fresh copy, exactly from the link. I'll check the script page and run it again.
     
  5. 2008/07/07
    daralee100

    daralee100 Inactive Thread Starter

    Joined:
    2006/08/12
    Messages:
    98
    Likes Received:
    0
    The file never saved; it was empty. Better now:

    ComboFix 08-07-05.1 - Owner 2008-07-07 0:21:39.4 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\cxtcabmt.ini
    C:\WINDOWS\system32\kexeinww.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\cxtcabmt.ini
    C:\WINDOWS\system32\kexeinww.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
    .

    2008-07-06 00:55 . 2008-07-06 00:55 <DIR> d-------- C:\Deckard
    2008-07-06 00:53 . 2008-07-06 00:53 <DIR> d-------- C:\Program Files\Trend Micro
    2008-07-06 00:23 . 2004-08-27 04:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
    2008-07-06 00:23 . 2005-02-22 20:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
    2008-07-06 00:23 . 2005-02-22 20:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
    2008-07-06 00:23 . 2008-07-06 00:23 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-05 22:53 . 2008-07-05 22:53 <DIR> d-------- C:\Program Files\Common Files\Enterbrain
    2008-07-05 22:50 . 2008-07-05 22:50 <DIR> d-------- C:\Program Files\Enterbrain
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Recordpad
    2008-07-05 21:00 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
    2008-07-05 20:59 . 2008-07-05 20:59 <DIR> d-------- C:\Program Files\NCH Software
    2008-07-05 20:59 . 2008-07-05 21:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2008-07-05 20:57 . 2008-07-05 21:00 <DIR> d-------- C:\Program Files\NCH Swift Sound
    2008-07-05 08:06 . 2008-07-05 08:06 <DIR> d-------- C:\MsSdkTmp
    2008-07-04 23:53 . 2008-07-04 23:54 <DIR> d-------- C:\Program Files\BlitzPlusDemo
    2008-07-03 23:07 . 2008-07-03 23:07 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
    2008-07-03 23:02 . 2008-07-03 23:02 <DIR> d-------- C:\Program Files\The Game Creators
    2008-07-03 22:53 . 2008-07-04 16:34 <DIR> d-------- C:\Program Files\MagicISO
    2008-07-03 06:45 . 2008-07-03 22:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools
    2008-07-03 06:45 . 2008-07-03 06:45 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2008-07-02 20:05 . 2008-07-02 20:05 <DIR> d-------- C:\Program Files\uTorrent
    2008-07-02 20:05 . 2008-07-06 22:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
    2008-06-11 05:55 . 2008-06-13 08:10 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-07-06 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-07-06 04:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-07-05 21:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-07-05 14:45 --------- d-----w C:\Program Files\Tales of Pirates Online
    2008-07-02 02:54 --------- d-----w C:\Program Files\LimeWire
    2008-07-02 02:45 --------- d-----w C:\Program Files\Common Files\AOL
    2008-07-02 02:45 --------- d-----w C:\Documents and Settings\Owner\Application Data\AOL
    2008-06-21 23:14 --------- d-----w C:\Program Files\iPod
    2008-06-04 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2008-06-04 21:20 --------- d-----w C:\Program Files\Ahead
    2008-06-04 21:19 --------- d-----w C:\Program Files\Microsoft Works
    2008-06-04 21:14 --------- d-----w C:\Program Files\DivX
    2008-06-04 21:12 --------- d-----w C:\Program Files\FontLab
    2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
    2007-06-29 02:23 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2005-04-03 14:24 56 --sh--r C:\WINDOWS\system32\86F63302B7.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2008-07-06_ 2.02.31.85 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-07-06 06:44:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-07-07 03:56:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
    "NBJ "= "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [N/A]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard "= "C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 15:42 212992]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 20:20 98304]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 20:20 499712]
    "RemoteControl "= "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 22:42 32768]
    "SiS Windows KeyHook "= "C:\WINDOWS\system32\keyhook.exe" [2004-09-02 16:44 249856]
    "SiSUSBRG "= "C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 19:15 106496]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Recordpad "= "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" [2008-07-05 20:59 577540]
    "MW1HelperStartUp "= "C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE" [N/A]
    "MCUpdateExe "= "C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [N/A]
    "SoundMan "= "SOUNDMAN.EXE" [2004-07-01 21:23 67584 C:\WINDOWS\SOUNDMAN.EXE]
    "SiSPower "= "SiSPower.dll" [2004-09-02 14:47 49152 C:\WINDOWS\system32\SiSPower.dll]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-02-22 20:20:19 331776]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\America Online 9.0\\waol.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\SmartFTP Client\\SmartFTP.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9842:TCP "= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP "= 9842:UDP:*:Disabled:SolidNetworkManager

    R3 HSFHWSIS;HSFHWSIS;C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys [2004-09-08 11:38]
    S3 dump_wmimmc;dump_wmimmc;C:\Program Files\Bots\GameGuard\dump_wmimmc.sys []

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-07-07 00:27:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-07-07 0:35:01
    ComboFix-quarantined-files.txt 2008-07-07 05:34:47
    ComboFix2.txt 2008-07-07 04:52:56
    ComboFix3.txt 2008-07-07 04:12:03
    ComboFix4.txt 2008-07-06 07:04:59

    Pre-Run: 32,805,933,056 bytes free
    Post-Run: 32,795,725,824 bytes free

    126 --- E O F --- 2008-06-20 05:12:04
     
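Added example for this thread (not ComboFix's code and not posted by either participant): a small Python check, run against the plain-text log ComboFix writes, that confirms the paths echoed under FILE :: actually appear under Other Deletions, which is what went wrong with the first run above, and flags newly created files under system32 that carry hidden/system attributes or a random-looking eight-letter name, as kexeinww.dll and cxtcabmt.ini did. The log excerpt embedded in it is constructed in the layout of the posted logs, with kexeinww.dll deliberately left out of the deletions to show the failure case; the section names and line formats are taken from the logs above, the eight-letter-name heuristic and the function names are this example's own assumptions.

```python
"""Sanity-check a ComboFix log: did the CFScript run, and what got dropped?

Added example for this thread; it is not part of ComboFix and not code
posted by anyone here. It only relies on the plain-text layout visible in
the logs above: the 'FILE ::' echo of the CFScript, the 'Other Deletions'
section and the 'Files Created' listing with its nine-character attribute
field.
"""
import re
from typing import Dict, List

# Constructed excerpt in the layout of the posted logs. kexeinww.dll is
# deliberately missing from 'Other Deletions' to show the failure case
# (script supplied, but one target not acted on).
SAMPLE_LOG = """\
ComboFix 08-07-05.1 - Owner 2008-07-07 0:21:39.4 - NTFSx86
Command switches used :: C:\\Documents and Settings\\Owner\\Desktop\\CFScript.txt

FILE ::
C:\\WINDOWS\\system32\\cxtcabmt.ini
C:\\WINDOWS\\system32\\kexeinww.dll
.

((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))
.

C:\\WINDOWS\\system32\\cxtcabmt.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))
.

2008-07-06 08:03 . 2008-07-06 08:03 89,088 --a------ C:\\WINDOWS\\system32\\kexeinww.dll
2008-07-06 01:50 . 2008-07-06 01:50 294 --ahs---- C:\\WINDOWS\\system32\\cxtcabmt.ini
2008-07-06 00:55 . 2008-07-06 00:55 <DIR> d-------- C:\\Deckard
2008-07-03 06:45 . 2008-07-03 06:45 717,296 --a------ C:\\WINDOWS\\system32\\drivers\\sptd.sys
.
"""

_HEADER = re.compile(r"^\(+\s*(.*?)\s*\)+$")
_CREATED = re.compile(
    r"^(?P<created>\S+ \S+) \. (?P<modified>\S+ \S+) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# Eight lowercase letters plus a loader-relevant extension: the naming
# pattern of the two droppings in this thread (heuristic, not a rule).
_RANDOM_NAME = re.compile(r"[a-z]{8}\.(dll|ini|exe|sys)")


def section(log: str, title: str) -> List[str]:
    """Non-empty lines between the '(((( title ))))' header and the next header."""
    out, inside = [], False
    for ln in log.splitlines():
        ln = ln.rstrip()
        m = _HEADER.match(ln)
        if m:
            if inside:
                break
            inside = title.lower() in m.group(1).lower()
            continue
        if inside and ln and ln != ".":
            out.append(ln)
    return out


def cfscript_targets(log: str) -> List[str]:
    """Paths ComboFix echoes under 'FILE ::' (the CFScript's delete list)."""
    out, inside = [], False
    for ln in log.splitlines():
        ln = ln.rstrip()
        if ln.startswith("FILE ::"):
            inside = True
            continue
        if inside:
            if not ln or ln == "." or ln.startswith("("):
                break
            out.append(ln)
    return out


def deleted_files(log: str) -> List[str]:
    return [ln for ln in section(log, "Other Deletions") if ":\\" in ln]


def unapplied_targets(log: str) -> List[str]:
    """CFScript targets that never show up as deleted (case-insensitive)."""
    done = {p.lower() for p in deleted_files(log)}
    return [p for p in cfscript_targets(log) if p.lower() not in done]


def created_entries(log: str) -> List[Dict[str, str]]:
    return [m.groupdict() for ln in section(log, "Files Created")
            if (m := _CREATED.match(ln))]


def suspicious_created(log: str) -> List[Dict[str, str]]:
    """New files under system32 that are hidden/system or randomly named."""
    hits = []
    for e in created_entries(log):
        if e["size"] == "<DIR>" or "\\windows\\system32\\" not in e["path"].lower():
            continue
        name = e["path"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if "h" in e["attrs"] or "s" in e["attrs"]:
            reasons.append("hidden/system attributes")
        if _RANDOM_NAME.fullmatch(name):
            reasons.append("random-looking 8-letter name")
        if reasons:
            hits.append(dict(e, reason="; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for p in unapplied_targets(SAMPLE_LOG):
        print("CFScript target NOT deleted:", p)
    for h in suspicious_created(SAMPLE_LOG):
        print("suspicious new file:", h["path"], "->", h["reason"])
```

Against the constructed excerpt the check reports kexeinww.dll as a target that was never deleted and flags both droppings; against the second log posted above it would report nothing unapplied, since both FILE :: entries are listed under Other Deletions. The attribute field is the same one the logs show (`--ahs----` is archive, hidden, system), so the hidden/system test reads the flags directly rather than the file name.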
  6. 2008/07/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Much better :)

    Let's see if we've missed anything. Please scan with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and a fresh HijackThis log to this topic.
     
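Added example for this thread (not Kaspersky's code and not posted by either participant): a Python triage helper for the report the scan above produces. Most of the hits such a scan reports after a ComboFix run sit in places that are already contained (the ComboFix quarantine under QooBox, System Restore points, the Deckard System Scanner backup), so the helper parses the "Infected Object Name / Virus Name / Last Action" lines, groups distinct on-disk files by location, and lists only the named detections that are still reachable, such as a Java deployment cache or a file under the user's profile. The sample report inside it is constructed in the scanner's line format; the location categories, the function names and the last "live" sample line are this example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner report by where each hit lives.

Added example for this thread, not Kaspersky's code and not posted by
anyone here. It reads the 'Infected Object Name / Virus Name / Last
Action' lines the scanner writes and separates hits that are already
contained (ComboFix quarantine, System Restore points, tool backups)
from those in places still reachable by the user or a browser.
"""
import re
from typing import Dict, List

# Constructed sample in the report's line format. The first seven lines
# mirror the kinds of entries the scanner reports on this machine; the
# last line is an invented 'live' hit so the action branch has a case.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Deckard\\System Scanner\\backup\\WINDOWS\\temp\\ONE2.tmp\\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
C:\\Deckard\\System Scanner\\backup\\WINDOWS\\temp\\ONE2.tmp\\upgrade.exe NSIS: infected - 4 skipped
C:\\Documents and Settings\\Owner\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\Owner\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\jar\\jvmimpro.jar-6b13a7e7-24e873b1.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\\Documents and Settings\\Owner\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\jar\\jvmimpro.jar-6b13a7e7-24e873b1.zip ZIP: infected - 1 skipped
C:\\QooBox\\Quarantine\\C\\Program Files\\VAV\\vav.cpl.vir Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h skipped
C:\\System Volume Information\\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\\RP555\\A0229023.exe Infected: Trojan-Downloader.Win32.Zlob.qst skipped
C:\\Documents and Settings\\Owner\\Desktop\\sample.exe Infected: Trojan.Win32.Agent.tep skipped
"""

# Three shapes of result line: a named detection, an archive container
# summary ('ZIP: infected - 1'), or a file the scanner could not open.
_LINE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<archive>\S+): infected - (?P<count>\d+)"
    r"|Object is locked) skipped$"
)

# Locations where a hit is already out of the execution path.
CONTAINED = {"combofix quarantine", "system restore point", "DSS backup"}


def location(path: str) -> str:
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix quarantine"
    if "\\system volume information\\_restore" in p:
        return "system restore point"
    if "\\deckard\\system scanner\\backup\\" in p:
        return "DSS backup"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java cache"
    if "\\temporary internet files\\" in p:
        return "browser cache"
    return "live file"


def parse_report(text: str) -> List[Dict[str, str]]:
    entries = []
    for ln in text.splitlines():
        m = _LINE.match(ln.strip())
        if not m:
            continue  # header, statistics and blank lines
        if m.group("name"):
            kind, det = "infected", m.group("name")
        elif m.group("archive"):
            kind, det = "archive", f"{m.group('archive')} ({m.group('count')} infected members)"
        else:
            kind, det = "locked", ""
        path = m.group("path")
        entries.append({"path": path, "kind": kind, "detection": det,
                        # archive members are written as file/member; the
                        # thing on disk is the part before the first '/'
                        "file": path.split("/", 1)[0],
                        "location": location(path)})
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Distinct on-disk files with a detection, grouped by location."""
    out: Dict[str, List[str]] = {}
    for e in parse_report(text):
        if e["kind"] == "locked":
            continue
        bucket = out.setdefault(e["location"], [])
        if e["file"] not in bucket:
            bucket.append(e["file"])
    return out


def needs_action(text: str) -> List[Dict[str, object]]:
    """Named detections outside quarantine, backups and restore points."""
    by_file: Dict[str, Dict[str, object]] = {}
    for e in parse_report(text):
        if e["kind"] != "infected" or e["location"] in CONTAINED:
            continue
        rec = by_file.setdefault(
            e["file"], {"file": e["file"], "location": e["location"], "detections": []})
        rec["detections"].append(e["detection"])
    return list(by_file.values())


if __name__ == "__main__":
    for where, files in triage(SAMPLE_REPORT).items():
        print(f"{where}: {len(files)} file(s)")
    for rec in needs_action(SAMPLE_REPORT):
        print("ACTION:", rec["file"], rec["location"], rec["detections"])
```

"Object is locked" lines are registry hives, event logs and browser databases the scanner could not open while Windows was running; they are not detections and the helper drops them. Hits inside quarantine or restore points go away when the quarantine folder is emptied and System Restore is flushed at the end of a cleanup; what remains on the action list (here the Java cache jar and the constructed desktop file) is what still needs removing.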
  7. 2008/07/07
    daralee100

    daralee100 Inactive Thread Starter

    Joined:
    2006/08/12
    Messages:
    98
    Likes Received:
    0
    Kaspersky log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, July 07, 2008 12:01:19
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 7/07/2008
    Kaspersky Anti-Virus database records: 919808
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 113329
    Number of viruses found: 21
    Number of infected objects: 57
    Number of suspicious objects: 0
    Duration of the scan process: 02:00:19

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\nscAA.tmp\onestep.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\nscAA.tmp\onestep.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\nscAA.tmp\osopt.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CHUPUJCN\google[2].htm Infected: Trojan-Downloader.JS.IstBar.z skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CLEY0OOH\google[2].htm Infected: Trojan-Downloader.JS.IstBar.z skipped
    C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\CLEY0OOH\prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.ab skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONE2.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.d skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONE2.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONE2.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONE2.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONE2.tmp\upgrade.exe NSIS: infected - 4 skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONEBF.tmp\upgrade.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONEBF.tmp\upgrade.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONEBF.tmp\upgrade.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONEBF.tmp\upgrade.exe/stream Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
    C:\Deckard\System Scanner\backup\WINDOWS\temp\ONEBF.tmp\upgrade.exe NSIS: infected - 4 skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\history.dat Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\key3.db Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-24e873b1.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-24e873b1.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2763b732.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2763b732.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\bp3facv4.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\QooBox\Quarantine\C\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe.vir Infected: not-a-virus:FraudTool.Win32.Antivirus2008pro.ah skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\0.exe.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.z skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\1.exe.vir Infected: not-a-virus:FraudTool.Win32.Agent.p skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\2.exe.vir Infected: not-a-virus:FraudTool.Win32.Agent.o skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\3.exe.vir Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.x skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\4.exe.vir Infected: Trojan.Win32.Agent.tep skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir/data.rar/vav.cpl Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir/data.rar/vav.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.aa skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir/data.rar Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.aa skipped
    C:\QooBox\Quarantine\C\Program Files\PCHealthCenter\5.exe.vir RarSFX: infected - 3 skipped
    C:\QooBox\Quarantine\C\Program Files\VAV\vav.cpl.vir Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h skipped
    C:\QooBox\Quarantine\C\WINDOWS\esrp.exe.vir Infected: Trojan.Win32.Vapsup.hvn skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0227792.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.aa skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228779.exe Infected: not-a-virus:FraudTool.Win32.Agent.p skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228780.exe Infected: not-a-virus:FraudTool.Win32.Agent.o skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228781.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.x skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228782.exe Infected: Trojan.Win32.Agent.tep skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228786.dll Infected: Trojan.Win32.Vapsup.hvm skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228787.dll Infected: Trojan.Win32.Vapsup.hvo skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228788.dll Infected: Trojan.Win32.Vapsup.hvl skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP549\A0228789.dll Infected: Trojan.Win32.Vapsup.hvp skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228829.cpl Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228830.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.z skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228831.exe Infected: not-a-virus:FraudTool.Win32.Agent.p skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228832.exe Infected: not-a-virus:FraudTool.Win32.Agent.o skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228833.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.x skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228834.exe Infected: Trojan.Win32.Agent.tep skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228835.exe/data.rar/vav.cpl Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228835.exe/data.rar/vav.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.aa skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228835.exe/data.rar Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.aa skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228835.exe RarSFX: infected - 3 skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228838.exe Infected: not-a-virus:FraudTool.Win32.Antivirus2008pro.ah skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP551\A0228846.exe Infected: Trojan.Win32.Vapsup.hvn skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP555\A0229019.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP555\A0229019.exe RAR: infected - 1 skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP555\A0229023.exe Infected: Trojan-Downloader.Win32.Zlob.qst skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP555\A0229038.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP556\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{A7DDE85E-6EBB-4486-A4DD-E8D2492DC462}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP556\change.log Object is locked skipped

    Scan process completed.
     
  8. 2008/07/07
    daralee100 Inactive Thread Starter
    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:02:27, on 7/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
    O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {836EB4DD-AE34-40C7-B8FD-E8CC9ECC9962} - (no file) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.bigfishgames.com/online/ricochetlostworlds/ReflexiveWebGameLoader.cab
    O16 - DPF: {4C563F3F-5621-4F23-BAC8-6B84DCA61AB2} (GoonzuGlobal_downloader Control) - http://cdn.goonzu.com/gscdnSkins/GoonzuGlobal_downloader1222.cab
    O16 - DPF: {8494B5D2-DA6A-4BB8-9C15-6C18A312387E} (Caymas Secure Tunnel) - https://connect.rehabcare.com/ui/Axt.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7758 bytes
     
  9. 2008/07/07
    noahdfear Inactive
    Looks great! Just a couple of Java temp files infected. The rest are all in quarantine by Deckards and ComboFix, and in System Restore points. Let's clean it up!

    Highlight and copy the contents of the code box below.

    Code:
    del /q  "C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-24e873b1.zip"
    del /q  "C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-2763b732.zip"
    exit
    cls
    
    Click Start>Run and type cmd then hit Enter to open a command window. Right click in the command window and select Paste. The command window will close on its own.

    Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.


    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    How's the computer behaving now?
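To see how the triage in this post follows from the scan output earlier in the thread, here is an added Python example (not from the thread or from any tool used in it) that parses lines in the Kaspersky scan format shown above and buckets each real detection by the cleanup step that removes it: a System Restore point (reset by ComboFix /u), the Java deployment cache (the del commands and ATF Cleaner's Java Cache box), or anything else. The sample log, its GUID and the Java detection name are constructed placeholders, not values from the thread.

```python
import re
from collections import Counter

# The three line shapes in the thread's Kaspersky scan output.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)
JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"

# Constructed sample in the same format (GUID and the Java detection name are placeholders).
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP551\A0228830.exe Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.z skipped
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP551\A0228835.exe/data.rar/vav.cpl Infected: not-a-virus:FraudTool.Win32.UltimateAntivirus.h skipped
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP551\A0228835.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP555\A0229023.exe Infected: Trojan-Downloader.Win32.Zlob.qst skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-24e873b1.zip Infected: Exploit.Java.CONSTRUCTED.a skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

def classify_location(path):
    """Bucket a path by which cleanup step in the thread removes it."""
    if RESTORE_RE.search(path):
        return "restore_point"  # gone when ComboFix /u resets System Restore
    if JAVA_CACHE in path.lower():
        return "java_cache"     # the del commands / ATF Cleaner's Java Cache box
    return "other"              # not covered by those steps: look at it by hand

def parse_line(line):
    """Return a record for one scan line, or None for lines that are not results."""
    line = line.strip()
    if m := INFECTED_RE.match(line):
        return {"kind": "detection", "path": m["path"], "name": m["name"],
                "where": classify_location(m["path"])}
    if m := ARCHIVE_RE.match(line):   # roll-up of hits inside an archive, not a new hit
        return {"kind": "archive", "path": m["path"], "count": int(m["count"]),
                "where": classify_location(m["path"])}
    if m := LOCKED_RE.match(line):    # in-use file the scanner could not open, not a hit
        return {"kind": "locked", "path": m["path"], "where": classify_location(m["path"])}
    return None

def summarize(log_text):
    """Count real detections per location and per Kaspersky family prefix."""
    by_location, by_family = Counter(), Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["kind"] == "detection":
            by_location[rec["where"]] += 1
            by_family[rec["name"].split(".")[0]] += 1  # e.g. "not-a-virus:FraudTool"
    return {"by_location": dict(by_location), "by_family": dict(by_family)}
```

Anything that lands in the "other" bucket is exactly what the steps in this post do not touch, so it is the list to read through before declaring the machine clean.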
     
  10. 2008/07/07
    daralee100 Inactive Thread Starter
    The computer is running great; however, the time is still in military time (the spyware changed that), so do you know how to get it back? Other than that, it's fixed. Thanks a bunch...
     
  11. 2008/07/07
    noahdfear Inactive
    Click here to run clock_fix
    You can either save it or run it ... doesn't matter. Let me know how it turns out please :)
     
  12. 2008/07/07
    daralee100 Inactive Thread Starter
    Upon a restart, the clock has been fixed. Thanks for all of your help. :)
     
  13. 2008/07/07
    noahdfear Inactive