
Thread: Need help getting Malware/Virus off


  1. #1
    Join Date
    Nov 2007
    Posts
    11

    Need help getting Malware/Virus off

    Hello,
    I am having a lot of trouble getting some malware/virus off my computer. When I start up, there are Internet Explorer and svchost processes (showing in Zone Alarm) running that I cannot shut down. I have tried using TrojanRemover and Virus Scan, but I keep getting the same errors time after time. When I try to run TrojanRemover in Safe Mode, it will not start. Here is the most current copy of my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:13:41 AM, on 11/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mmall2.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\Pelmiced.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\SYSTEM32\acs.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\DOCUME~1\Brian\LOCALS~1\Temp\208796.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Brian\Desktop\Temp\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell.myway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
    F3 - REG:win.ini: run=C:\WINDOWS\mmall2.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Palm MulitUser Config] C:\Program Files\Palm\Configtool.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133294235765
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

    Any help is appreciated. Thanks!
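As an added example (not part of the thread, and not a HijackThis feature), a small Python triage script that parses a HijackThis log excerpt like the one above and flags the entries a helper looks at first: a process running from a Temp directory, a non-empty win.ini run= autostart, an unnamed BHO, and a UserInit value that is not the stock userinit.exe. The excerpt is constructed from entries in the log above; the rule names and the triage_hjt function are my own.

```python
import re

# Constructed excerpt in HijackThis v1.99.1 format, built from entries in the log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\mmall2.exe
C:\DOCUME~1\Brian\LOCALS~1\Temp\208796.exe
C:\Program Files\Internet Explorer\iexplore.exe

F3 - REG:win.ini: run=C:\WINDOWS\mmall2.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DABCE839-3831-3818-AF3A-3837BCD324D2} - C:\WINDOWS\system32\mskvtns.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
"""

# A path component named Temp or Tmp: legitimate startup code rarely lives there.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def triage_hjt(log: str) -> list[tuple[str, str]]:
    """Return (rule, log_line) pairs for entries worth a closer look."""
    findings = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if TEMP_DIR.search(line):
                findings.append(("process running from a temp directory", line))
            continue
        if line.startswith("F3 - REG:win.ini: run="):
            if line.split("run=", 1)[1].strip():          # legacy autostart is normally empty
                findings.append(("legacy win.ini run= autostart", line))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1].strip().lower().rstrip(",")
            if not value.endswith("userinit.exe"):        # stock value is userinit.exe
                findings.append(("non-standard UserInit value", line))
        elif line.startswith("O2 - BHO: (no name)"):
            findings.append(("unnamed browser helper object", line))
        elif line.startswith("O4 -") and TEMP_DIR.search(line):
            findings.append(("autostart entry pointing into a temp directory", line))
    return findings


if __name__ == "__main__":
    for rule, entry in triage_hjt(SAMPLE_LOG):
        print(f"[{rule}] {entry}")
```

The script only narrows the list; each flagged file still needs to be checked (vendor, signature, online scan) before anything is removed, which is exactly what the helper asks for below.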

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You are showing at least one trojan in the HJT scan, which is the Troj/Cimuz-CR.
    There may be others but will need to see other scans. I would like for you to do several things. First of all, uninstall that TrojanScanner program. While it may be ok, obviously it is doing no good here, so uninstall it.
    You have entirely too much running in the background, one of which is the WebRoot Spysweeper; turn it off until given the ok.

    Now you need to go here READ ME Before Posting A Request For Assistance!
    Follow ALL steps exactly as given. I will need to see a Kaspersky online scan log, this will scan the computer but will not fix anything. But it WILL give us the location of various infected files. We need to see those. Do another online scan also and DO allow it to fix anything found.
    Also when you use the AVG Anti-spy program be absolutely certain that you allow it to clean and quarantine anything it finds. You need to save the log as a text file for posting here once all is complete.

    Download the newest version of HJT which is version 2. Delete the old version from the computer. Follow the instructions in the link above for proper location and RENAMING of HJT. This is vitally important.

    Once you have completed all steps given in the link then post back here with the Kaspersky log, the AVG Anti-spy log, the log from whichever other online scan you use and then a new HJT log. We will go from there after seeing all those logs.

  3. #3
    Join Date
    Nov 2007
    Posts
    11

    Updated logs

    Thanks jholland1964 for taking a look at this. I did not see the standard instructions before posting the first Hijackthis log.

    I have run through all of the steps:
    1) - 5) Complete
    6) After running the MS Win Malicious SW Removal tool, there was nothing found.
    7) I completed the Kaspersky Scan: KASPERSKY SCAN - before.txt
    & I used BitDefender for the fixing: BitDefender Scan - after.txt
    8A) Completed ATF-Cleaner
    8B) Completed AVG Anti-Spyware scan: Report-Scan-20071118-023323.txt
    8C) Completed MS Win Defender. Nothing found.

    Afterward I booted into Normal mode. With the ZoneAlarm running, I noticed there still was a hidden Internet Explorer window open with data being sent. I stopped all running programs and collected an updated Hijackthis log (hijackthis.txt). I have attached the requested files. Thanks again.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    This one does look much better. Where is your onboard anti-virus program? There isn't one showing in your log. This is a MUST. There are some very good FREE ones named here PROTECT YOURSELF FROM MALWARE: Tools & Tips
    Pick one, download, install and update. Keep it running at all times.
    I would like for you to run another Kaspersky scan and post that log.
    One thing noted in both Kaspersky and Bitdefender: most of these were found in temp files. Keep these emptied. Let me go through these logs more thoroughly and will see if anything else needs to be done.
    But give me the new Kaspersky log first.

  5. #5
    Join Date
    Nov 2007
    Posts
    11
    I had VirusScan Ver 7 running. I had shut it off when I was running the scans. One thing I noticed about it, there was an option to disable the On-access scan whenever you needed to do something that it might interfere with. However, for the last few days since I was trying to remove the malware, this option has been greyed out. I am not sure if it has been infected. I will run the Kaspersky scan again and post.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Just found this information:
    As of April 30, 2007, McAfee Incorporated's support lifecycle for McAfee VirusScan version 7.0 will end. The impact of this decision by McAfee is that computers running 7.0 will no longer be virus-protected after April 30th.
    You need a new anti-virus program or you need to update to version 8.

  7. #7
    Join Date
    Aug 2006
    Posts
    578

  8. #8
    Join Date
    Nov 2007
    Posts
    11
    OK. I have run an updated Kaspersky scan (KASPERSKY SCAN after clean.txt). After I ran the scan, I noticed that my computer got really slow. I used the Zone Alarm Internet lock, and noticed a bunch of data that was trying to be sent through a hidden Internet Explorer. I ran a MS Win Defender quick scan, and the data sending stopped. I will update the Virus Scan to Ver 8. How do I update the Java level? Thanks.

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You need to go into Add/Remove and uninstall the Viewpoint Manager.
    How do I update the Java level?
    You should go to Download Java Software
    Download the second choice which is the Offline Install. Save it to your desktop. Then go offline.
    Next go back into Add/Remove and remove all instances of Java that you find there. Once you have done this, then go to that Java Software that you downloaded and double click to install. Once it is installed, then go to Verify Installation to be certain that your update was complete.

    Next do the following:
    Download this file - combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log for you. Attach this log in the next post.
    Note:
    • Do not mouseclick combofix's window while it is running. That may cause it to stall.
    Post back with the combofix log and a new HJT log.

  10. #10
    Join Date
    Nov 2007
    Posts
    11
    I was able to update the java level. However, when I tried to use the combofix, it returned an error saying it was an old copy and uninstalled itself. Where can I get a current copy?

    PS - Now my internet connection is inconsistent. I get a lot of unknown data being sent, then my DSL router goes nuts and cuts off. Thanks for the help you are providing.
