Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Infected with zlob malware

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    12

    Exclamation Infected with zlob malware

    Thursday, October 11, 2007 6:11:27 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 11/10/2007
    Kaspersky Anti-Virus database records: 431126
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    Scan Statistics
    Total number of scanned objects 83227
    Number of viruses found 12
    Number of infected objects 86
    Number of suspicious objects 0
    Duration of the scan process 01:40:36

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-09192007-170124.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentci.zip/netadv.dll Infected: not-a-virus:AdWare.Win32.Agent.fh skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentci.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch1.zip/dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch1.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch3.zip/rwintldt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.r skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch3.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch9.zip/dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch9.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip/VideoAccessCodec.ocx Infected: Trojan.Win32.Agent.bxg skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\Normal.dotm Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\history.dat Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\key3.db Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\AOL OCP\AIM\Storage\data\zlink100\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{3D663FA0-B8FB-4539-A188-7A57F3531EAC} Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\057uwyjv.default\XUL.mfl Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\New Folder\codecname1342.exe/stream/Script Infected: Trojan.Win32.DNSChanger.jf skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\New Folder\codecname1342.exe/stream Infected: Trojan.Win32.DNSChanger.jf skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\New Folder\codecname1342.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\vpnxgv.exe Infected: Trojan-Downloader.Win32.Zlob.dhj skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\~DFEF28.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\~DFEF34.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\~DFF6EF.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.Word\~WRF{FD4B8EFD-7773-47EB-9D10-EE720F734B91}.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.Word\~WRS{AF26851E-9C35-4C0C-AFEF-977DEE3296BF}.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.Word\~WRS{EEF9C596-9CFF-4F98-BE22-7FBF09AD9ECC}.tmp Object is locked skipped
    C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
    C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
    C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
    C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP10\change.log Object is locked skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004601.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004601.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004601.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004602.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004602.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004602.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004603.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004603.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004603.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004605.exe Infected: Trojan-Downloader.Win32.Zlob.dhj skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004607.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004607.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004607.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004608.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004608.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004608.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004609.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004609.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004609.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004610.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004610.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004610.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004611.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004611.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004611.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004612.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004612.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004612.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004613.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004613.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004613.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004614.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004614.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004614.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004623.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004623.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004623.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004624.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004624.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004624.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004625.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004625.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004625.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004626.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004626.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004626.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004627.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004627.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004627.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004628.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004628.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004628.exe NSIS: infected - 2 skipped

  2. #2
    Junior Member
    Join Date
    Oct 2007
    Posts
    12

    Default

    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004629.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004629.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004629.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004630.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004630.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004630.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004631.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004631.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dhi skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP8\A0004631.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP9\A0005673.dll Infected: not-a-virus:AdWare.Win32.Agent.fh skipped
    C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP9\A0005675.ocx Infected: Trojan.Win32.Agent.bxg skipped
    C:\WINDOWS\bndsrsvk.dll Infected: not-a-virus:AdWare.Win32.Agent.fh skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\main_uninstaller.exe Infected: not-a-virus:AdWare.Win32.Agent.jr skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\chks2\MSI17bb.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
    C:\WINDOWS\system32\chks2\MSI17bb.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
    C:\WINDOWS\system32\chks2\MSI17bb.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
    C:\WINDOWS\system32\chks2\MSI17bb.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
    C:\WINDOWS\system32\chks2\MSI17bb.exe NSIS: infected - 4 skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:06:32 PM, on 10/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\sstray.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qomnmkh.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [bal] C:\Program Files\WinMsg\SYSMONMS.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubles.../usbaptest.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files...reeInstall.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v48/pool/pool.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...9/mcinsctl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aimprods01.webex.com/client/...ex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O20 - Winlogon Notify: qomnmkh - qomnmkh.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe

    --
    End of file - 10186 bytes


    These are results of my kaspersky and hijackthis! scans. I think i am infected with 5 types of the zlob trojan and they are all annoying. i cant get rid of them with spybot even in safe mode nor when i start up my computer. please help!

  3. #3
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I apologize for the wait, volunteers are overwhelmed at all forums

    See this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\j2re1.4.2\ <<< your Java program is BADLY out of date and likely the reason you are infected. Download the newest version and uninstall all old versions in Add Remove programs.

    Some of the Kaspersky items are here:
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< Open Spybot S&D and click the white case with the red X and delete the contents.

    Much is in System Restore and we will clean it before we finish. It can not reinfect you unless you do a System Restore, so DO NOT.


    http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    Post ONLY the C:\rapport.txt

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  4. #4
    Junior Member
    Join Date
    Oct 2007
    Posts
    12

    Default

    Thanks for answering to my reply. May be late, but better than nothing after all. About Java, haven't really been up to date with it . Here is my Smitfraud report.

    SmitFraudFix v2.240

    Scan done at 22:09:27.54, Wed 10/17/2007
    Run from C:\Documents and Settings\Owner\Downloads\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sstray.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 www.legal-at-spybot.info
    127.0.0.1 legal-at-spybot.info

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="kdqor.exe"

    kdqor.exe detected !


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
    DNS Server Search Order: 208.67.220.220
    DNS Server Search Order: 208.67.222.222

    Description: NVIDIA nForce MCP Networking Controller - Packet Scheduler Miniport
    DNS Server Search Order: 208.67.220.220
    DNS Server Search Order: 208.67.222.222

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{FECA71FA-F1E0-497A-8D60-7FA26B779D35}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{FECA71FA-F1E0-497A-8D60-7FA26B779D35}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{FECA71FA-F1E0-497A-8D60-7FA26B779D35}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    I hope you answer soon.

    On an unrelated note, I see that you are a Zelda fan. Me too! lol! Anyway, thanks again in advance

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information and the feedback, Smitfraud has found that infection, follow these directions.

    http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed

    Clean:
    Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    Double-click SmitfraudFix.exe
    Select 2 and hit Enter to delete infect files.
    You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:
    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    Post the C:\rapport.txt, a new HJT log and let me know how the computer is running now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Oct 2007
    Posts
    12

    Default

    Thanks for responding so quickly. apparently when i ran Smitfraud, my desktop became none. Are all my settings changed to their default know? i say this because Teatimer kept on warning me about changes to my computer after I rebooted and they looked like the default settings. anyway, here is my HJT log (My Smitfraud log was over 5 posts long so I didn't put it in).

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:58:09 PM, on 10/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sstray.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CAVSubmit.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubles.../usbaptest.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files...reeInstall.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v48/pool/pool.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...9/mcinsctl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aimprods01.webex.com/client/...ex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O20 - Winlogon Notify: qomnmkh - qomnmkh.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 9939 bytes

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    I have never seen a Smitfraudfix report that big, I will guess since the "search" function found this:
    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !


    That it is long beause of the corrupted Hosts file Smitfraudfix removed. Can you edit out the Hosts file information and post the rest?

    I am also going to guess that this: 208.67.220.220 has nothing to do with your ISP and was placed on your computer by the hackers. See what it is:
    http://whois.domaintools.com/208.67.220.220
    Hackers have been using that number a lot lately, if you have any doubts, check with your Internet Service Provider before you remove those.

    We still have work to do, proceed like this.

    How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    TeaTimer will block changes we must make, use these instructions to turn it off until you are finished.
    http://russelltexas.com/malware/teatimer.htm

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    (first item is valid, but damaged, install it again if you use it once we finish)

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files...reeInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer = 208.67.220.220,208.67.222.222
    O20 - Winlogon Notify: qomnmkh - qomnmkh.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\system32\dwdsrngt.exe <<< delete that file

    Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post a new HJT log. Let me know how the computer is performing now.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Oct 2007
    Posts
    12

    Default

    Here is my Smitfaud report:

    SmitFraudFix v2.240

    Scan done at 15:38:25.18, Thu 10/18/2007
    Run from C:\Documents and Settings\Owner\Downloads\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{FECA71FA-F1E0-497A-8D60-7FA26B779D35}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{FECA71FA-F1E0-497A-8D60-7FA26B779D35}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{3232AE7C-D6A2-48FD-843F-C234D416333F}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{892EBBC2-CFB6-4CBC-A1A6-FEEADB57EECB}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{FECA71FA-F1E0-497A-8D60-7FA26B779D35}: DhcpNameServer=208.67.220.220,208.67.222.222
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"="kdqor.exe"

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» Reboot

    C:\WINDOWS\system32\kdqor.exe not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Next, I couldn't download ATFcleaner.exe.
    I removed everything i could remove with hijack this! I couldn't remove O17 - HKLM\System\CCS\Services\Tcpip\..\{A129D44B-2356-48D6-8995-6486AB120FE2}: NameServer = 208.67.220.220,208.67.222.222 though because i couldn't find it.
    Finally comes my HJT log. Well, here it is:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:23:27 PM, on 10/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sstray.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubles.../usbaptest.cab
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v48/pool/pool.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...9/mcinsctl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aimprods01.webex.com/client/...ex/ieatgpc.cab
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O20 - Winlogon Notify: qomnmkh - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 9121 bytes

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    While we really do not need to use ATF-Cleaner, is is a great free fool and I was wondering why you could not download it. I clicked the link and had no problems:
    http://www.atribune.org/content/view/25/2/ <<< here

    http://www.atribune.org/public-beta/ATF-Cleaner.exe <<< download

    You may also use CleanManager: http://spyware-free.us/tutorials/cleanmgr/

    We still have junk that was not remove, it is very important that you turn TeaTimer off as instructed. It will block the changes we must make.
    Please follow the directions exactly, let me know if you can not do any of them.

    1) Turn TeaTimer completely off:
    http://russelltexas.com/malware/teatimer.htm

    2) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
    O20 - Winlogon Notify: qomnmkh - C:\WINDOWS\

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    4) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINDOWS\system32\dwdsrngt.exe <<< delete that file
    5) Run clean manager
    http://spyware-free.us/tutorials/cleanmgr/

    Restart the computer and post a new HJT log, let me know how the computer is running.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Oct 2007
    Posts
    12

    Default

    That second link for ATF-cleaner worked actually. The first just sent me to some website for it. Next, when I used it, it said "no files removed". What does that mean? When I tried downloading Cleanmanager, I was sent to a website the a banner at the top, a copyright at bottom, and a lot of white space in the center. Finally, I still couldn't locate that file in system 32, and all hidden files are being shown. Here is my most recent HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:17:44 PM, on 10/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\sstray.exe
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubles.../usbaptest.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v48/pool/pool.cab
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...9/mcinsctl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://aimprods01.webex.com/client/...ex/ieatgpc.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 7815 bytes

    Thanks again for helping me out with my problems. You guys are the best!
    BTW nothing has really been developing with the zlobs. Nothing has gotten worse, but nothing has improved. Anyway, thanks again.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •