Problems with zlob.DNSChanger and Zlock.uc

**pleasehelp25** · 2007-12-02, 22:59

Hi There:

I have tried to follow the procedure given in the "before you post" thread, however i was unable to get my computer to reboot in safe mode after attempting to do so several times. What i have done is:

1. Run Mcaffee virusscan 3 times (i have purchased this program)
2. Run Adaware 2007 2 times
3. Run the new version of spybot search and destroy several times..the zlob.DNSChanger and Zlock.uc seem to be reinstalled as they are there everytime i run it.
4. Run the karpersky log once.

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:30 PM, on 02/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
G:\adaware2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
G:\Zen Micro\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Integrator.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
G:\PROGRA~1\YAHOOM~1\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\MEGAN MARI\Application Data\Mozilla\Profiles\default\qwwvc1at.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://g%3A%5Cnetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MEGAN MARI\Application Data\Mozilla\Profiles\default\qwwvc1at.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7c3a1e04-1dd2-11b2-8dbf-ccb88fc221dd} - C:\WINDOWS\wrqzmpqz.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {b58ae21e-1dd1-11b2-80e9-e1e0cd9d1e2c} - C:\WINDOWS\ovubwnkz.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\AdobeReader8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [yvyvwvex] rundll32.exe "C:\Program Files\yvyvwvex\opqpuzof.dll",Init
O4 - HKLM\..\Run: [tqtetezo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\tqtetezo.dll"
O4 - HKLM\..\Run: [rehinsvc] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rehinsvc.dll"
O4 - HKLM\..\Run: [vadafaxe] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vadafaxe.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P22 "EPSON Stylus COLOR 580" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\PROGRA~1\YAHOOM~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Detector] G:\Zen Micro\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKLM\..\Policies\Explorer\Run: [exshIe0Sn2] rundll32.exe "C:\WINDOWS\PeMon\pemon.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - G:\EmpirePoker\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - G:\EmpirePoker\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\Program Files\YahooMessenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\Program Files\YahooMessenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab53083.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab53083.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab53083.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/bingame/zpagames...n.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab53852.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O22 - SharedTaskScheduler: WaitWain for Windows - {C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\adaware2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 11154 bytes

Karpersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 02, 2007 3:10:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/12/2007
Kaspersky Anti-Virus database records: 470424
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 78518
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:30:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\ODSLog\Megan Mari_ods.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Megan Mari\Application Data\Mozilla\Firefox\Profiles\default.znu\cert8.db Object is locked skipped
C:\Documents and Settings\Megan Mari\Application Data\Mozilla\Firefox\Profiles\default.znu\formhistory.dat Object is locked skipped
C:\Documents and Settings\Megan Mari\Application Data\Mozilla\Firefox\Profiles\default.znu\history.dat Object is locked skipped
C:\Documents and Settings\Megan Mari\Application Data\Mozilla\Firefox\Profiles\default.znu\key3.db Object is locked skipped
C:\Documents and Settings\Megan Mari\Application Data\Mozilla\Firefox\Profiles\default.znu\parent.lock Object is locked skipped
C:\Documents and Settings\Megan Mari\Application Data\Mozilla\Firefox\Profiles\default.znu\search.sqlite Object is locked skipped
C:\Documents and Settings\Megan Mari\Application Data\Mozilla\Firefox\Profiles\default.znu\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Megan Mari\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.znu\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.znu\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.znu\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.znu\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\History\History.IE5\MSHist012007120220071203\index.dat Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Temp\~DFCE4.tmp Object is locked skipped
C:\Documents and Settings\Megan Mari\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Megan Mari\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Megan Mari\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1CD8DC00-DE64-4B53-90E8-2BE03A2CEB16}\RP1107\A0099292.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{1CD8DC00-DE64-4B53-90E8-2BE03A2CEB16}\RP1110\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B7A5DF19-7F9E-4A9C-AF2B-8764AFA40630}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{1CD8DC00-DE64-4B53-90E8-2BE03A2CEB16}\RP1110\change.log Object is locked skipped

Scan process completed.

**Shaba** · 2007-12-04, 13:28

Hi pleasehelp25

1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report

**pleasehelp25** · 2007-12-04, 16:33

Hi There:
First of all thank you so very much for your prompt reply! I need my computer back desperately and i really appreciate your help.

I downloaded combofix and ran it, however i have a feeling i might have to run it again. While the program was running, my mcafee virusscan kept popping up that combofix was running suspicious scripts and was stopped, so i would hit "allow this time". In addition, i received several alerts from spybot search and destroy regarding changes that had been made and whether i wanted to allow them or not...at first i was saying deny (because i thought these were changes from the virus i have) but i suppose they might have been changes from the combofix? Please let me know. I did allow it to delete one thing that i recognized as a virus file. I can post the log from the spybot resident of what i changed if you need to see that.

Combofix log:

ComboFix 07-12-02.6 - Megan Mari 2007-12-04 9:08:41.1 - NTFSx86
Running from: C:\Documents and Settings\Megan Mari\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Megan Mari\Application Data\dach100.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 19:15 . 2007-12-03 22:51 <DIR> d-------- C:\Documents and Settings\Megan Mari\.housecall6.6
2007-12-03 09:06 . 2007-12-03 09:06 106,496 --a------ C:\WINDOWS\gpcbkbgr.dll
2007-12-02 15:49 . 2007-12-02 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 15:41 . 2007-12-02 15:41 106,496 --a------ C:\WINDOWS\ovubwnkz.dll
2007-12-02 10:26 . 2007-12-02 10:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-02 10:26 . 2007-12-02 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-02 10:02 . 2007-12-02 10:02 114,688 --a------ C:\WINDOWS\wrqzmpqz.dll
2007-12-02 02:12 . 2007-12-02 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 01:05 . 2007-12-02 01:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 19:09 . 2007-12-01 19:10 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-12-01 19:09 . 2007-12-01 19:09 <DIR> d-------- C:\WINDOWS\PeMon
2007-12-01 19:09 . 2007-12-01 19:09 <DIR> d-------- C:\WINDOWS\keehnkwp
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpF8215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpDD215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpDB215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpCF215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpB2315.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpA4315.FOT
2007-11-28 23:35 . 2007-11-29 22:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-27 21:47 . 1997-02-24 10:38 455,168 --a------ C:\WINDOWS\system32\redllw32.dll
2007-11-27 21:47 . 1997-02-24 10:27 240,128 --a------ C:\WINDOWS\system32\PDDLLW32.DLL
2007-11-27 21:47 . 2007-11-27 21:47 33,803 --a------ C:\WINDOWS\DeIsL1.isu
2007-11-17 22:59 . 2007-12-01 19:28 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 06:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-02 07:56 --------- d-----w C:\Program Files\Google
2007-11-18 21:07 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-18 21:04 --------- d-----w C:\Documents and Settings\Megan Mari\Application Data\AdobeUM
2007-10-18 02:41 --------- d-----w C:\Program Files\Java
1998-08-24 18:09 10,000 -c--a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c3a1e04-1dd2-11b2-8dbf-ccb88fc221dd}]
2007-12-02 10:02 114688 --a------ C:\WINDOWS\wrqzmpqz.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ae20b2e4-1dd1-11b2-9a08-944ab0ccba0d}]
2007-12-03 09:06 106496 --a------ C:\WINDOWS\gpcbkbgr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b58ae21e-1dd1-11b2-80e9-e1e0cd9d1e2c}]
2007-12-02 15:41 106496 --a------ C:\WINDOWS\ovubwnkz.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"EPSON Stylus COLOR 580"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.exe" [2001-09-13 13:53]
"Yahoo! Pager"="G:\PROGRA~1\YAHOOM~1\YAHOOM~1.exe" [2007-08-30 17:43]
"Creative Detector"="G:\Zen Micro\Detector\CTDetect.exe" [2004-12-02 18:23]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"SpybotSD TeaTimer"="G:\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 01:34 C:\WINDOWS\SOUNDMAN.EXE]
"AlcFDMonitor"="C:\WINDOWS\ALCFDRTM.EXE" [2004-01-26 20:04]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 01:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-02 22:30]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 12:05]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"Adobe Reader Speed Launcher"="G:\AdobeReader8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"system"="kdrdk.exe"

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 09:24:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\kdrdk.exe 66099 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-12-04 9:26:15 - machine was rebooted
.
--- E O F ---

HIjack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:18 AM, on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
G:\adaware2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
G:\Zen Micro\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\Integrator.exe
G:\PROGRA~1\YAHOOM~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\MEGAN MARI\Application Data\Mozilla\Profiles\default\qwwvc1at.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://g%3A%5Cnetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MEGAN MARI\Application Data\Mozilla\Profiles\default\qwwvc1at.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7c3a1e04-1dd2-11b2-8dbf-ccb88fc221dd} - C:\WINDOWS\wrqzmpqz.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {ae20b2e4-1dd1-11b2-9a08-944ab0ccba0d} - C:\WINDOWS\gpcbkbgr.dll
O2 - BHO: (no name) - {b58ae21e-1dd1-11b2-80e9-e1e0cd9d1e2c} - C:\WINDOWS\ovubwnkz.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\AdobeReader8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P22 "EPSON Stylus COLOR 580" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\PROGRA~1\YAHOOM~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Detector] G:\Zen Micro\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [exshIe0Sn2] rundll32.exe "C:\WINDOWS\PeMon\pemon.dll",DllCleanServer
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - G:\EmpirePoker\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - G:\EmpirePoker\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab53083.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab53083.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab53083.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/bingame/zpagames...n.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab53852.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O22 - SharedTaskScheduler: WaitWain for Windows - {C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\adaware2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 10691 bytes

**Shaba** · 2007-12-04, 16:43

Hi

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\gpcbkbgr.dll
C:\WINDOWS\ovubwnkz.dll
C:\WINDOWS\wrqzmpqz.dll

Folder::
C:\WINDOWS\keehnkwp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c3a1e04-1dd2-11b2-8dbf-ccb88fc221dd}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ae20b2e4-1dd1-11b2-9a08-944ab0ccba0d}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b58ae21e-1dd1-11b2-80e9-e1e0cd9d1e2c}]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

**pleasehelp25** · 2007-12-04, 18:33

I am at work right now so I am unable to complete the steps you requested until later on today, however i will do so as soon as i get home. I have a question though: Should i somehow disable mcafee virusscan so it doesn't interfere with the fixes as well or is it ok to leave it running?

**Shaba** · 2007-12-04, 18:37

Hi

It should not interfere.

**pleasehelp25** · 2007-12-04, 18:41

Thank you so much

Will post logs later today.

**Shaba** · 2007-12-04, 18:42

Hi

You're welcome and I'll be waiting

**pleasehelp25** · 2007-12-05, 00:45

Hi Shaba:

I think the combofix worked better this time (at least it seemed to delete more stuff!).

Fixwareoutlog:

Username "Megan Mari" - 04/12/2007 17:26:22 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdrdk.exe"

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\TEMP\kdrdk.ren 66099 04/08/2004

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"AlcFDMonitor"="C:\\WINDOWS\\ALCFDRTM.EXE"
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"Adobe Reader Speed Launcher"="\"G:\\AdobeReader8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"EPSON Stylus COLOR 580"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_AICN03.EXE /P22 \"EPSON Stylus COLOR 580\" /O6 \"USB001\" /M \"Stylus COLOR 580\""
"Yahoo! Pager"="\"G:\\PROGRA~1\\YAHOOM~1\\YAHOOM~1.EXE\" -quiet"
"Creative Detector"="G:\\Zen Micro\\Detector\\CTDetect.exe /R"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Combofix log:

ComboFix 07-12-02.6 - Megan Mari 2007-12-04 17:35:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.673 [GMT -6:00]
Running from: C:\Documents and Settings\Megan Mari\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Megan Mari\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\gpcbkbgr.dll
C:\WINDOWS\ovubwnkz.dll
C:\WINDOWS\wrqzmpqz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Megan Mari\Application Data\dach100.dll
C:\WINDOWS\gpcbkbgr.dll
C:\WINDOWS\keehnkwp
C:\WINDOWS\keehnkwp\1.png
C:\WINDOWS\keehnkwp\2.png
C:\WINDOWS\keehnkwp\3.png
C:\WINDOWS\keehnkwp\4.png
C:\WINDOWS\keehnkwp\5.png
C:\WINDOWS\keehnkwp\6.png
C:\WINDOWS\keehnkwp\7.png
C:\WINDOWS\keehnkwp\8.png
C:\WINDOWS\keehnkwp\9.png
C:\WINDOWS\keehnkwp\bottom-rc.gif
C:\WINDOWS\keehnkwp\config.png
C:\WINDOWS\keehnkwp\content.png
C:\WINDOWS\keehnkwp\download.gif
C:\WINDOWS\keehnkwp\frame-bg.gif
C:\WINDOWS\keehnkwp\frame-bottom-left.gif
C:\WINDOWS\keehnkwp\frame-h1bg.gif
C:\WINDOWS\keehnkwp\head.png
C:\WINDOWS\keehnkwp\icon.png
C:\WINDOWS\keehnkwp\index.html
C:\WINDOWS\keehnkwp\main.css
C:\WINDOWS\keehnkwp\memory-prots.png
C:\WINDOWS\keehnkwp\net.png
C:\WINDOWS\keehnkwp\pc-mag.gif
C:\WINDOWS\keehnkwp\pc.gif
C:\WINDOWS\keehnkwp\poloska1.png
C:\WINDOWS\keehnkwp\poloska2.png
C:\WINDOWS\keehnkwp\poloska3.png
C:\WINDOWS\keehnkwp\promo1.html
C:\WINDOWS\keehnkwp\promo10.html
C:\WINDOWS\keehnkwp\promo11.html
C:\WINDOWS\keehnkwp\promo12.html
C:\WINDOWS\keehnkwp\promo13.html
C:\WINDOWS\keehnkwp\promo14.html
C:\WINDOWS\keehnkwp\promo15.html
C:\WINDOWS\keehnkwp\promo16.html
C:\WINDOWS\keehnkwp\promo17.html
C:\WINDOWS\keehnkwp\promo18.html
C:\WINDOWS\keehnkwp\promo2.html
C:\WINDOWS\keehnkwp\promo3.html
C:\WINDOWS\keehnkwp\promo4.html
C:\WINDOWS\keehnkwp\promo5.html
C:\WINDOWS\keehnkwp\promo6.html
C:\WINDOWS\keehnkwp\promo7.html
C:\WINDOWS\keehnkwp\promo8.html
C:\WINDOWS\keehnkwp\promo9.html
C:\WINDOWS\keehnkwp\reg.png
C:\WINDOWS\keehnkwp\repair.png
C:\WINDOWS\keehnkwp\scr-1.png
C:\WINDOWS\keehnkwp\scr-2.png
C:\WINDOWS\keehnkwp\start.png
C:\WINDOWS\keehnkwp\styles.css
C:\WINDOWS\keehnkwp\top-rc.gif
C:\WINDOWS\keehnkwp\vline.gif
C:\WINDOWS\keehnkwp\wp.png
C:\WINDOWS\ovubwnkz.dll
C:\WINDOWS\wrqzmpqz.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 19:15 . 2007-12-03 22:51 <DIR> d-------- C:\Documents and Settings\Megan Mari\.housecall6.6
2007-12-02 15:49 . 2007-12-02 15:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 10:26 . 2007-12-02 10:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-02 10:26 . 2007-12-02 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-02 02:12 . 2007-12-02 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 01:05 . 2007-12-02 01:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 19:09 . 2007-12-01 19:10 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-12-01 19:09 . 2007-12-01 19:09 <DIR> d-------- C:\WINDOWS\PeMon
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpF8215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpDD215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpDB215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpCF215.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpB2315.FOT
2007-11-29 21:38 . 2007-11-29 21:38 1,409 --a------ C:\WINDOWS\system32\tmpA4315.FOT
2007-11-28 23:35 . 2007-11-29 22:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-27 21:47 . 1997-02-24 10:38 455,168 --a------ C:\WINDOWS\system32\redllw32.dll
2007-11-27 21:47 . 1997-02-24 10:27 240,128 --a------ C:\WINDOWS\system32\PDDLLW32.DLL
2007-11-27 21:47 . 2007-11-27 21:47 33,803 --a------ C:\WINDOWS\DeIsL1.isu
2007-11-17 22:59 . 2007-12-01 19:28 <DIR> d-------- C:\Program Files\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 06:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-12-02 07:56 --------- d-----w C:\Program Files\Google
2007-11-18 21:07 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-18 21:04 --------- d-----w C:\Documents and Settings\Megan Mari\Application Data\AdobeUM
2007-10-18 02:41 --------- d-----w C:\Program Files\Java
1998-08-24 18:09 10,000 -c--a-w C:\WINDOWS\inf\unregpn.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"EPSON Stylus COLOR 580"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.exe" [2001-09-13 13:53]
"Yahoo! Pager"="G:\PROGRA~1\YAHOOM~1\YAHOOM~1.exe" [2007-08-30 17:43]
"Creative Detector"="G:\Zen Micro\Detector\CTDetect.exe" [2004-12-02 18:23]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 01:34 C:\WINDOWS\SOUNDMAN.EXE]
"AlcFDMonitor"="C:\WINDOWS\ALCFDRTM.EXE" [2004-01-26 20:04]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 01:00]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-02 22:30]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02]
"Adobe Reader Speed Launcher"="G:\AdobeReader8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56]

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R0 si3112;SiI-3112 SATALink Controller;C:\WINDOWS\system32\drivers\si3112.sys
R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 17:38:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 17:39:50 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-04 09:26
.
--- E O F ---

New Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:30 PM, on 04/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
G:\adaware2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
G:\Zen Micro\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\Integrator.exe
G:\PROGRA~1\YAHOOM~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\MEGAN MARI\Application Data\Mozilla\Profiles\default\qwwvc1at.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://g%3A%5Cnetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\MEGAN MARI\Application Data\Mozilla\Profiles\default\qwwvc1at.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\AdobeReader8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus COLOR 580] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P22 "EPSON Stylus COLOR 580" /O6 "USB001" /M "Stylus COLOR 580"
O4 - HKCU\..\Run: [Yahoo! Pager] "G:\PROGRA~1\YAHOOM~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Creative Detector] G:\Zen Micro\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O8 - Extra context menu item: &Yahoo! Search - file:///G:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///G:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///G:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///G:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - G:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - G:\EmpirePoker\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - G:\EmpirePoker\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab53083.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab53083.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab53083.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/bingame/zpagames...n.cab53083.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab53852.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O22 - SharedTaskScheduler: WaitWain for Windows - {C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\adaware2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

--
End of file - 10031 bytes

**pleasehelp25** · 2007-12-05, 05:52

By the by...

My computer seems to be running much better now. I no longer receive 5 popup windows regarding files (which i am sure were virus related) not working when i start windows, i am not receiving fake windows security notifcations popups from my toolbar, the internet is now loading pages properly rather then failing to load pages until after i have tried a couple times, and the computer is much faster to boot up!

Rest assured that i will follow all further instructions you give me, i just wanted to share my excitement!

Thread: Problems with zlob.DNSChanger and Zlock.uc

Thread Tools

Display

Problems with zlob.DNSChanger and Zlock.uc

Posting Permissions