New Malware/Hijack? Poss Zlob. - Safer-Networking Forums

Griffin175 · 2007-08-16, 01:01

Ok, here is the Synopsis:
Get message that windows has downloaded new updates that require reboot for changes to take effect. Seemed very legitamate. Once it rebooted I knew something was very wrong. The resolution on my monitor was horrible, and got a message in the icon tray saying that my settings had been changed click here to fix them....i never did. It would not allow me to change the settings manually. I immediatley ran SSD, I was perplexed when it gave me an Scan aborted by user message after only bout 30secs of scaning, b/c i never did abort the scan. Then ran a version of XoftSpy that picked up no threats. Once XoftSpy had finished its scan SSD then gave me a message on top of Scan Abort that it had finished and no threats were found.

. Then had SSD run a one time run at check at start up and rebooted. It ran and detected no threats but this time when i tried to open a web page just got an error report from Windows that it could not open Explorer. In frustration I went to bed.
Next day still have problems but internet now seems to work.
Ran Kaspersky and F-Secure as instructed reports below. Then when I rebooted windows didnt seem to go into safe mode, just asked me to select a operating system, ran spybot again with no threats deteced. Reboot then HJT. Any help would be apprecitated.

Logfile of HijackThis v1.99.1
Scan saved at 6:36:13 PM, on 8/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
D:\iTunesHelper.exe
D:\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\O1JD2IO9\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.c
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=040405 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180/component/VZWDLManager.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag3606.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

Told me that post was too long so I have omitted Kaspersky and F-Secure report. Can follow up with if needed.
I hope that covers it.

pskelley · 2007-08-17, 12:45

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I am not sure if I can help you or not, but I am wiling to give it a try. First I need to tell you that HJT if showing nothing in the way of malware. I do see this: HJT needs a permanent folder to store HJT.exe, logs and backups for safety. You are running from a Temporary folder. I suggest going to your C:\ and RIGHT clicking on a blank spot then making a new folder called HJT. Move the HijackThis.exe into that folder. It will look like this: C:\HJT\HijackThis.exe.
If you need more instructions than than, use these:
http://russelltexas.com/malware/createhjtfolder.htm
http://www.bleepingcomputer.com/forums/tutorial94.html

Could you tell me why you believe it is Poss Zlob? Post any error message you are receiving "word for word"

Post the Kaspersky (NOT f-Secure unless I ask) and break it into however may posts you need to get it done, it may provide clues.

Because of the symptoms you describe, I fear the issue may not be malware. I would like to look at a free diagnostic report from here: http://www.pcpitstop.com/
Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
near the end of the tutorial are instructions for posting the link to the test results in bold red rpint.

Recap: Post and new information you think will help, any error messages you receive, a link to the test results from the diagnostic report and the Kaspersaky scan results.

Thanks

Griffin175 · 2007-08-18, 00:47

Ok i will do the best i can....IE keeps giving me error messages that say it needs to close so i get to start all over frquently. The PC pitstop site isnt exactly as described in the tutorial so i hope this link is the one you want.

http://www.pcpitstop.com/pcpitstop/S...conid=18457359

Ive put HJT in the D: drive since my C: drive is just about maxed out. That shouldnt be a prob should it?

FYI. Since my hard drive is about full I have tried to free up space by deleting programs. I dont know if this has any relavence but i deleted old versions of JAVA in the remove/uninstall option in windows since it was hoggin memory. I also compressed the C: drive in an attempt to free up drive space, and I think it freed up a whopping 0.5 GB. what a waste.

The reason that i thought it might be a Zlob is that this problem occured right after...and i will say it unlike most that post here...visiting "adult" web sites. After reading the post by tashi about what Zlobs are and how they infect, it was just my "gut" feeling.

When I boot up and it goes to the desk top there is a icon that appears in the task bar tray that says the following:
Display Settings
Your computer screen resolution and color depth are currently set at a very low level. You can get a better picture by increasing these settings. To do this, click this ballon.
I never have clicked that balloon. Once you open some program it goes away. Im just nervous about it after a run in with SpySherrif about 4 years ago with similar characteristics as this problem im having now.

Also keep getting errors from IE and it keeps closing and wanting to send error reports. I have never had this problem before. It happened 5 times while trying to do PCPitstop. If there is any information that you need from these error messages and can post it.

Griffin175 · 2007-08-18, 00:49

Kaspersky Report.

I ran Kaspersky first then ran F-Secure that removed a few items. I dont know if it removed anything that Kaspersky turned up.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 15, 2007 12:11:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 15/08/2007
Kaspersky Anti-Virus database records: 381350
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 99152
Number of viruses found: 9
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 02:14:40

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\47485a30311d2bb7295d893464c8790e_e9165ebb-4906-446e-b11d-a2e00e860f2c Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak skipped
C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip/VB.class Infected: Trojan.Java.ClassLoader.ak skipped
C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132 ZIP: infected - 3 skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Josh\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Josh\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Josh\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\csnoh.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\WINDOWS\system32\dmmps.exe Infected: Trojan.Win32.Small.fb skipped
C:\WINDOWS\system32\dmzxy.exe Infected: Trojan.Win32.Small.fb skipped
C:\WINDOWS\system32\drivers\etc\hosts.20040417-212112.backup Infected: not-a-virus:AdWare.Win32.XmlMimeFilter.a skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\HJT\backups\backup-20060212-190751-164.dll Infected: not-a-virus:AdWare.Win32.Coupons.h skipped
D:\Program Files\Monopoly3-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
D:\Program Files\Monopoly3Setup-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

Scan process completed.

pskelley · 2007-08-18, 00:52

That link is not to your test results, click it to see. Please follow the instructions in the tutorial. Click the link yourself first to make sure it shows the test results.

Thanks

This is NOT your information but this is what the correct link will show me:
http://www.pcpitstop.com/pcpitstop/S...RCHWQXT8VS6H6V

pskelley · 2007-08-18, 01:32

I can see some of your problems in the Kaspersky scan, you have an infected Java cache which you can clean with this information:
http://support.f-secure.com/enu/home...avacache.shtml

I believe you have an infected hosts file, please post ti so I can see:
Start -> Run -> Copy the following to the box and hit enter:
C:\WINDOWS\System32\drivers\etc\HOSTS
A window opens, choose Notepad from the list and hit OK.
A notepad document opens, copy the contents to here

C:\WINDOWS\system32\csnoh.exe <<< delete
C:\WINDOWS\system32\dmmps.exe <<< delete
C:\WINDOWS\system32\dmzxy.exe <<< delete
D:\HJT\backups\backup-20060212-190751-164.dll <<< delete that backup in HJT
D:\Program Files\Monopoly3-dm.exe <<< delete that file, it is infected
D:\Program Files\Monopoly3Setup-dm.exe <<< delete that file, it is infected

Right click on MyComputer, then click on Properties. In the lower right hand corner of the System Properties Window will be the amount of RAM you have installed, post that information.

Thanks

Griffin175 · 2007-08-18, 02:20

the tutorial wasnt like the actual website so I did my best

http://pcpitstop.com/pcpitstop/Summa...conid=18457359

thats the link that is saved under my history in PCPitstop?

and it matches what i see after clicking the link, so now what?

I manually deleted all files and folders in the :

C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\

Host file Results:
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

127.0.0.1 localhost

I deleted the files that you asked me to although they were listed as *.0xe.

As for the Monopoly3-dm.exe and the Monopoly3Setup-dm.exe it wont let me delete them.

It gives me this message:

Error deleting file or folder
X cannot delte "file name": It is being used by another person or program. Close any programs that might be using the file and try again.

I have tried to delete these files before with the same results.

760 MB or RAM.

pskelley · 2007-08-18, 03:00

You might want to run the scan again, this is what you are posting for me:
http://pcpitstop.com/pcpitstop/defau...ason=not_owner
Understand if you don't register for the free tests, you can not save the test results, the one I need to see will look similiar to this one:
http://www.pcpitstop.com/pcpitstop/S...RCHWQXT8VS6H6V <<< click on this link and look

Quote:

As for the Monopoly3-dm.exe and the Monopoly3Setup-dm.exe it wont let me delete them.

Boot into safe mode and delete them there:
http://spyware-free.us/tutorials/safemode/ <<< tutorial

That is probably enough ram, no excess of it though.

Once you post that link, then run combofix to see what it finds, please follow the directions:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks

Griffin175 · 2007-08-18, 03:40

Ok, I understand what your looking for, I guess I just dont know how to give it to you. When I am looking at the page that you describe I copy the address in the IE address bar and paste it.

This link here gives me the exact screen your looking for: http://pcpitstop.com/pcpitstop/Summa...conid=18457359

Exactly how do you register for free tests? This should be easier than I am making it.

http://pcpitstop.com/pcpitstop/summary.asp

When I try to run the Test I get this error message at the start:

16 bit MS-DOS Subsystem
C:\WINDOWS\system32\pcbios.exe
C:PROGRA~|Symantec|S32EVNT!.DLL An installable Virtual Device Driver failed Dll initialization
Choose 'Close' to terminate the application

as well as a Windows Security Alert window asking me wether or not i want to unblock or keep blocking IE

the test seems to proceed as it should tho.

http://pcpitstop.com/pcpitstop/Summary.asp

I can manually post the results if you want.

Since I cant post the link you want I will wait to run the ComboFix.

Griffin175 · 2007-08-18, 03:53

Even in safe mode i cannot delete the Monopoly files...it gives me the exact error message as before.

2007-08-16, 01:01	#1
Griffin175 Junior Member Join Date: Feb 2006 Location: GA, USA Posts: 18	New Malware/Hijack? Poss Zlob. Ok, here is the Synopsis: Get message that windows has downloaded new updates that require reboot for changes to take effect. Seemed very legitamate. Once it rebooted I knew something was very wrong. The resolution on my monitor was horrible, and got a message in the icon tray saying that my settings had been changed click here to fix them....i never did. It would not allow me to change the settings manually. I immediatley ran SSD, I was perplexed when it gave me an Scan aborted by user message after only bout 30secs of scaning, b/c i never did abort the scan. Then ran a version of XoftSpy that picked up no threats. Once XoftSpy had finished its scan SSD then gave me a message on top of Scan Abort that it had finished and no threats were found. . Then had SSD run a one time run at check at start up and rebooted. It ran and detected no threats but this time when i tried to open a web page just got an error report from Windows that it could not open Explorer. In frustration I went to bed. Next day still have problems but internet now seems to work. Ran Kaspersky and F-Secure as instructed reports below. Then when I rebooted windows didnt seem to go into safe mode, just asked me to select a operating system, ran spybot again with no threats deteced. Reboot then HJT. Any help would be apprecitated. Logfile of HijackThis v1.99.1 Scan saved at 6:36:13 PM, on 8/15/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\bgsvcgen.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\UAService7.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\ezSP_Px.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\System32\hphmon05.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE D:\iTunesHelper.exe D:\Picasa2\PicasaMediaDetector.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\O1JD2IO9\HijackThis[1].exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.c F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=040405 serial=WS12WTX-9999998-UYR lang=EN O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe" O4 - HKLM\..\Run: [Picasa Media Detector] D:\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180/component/VZWDLManager.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {712362BF-E411-4F43-99D2-EB15F80AF1DB} (MsneDiag Class) - http://entimg.msn.com/client/msnediag3606.cab O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames...l.cab55579.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\ O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing) O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing) O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing) O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe Told me that post was too long so I have omitted Kaspersky and F-Secure report. Can follow up with if needed. I hope that covers it.

2007-08-17, 12:45	#2
pskelley In Memoriam -Always in our heart Join Date: Oct 2005 Location: Clearwater, Florida Posts: 20,558	Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288 All advice given is taken at your own risk. Please make sure you have read this information so we are on the same page. I am not sure if I can help you or not, but I am wiling to give it a try. First I need to tell you that HJT if showing nothing in the way of malware. I do see this: HJT needs a permanent folder to store HJT.exe, logs and backups for safety. You are running from a Temporary folder. I suggest going to your C:\ and RIGHT clicking on a blank spot then making a new folder called HJT. Move the HijackThis.exe into that folder. It will look like this: C:\HJT\HijackThis.exe. If you need more instructions than than, use these: http://russelltexas.com/malware/createhjtfolder.htm http://www.bleepingcomputer.com/forums/tutorial94.html Could you tell me why you believe it is Poss Zlob? Post any error message you are receiving "word for word" Post the Kaspersky (NOT f-Secure unless I ask) and break it into however may posts you need to get it done, it may provide clues. Because of the symptoms you describe, I fear the issue may not be malware. I would like to look at a free diagnostic report from here: http://www.pcpitstop.com/ Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp near the end of the tutorial are instructions for posting the link to the test results in bold red rpint. Recap: Post and new information you think will help, any error messages you receive, a link to the test results from the diagnostic report and the Kaspersaky scan results. Thanks __________________ MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006

2007-08-18, 00:52	#5
pskelley In Memoriam -Always in our heart Join Date: Oct 2005 Location: Clearwater, Florida Posts: 20,558	That link is not to your test results, click it to see. Please follow the instructions in the tutorial. Click the link yourself first to make sure it shows the test results. Thanks This is NOT your information but this is what the correct link will show me: http://www.pcpitstop.com/pcpitstop/S...RCHWQXT8VS6H6V __________________ MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006 Last edited by pskelley; 2007-08-18 at 01:29. Reason: post additional infomation.

2007-08-18, 01:32	#6
pskelley In Memoriam -Always in our heart Join Date: Oct 2005 Location: Clearwater, Florida Posts: 20,558	I can see some of your problems in the Kaspersky scan, you have an infected Java cache which you can clean with this information: http://support.f-secure.com/enu/home...avacache.shtml I believe you have an infected hosts file, please post ti so I can see: Start -> Run -> Copy the following to the box and hit enter: C:\WINDOWS\System32\drivers\etc\HOSTS A window opens, choose Notepad from the list and hit OK. A notepad document opens, copy the contents to here C:\WINDOWS\system32\csnoh.exe <<< delete C:\WINDOWS\system32\dmmps.exe <<< delete C:\WINDOWS\system32\dmzxy.exe <<< delete D:\HJT\backups\backup-20060212-190751-164.dll <<< delete that backup in HJT D:\Program Files\Monopoly3-dm.exe <<< delete that file, it is infected D:\Program Files\Monopoly3Setup-dm.exe <<< delete that file, it is infected Right click on MyComputer, then click on Properties. In the lower right hand corner of the System Properties Window will be the amount of RAM you have installed, post that information. Thanks __________________ MS-MVP Consumer Security 2007-08-09 Proud Member ASAP UNITE Member 2006

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

2007-08-18, 00:47	#3
Griffin175 Junior Member Join Date: Feb 2006 Location: GA, USA Posts: 18	Ok i will do the best i can....IE keeps giving me error messages that say it needs to close so i get to start all over frquently. The PC pitstop site isnt exactly as described in the tutorial so i hope this link is the one you want. http://www.pcpitstop.com/pcpitstop/S...conid=18457359 Ive put HJT in the D: drive since my C: drive is just about maxed out. That shouldnt be a prob should it? FYI. Since my hard drive is about full I have tried to free up space by deleting programs. I dont know if this has any relavence but i deleted old versions of JAVA in the remove/uninstall option in windows since it was hoggin memory. I also compressed the C: drive in an attempt to free up drive space, and I think it freed up a whopping 0.5 GB. what a waste. The reason that i thought it might be a Zlob is that this problem occured right after...and i will say it unlike most that post here...visiting "adult" web sites. After reading the post by tashi about what Zlobs are and how they infect, it was just my "gut" feeling. When I boot up and it goes to the desk top there is a icon that appears in the task bar tray that says the following: Display Settings Your computer screen resolution and color depth are currently set at a very low level. You can get a better picture by increasing these settings. To do this, click this ballon. I never have clicked that balloon. Once you open some program it goes away. Im just nervous about it after a run in with SpySherrif about 4 years ago with similar characteristics as this problem im having now. Also keep getting errors from IE and it keeps closing and wanting to send error reports. I have never had this problem before. It happened 5 times while trying to do PCPitstop. If there is any information that you need from these error messages and can post it.

2007-08-18, 00:49	#4
Griffin175 Junior Member Join Date: Feb 2006 Location: GA, USA Posts: 18	Kaspersky Report. I ran Kaspersky first then ran F-Secure that removed a few items. I dont know if it removed anything that Kaspersky turned up. ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Wednesday, August 15, 2007 12:11:01 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.93.0 Kaspersky Anti-Virus database last update: 15/08/2007 Kaspersky Anti-Virus database records: 381350 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 99152 Number of viruses found: 9 Number of infected objects: 19 Number of suspicious objects: 0 Duration of the scan process: 02:14:40 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\47485a30311d2bb7295d893464c8790e_e9165ebb-4906-446e-b11d-a2e00e860f2c Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak skipped C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip/VB.class Infected: Trojan.Java.ClassLoader.ak skipped C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah skipped C:\Documents and Settings\Josh\.jpi_cache\jar\1.0\archive1213.jar-21748203-1a4e503d.zip ZIP: infected - 3 skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132/Counter.class Infected: Trojan.Java.ClassLoader.i skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-5facb132 ZIP: infected - 3 skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip/Counter.class Infected: Trojan.Java.ClassLoader.i skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped C:\Documents and Settings\Josh\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-44f46a27-6729d970.zip ZIP: infected - 3 skipped C:\Documents and Settings\Josh\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Josh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Josh\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped C:\Documents and Settings\Josh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Josh\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Josh\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\csnoh.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped C:\WINDOWS\system32\dmmps.exe Infected: Trojan.Win32.Small.fb skipped C:\WINDOWS\system32\dmzxy.exe Infected: Trojan.Win32.Small.fb skipped C:\WINDOWS\system32\drivers\etc\hosts.20040417-212112.backup Infected: not-a-virus:AdWare.Win32.XmlMimeFilter.a skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\HJT\backups\backup-20060212-190751-164.dll Infected: not-a-virus:AdWare.Win32.Coupons.h skipped D:\Program Files\Monopoly3-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped D:\Program Files\Monopoly3Setup-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped Scan process completed.

2007-08-18, 02:20	#7
Griffin175 Junior Member Join Date: Feb 2006 Location: GA, USA Posts: 18	the tutorial wasnt like the actual website so I did my best http://pcpitstop.com/pcpitstop/Summa...conid=18457359 thats the link that is saved under my history in PCPitstop? and it matches what i see after clicking the link, so now what? I manually deleted all files and folders in the : C:\Documents and Settings\<user_name>\Application Data\Sun\Java\Deployment\cache\ Host file Results: 127.0.0.1 localhost # Start of entries inserted by Spybot - Search & Destroy # End of entries inserted by Spybot - Search & Destroy 127.0.0.1 localhost I deleted the files that you asked me to although they were listed as *.0xe. As for the Monopoly3-dm.exe and the Monopoly3Setup-dm.exe it wont let me delete them. It gives me this message: Error deleting file or folder X cannot delte "file name": It is being used by another person or program. Close any programs that might be using the file and try again. I have tried to delete these files before with the same results. 760 MB or RAM.

2007-08-18, 03:40	#9
Griffin175 Junior Member Join Date: Feb 2006 Location: GA, USA Posts: 18	Ok, I understand what your looking for, I guess I just dont know how to give it to you. When I am looking at the page that you describe I copy the address in the IE address bar and paste it. This link here gives me the exact screen your looking for: http://pcpitstop.com/pcpitstop/Summa...conid=18457359 Exactly how do you register for free tests? This should be easier than I am making it. http://pcpitstop.com/pcpitstop/summary.asp When I try to run the Test I get this error message at the start: 16 bit MS-DOS Subsystem C:\WINDOWS\system32\pcbios.exe C:PROGRA~\|Symantec\|S32EVNT!.DLL An installable Virtual Device Driver failed Dll initialization Choose 'Close' to terminate the application as well as a Windows Security Alert window asking me wether or not i want to unblock or keep blocking IE the test seems to proceed as it should tho. http://pcpitstop.com/pcpitstop/Summary.asp I can manually post the results if you want. Since I cant post the link you want I will wait to run the ComboFix.

2007-08-18, 03:53	#10
Griffin175 Junior Member Join Date: Feb 2006 Location: GA, USA Posts: 18	Even in safe mode i cannot delete the Monopoly files...it gives me the exact error message as before.