Zlob trouble. VirusHeat - Safer-Networking Forums

Mick1970 · 2008-02-13, 08:29

Icon on my task bar says sends me to bogus antispyware site called VirusHeat. I'm new at this can you help?
Ran Spybot it took out most of it but got a "Failed to load C:\program Files\spybot-Search_Destroy\DelZip179.dll
and
Unexpected Error in fixing Problems (out of Memory)
File that it got stuck on was SBI $9D72FC95)Data C:Program Files\Video Add-on\ot.ico I couldn't read my own handwritting so I am unsure if the SVI file ends with FC95) or F(C95)
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 12, 2008 9:28:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/02/2008
Kaspersky Anti-Virus database records: 560524
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 132057
Number of viruses found: 10
Number of infected objects: 13
Number of suspicious objects: 2
Duration of the scan process: 02:30:40
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{CE34CBCB-5D99-49E7-80E0-59F745CCC482}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d2b05364ca7ef75c09979db2df11c104_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip/laf1.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Jimmy Mick\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Jimmy Mick\Local Settings\Application Data\ApplicationHistory\Spiralfrog.exe.6f996b7a.ini.inuse Object is locked skipped
C:\Documents and Settings\Jimmy Mick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jimmy Mick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jimmy Mick\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Jimmy Mick\Local Settings\Temp\~DFE423.tmp Object is locked skipped
C:\Documents and Settings\Jimmy Mick\Local Settings\Temp\~DFE448.tmp Object is locked skipped
C:\Documents and Settings\Jimmy Mick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy Mick\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jimmy Mick\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Helper\1202562179.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped
C:\Program Files\Sotfone\1202562183.dll Infected: not-a-virus:AdWare.Win32.BHO.zc skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056832.dll Infected: Trojan-Downloader.Win32.Zlob.hkz skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056843.exe Infected: not-virus:Hoax.Win32.Renos.avf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056846.exe Infected: Trojan-Downloader.Win32.Zlob.hlb skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056847.exe Infected: Trojan-Downloader.Win32.Zlob.hlq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056854.EXE Infected: not-a-virus:AdWare.Win32.Background skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057410.exe Infected: not-a-virus:FraudTool.Win32.SpyHeal.i skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057862.exe Infected: not-virus:Hoax.Win32.Renos.avf skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057865.exe Infected: Trojan-Downloader.Win32.Zlob.hlb skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057866.dll Infected: Trojan-Downloader.Win32.Zlob.hkz skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057867.exe Infected: Trojan-Downloader.Win32.Zlob.hlq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP298\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wuuawkz.dll Infected: Trojan-Downloader.Win32.Bojo.ai skipped
C:\WINDOWS\Temp\mcafee_ecpAdaBwGLXZxqT Object is locked skipped
C:\WINDOWS\Temp\mcmsc_77L2ccFbxphjYSa Object is locked skipped
C:\WINDOWS\Temp\mcmsc_esbIl42Jt8qAN6u Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

I ran out of room and will post Hijackthis long on next page.

Mick1970 · 2008-02-13, 08:31

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:27 AM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpiralFrog\Spiralfrog.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: Sotfone Tracker Class - {10C52A42-DB8B-4ade-AA4A-CED6A8282B67} - C:\Program Files\Sotfone\1202562183.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B862223} - C:\Program Files\Helper\1202562179.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL
O3 - Toolbar: IE Custom Tools - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186908422609
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/...ionControl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\wuuawkz.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
End of file - 15066 bytes

**ken545** · 2008-02-16, 12:11

Hello Mick1970

Welcome to Safer Networking.

Please read Before YouPost
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Your infected with the Zlob family of trojans, look at the entries I am going to have you remove with HJT....babenet is where you most likely got hit.

Disable the TeaTimer, you can re enable it when were done if you wish

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

F3 - REG:win.ini: load=
F3 - REG:win.ini: run=

O2 - BHO: Sotfone Tracker Class - {10C52A42-DB8B-4ade-AA4A-CED6A8282B67} - C:\Program Files\Sotfone\1202562183.dll
O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B862223} - C:\Program Files\Helper\1202562179.dll

O3 - Toolbar: IE Custom Tools - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)
09 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing)

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\wuuawkz.dll

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Download and install AVG Anti-Spyware Free to your desktop.

Once you have downloaded AVG Anti-Spyware Free , locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run Ewido and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found
Close AVG Anti-Spyware Free <-- Do not run the scan yet.

Boot your computer into Safemode

Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
make sure to remember where you saved that file, this is important
Close AVG Anti-Spyware Free

IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process:

Reboot normally.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Please download ATF Cleaner by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

Download the HostsXpert 4.2.0.0. - Hosts File Manager.

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Post the log from Smitfraud fix, the AVG Spyware log and a New HJT log please

Mick1970 · 2008-02-17, 16:48

Icon is still there, must have mutated or something here are my logs.

**ken545** · 2008-02-17, 17:00

Your HJT log looks fine, did you move your hosts file??
O1 - Hosts file is located at: C:\WINDOWS\help\hosts

Please download SuperAntiSpyware
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:

Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log

It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Mick1970 · 2008-02-18, 07:45

I think it has been taken care of. I may want you to explain the host file thing for me again. I didn't understand the part where you said to create a file such as c:\hostsXpert. What I did was create it and placed it on my desktop and ran it from there is that ok? Otherwise It looks like the pop-ups are gone. Thank you thank you thank you!!!
Here are my Logs.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/18/2008 at 00:04 AM

Application Version : 3.9.1008

Core Rules Database Version : 3404
Trace Rules Database Version: 1396

Scan type : Complete Scan
Total Scan Time : 01:20:37

Memory items scanned : 413
Memory threats detected : 0
Registry items scanned : 7129
Registry threats detected : 6
File items scanned : 58108
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@specificclick[2].txt
C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@e-2dj6wjl4kiczedo.stats.esomniture[2].txt
C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@adopt.specificclick[1].txt
C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@ad.yieldmanager[3].txt
C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@ad.yieldmanager[2].txt
C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@msnportal.112.2o7[1].txt
C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@specificclick[1].txt

Adware.WhenU
HKCR\WUSN.1
HKCR\WUSN.1#WUSN_Id

Trojan.DNSChanger-Codec
HKCR\CLSID\E404.e404mgr
HKCR\CLSID\E404.e404mgr#UserId

Adware.E404 Helper/Tracker
HKCR\CLSID\Tracker.TrackerObj
HKCR\CLSID\Tracker.TrackerObj#UserId

Trojan.Media-Codec/V4
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056844.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057863.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP298\A0058075.DLL
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:36:20 AM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SpiralFrog\Spiralfrog.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts file is located at: C:\WINDOWS\help\hosts
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186908422609
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/...ionControl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

--
End of file - 11947 bytes

**ken545** · 2008-02-18, 11:30

Good Morning Mick,

This is where your hosts file belongs
C\Windows\system32\drivers\etc<-- Take a peek and make sure the hosts files are present, I will explain this to you in my next post. Let me know if they are not present.

This is where it has been moved most likely by malware
C:\Windows\Help\hosts

Then run Hosts eXpert to get it back to normal

Did you set this??
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com

Failed to load C:\program Files\spybot-Search_Destroy\DelZip179.dll <-- Are you still getting this error? If so upgrading to Spybot Search and Destroy version 1.5.2 will fix it
http://www.safer-networking.org/en/download/index.html

**ken545** · 2008-02-18, 18:54

Mick,

C:\Windows\Help\hosts <-- Right click on this and open with Notepad and copy and paste the entire log into this thread.

C\Windows\system32\drivers\etc<-- Take a peek inside etc and make sure the hosts files are present, I will explain this to you in my next post. Let me know if they are not present.

Mick1970 · 2008-02-19, 05:47

Bear with me, I will do as you instruct tomorrow night as I will be in hospital tonight with my daughter. (observation)

**ken545** · 2008-02-19, 10:38

Not a problem Mick, hope things are well. Take all the time you need.

Ken

2008-02-13, 08:29	#1
Mick1970 Junior Member Join Date: Feb 2008 Location: Wis Posts: 25	Zlob trouble. VirusHeat Icon on my task bar says sends me to bogus antispyware site called VirusHeat. I'm new at this can you help? Ran Spybot it took out most of it but got a "Failed to load C:\program Files\spybot-Search_Destroy\DelZip179.dll and Unexpected Error in fixing Problems (out of Memory) File that it got stuck on was SBI $9D72FC95)Data C:Program Files\Video Add-on\ot.ico I couldn't read my own handwritting so I am unsure if the SVI file ends with FC95) or F(C95) KASPERSKY ONLINE SCANNER REPORT Tuesday, February 12, 2008 9:28:31 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 12/02/2008 Kaspersky Anti-Virus database records: 560524 Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 132057 Number of viruses found: 10 Number of infected objects: 13 Number of suspicious objects: 2 Duration of the scan process: 02:30:40 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{CE34CBCB-5D99-49E7-80E0-59F745CCC482}.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d2b05364ca7ef75c09979db2df11c104_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip/laf1.exe Suspicious: Password-protected-EXE skipped C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinRenos.zip ZIP: suspicious - 1 skipped C:\Documents and Settings\Jimmy Mick\Cookies\INDEX.DAT Object is locked skipped C:\Documents and Settings\Jimmy Mick\Local Settings\Application Data\ApplicationHistory\Spiralfrog.exe.6f996b7a.ini.inuse Object is locked skipped C:\Documents and Settings\Jimmy Mick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Jimmy Mick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Jimmy Mick\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\Jimmy Mick\Local Settings\Temp\~DFE423.tmp Object is locked skipped C:\Documents and Settings\Jimmy Mick\Local Settings\Temp\~DFE448.tmp Object is locked skipped C:\Documents and Settings\Jimmy Mick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jimmy Mick\ntuser.dat Object is locked skipped C:\Documents and Settings\Jimmy Mick\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Helper\1202562179.dll Infected: not-a-virus:AdWare.Win32.E404.f skipped C:\Program Files\Sotfone\1202562183.dll Infected: not-a-virus:AdWare.Win32.BHO.zc skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056832.dll Infected: Trojan-Downloader.Win32.Zlob.hkz skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056843.exe Infected: not-virus:Hoax.Win32.Renos.avf skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056846.exe Infected: Trojan-Downloader.Win32.Zlob.hlb skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056847.exe Infected: Trojan-Downloader.Win32.Zlob.hlq skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056854.EXE Infected: not-a-virus:AdWare.Win32.Background skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057410.exe Infected: not-a-virus:FraudTool.Win32.SpyHeal.i skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057862.exe Infected: not-virus:Hoax.Win32.Renos.avf skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057865.exe Infected: Trojan-Downloader.Win32.Zlob.hlb skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057866.dll Infected: Trojan-Downloader.Win32.Zlob.hkz skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057867.exe Infected: Trojan-Downloader.Win32.Zlob.hlq skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP298\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\wuuawkz.dll Infected: Trojan-Downloader.Win32.Bojo.ai skipped C:\WINDOWS\Temp\mcafee_ecpAdaBwGLXZxqT Object is locked skipped C:\WINDOWS\Temp\mcmsc_77L2ccFbxphjYSa Object is locked skipped C:\WINDOWS\Temp\mcmsc_esbIl42Jt8qAN6u Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. I ran out of room and will post Hijackthis long on next page.

2008-02-17, 17:00	#5
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Your HJT log looks fine, did you move your hosts file?? O1 - Hosts file is located at: C:\WINDOWS\help\hosts Please download SuperAntiSpyware Install the program Run SuperAntiSpyware and click: Check for updates Once the update is finished, on the main screen, click: Scan your computer Check: Perform Complete Scan Click Next to start the scan. Superantispyware scans the computer, and when finished, lists all the infections found. Make sure everything found has a check next to it, and press: Next Then, click Finish It is possible that the program asks to reboot in order to delete some files. Obtain the SuperAntiSpyware log as follows: Click: Preferences Click the Statistics/Logs tab Under Scanner Logs, double-click SuperAntiSpyware Scan Log It opens in your default text editor (such as Notepad) Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log. __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

2008-02-18, 07:45	#6
Mick1970 Junior Member Join Date: Feb 2008 Location: Wis Posts: 25	I think its gone. I think it has been taken care of. I may want you to explain the host file thing for me again. I didn't understand the part where you said to create a file such as c:\hostsXpert. What I did was create it and placed it on my desktop and ran it from there is that ok? Otherwise It looks like the pop-ups are gone. Thank you thank you thank you!!! Here are my Logs. SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 02/18/2008 at 00:04 AM Application Version : 3.9.1008 Core Rules Database Version : 3404 Trace Rules Database Version: 1396 Scan type : Complete Scan Total Scan Time : 01:20:37 Memory items scanned : 413 Memory threats detected : 0 Registry items scanned : 7129 Registry threats detected : 6 File items scanned : 58108 File threats detected : 10 Adware.Tracking Cookie C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@specificclick[2].txt C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@e-2dj6wjl4kiczedo.stats.esomniture[2].txt C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@adopt.specificclick[1].txt C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@ad.yieldmanager[3].txt C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@ad.yieldmanager[2].txt C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@msnportal.112.2o7[1].txt C:\Documents and Settings\Jimmy Mick\Cookies\jimmy_mick@specificclick[1].txt Adware.WhenU HKCR\WUSN.1 HKCR\WUSN.1#WUSN_Id Trojan.DNSChanger-Codec HKCR\CLSID\E404.e404mgr HKCR\CLSID\E404.e404mgr#UserId Adware.E404 Helper/Tracker HKCR\CLSID\Tracker.TrackerObj HKCR\CLSID\Tracker.TrackerObj#UserId Trojan.Media-Codec/V4 C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0056844.DLL C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP295\A0057863.DLL C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP298\A0058075.DLL Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:36:20 AM, on 2/18/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\SpiralFrog\Spiralfrog.exe C:\WINDOWS\system32\PnkBstrB.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\SYSTEM32\tbctray.exe C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O1 - Hosts file is located at: C:\WINDOWS\help\hosts O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - (no file) O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file) O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186908422609 O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/...ionControl.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38 O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38 O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- End of file - 11947 bytes

2008-02-18, 11:30	#7
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Good Morning Mick, This is where your hosts file belongs C\Windows\system32\drivers\etc<-- Take a peek and make sure the hosts files are present, I will explain this to you in my next post. Let me know if they are not present. This is where it has been moved most likely by malware C:\Windows\Help\hosts Then run Hosts eXpert to get it back to normal Did you set this?? O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com Failed to load C:\program Files\spybot-Search_Destroy\DelZip179.dll <-- Are you still getting this error? If so upgrading to Spybot Search and Destroy version 1.5.2 will fix it http://www.safer-networking.org/en/download/index.html __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue Last edited by ken545; 2008-02-18 at 13:25.

2008-02-18, 18:54	#8
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Mick, C:\Windows\Help\hosts <-- Right click on this and open with Notepad and copy and paste the entire log into this thread. C\Windows\system32\drivers\etc<-- Take a peek inside etc and make sure the hosts files are present, I will explain this to you in my next post. Let me know if they are not present. __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

2008-02-13, 08:31	#2
Mick1970 Junior Member Join Date: Feb 2008 Location: Wis Posts: 25	Logfile for hijackThis Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:52:27 AM, on 2/13/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\BCMSMMSG.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SpiralFrog\Spiralfrog.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\SiteAdvisor\6253\SiteAdv.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\SYSTEM32\tbctray.exe C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\system32\PnkBstrB.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\SiteAdvisor\6253\SAService.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll F3 - REG:win.ini: load= F3 - REG:win.ini: run= O1 - Hosts file is located at: C:\WINDOWS\help\hosts O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O2 - BHO: Sotfone Tracker Class - {10C52A42-DB8B-4ade-AA4A-CED6A8282B67} - C:\Program Files\Sotfone\1202562183.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - (no file) O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B862223} - C:\Program Files\Helper\1202562179.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: YELLOWPAGES.com Toolbar - {4E7BD74F-2B8D-469E-85A6-FD7CA39AB631} - C:\PROGRA~1\YELLOW~1\YELLOW~1.DLL O3 - Toolbar: IE Custom Tools - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\Video Add-on\ictmdl.dll (file missing) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe O4 - HKCU\..\Run: [Road Runner PhotoShow Media Manager] C:\PROGRA~1\ROADRU~1\ROADRU~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~2\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user') O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing) O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing) O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream1000.babenet.com/cabs/videox.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186908422609 O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/...ionControl.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38 O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38 O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38 O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\wuuawkz.dll O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe End of file - 15066 bytes

2008-02-16, 12:11	#3
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Hello Mick1970 Welcome to Safer Networking. Please read Before YouPost That said, All advice given by anyone volunteering here, is taken at own risk. While best efforts are made to assist in removing infections safely, unexpected stuff can happen. Your infected with the Zlob family of trojans, look at the entries I am going to have you remove with HJT....babenet is where you most likely got hit. Disable the TeaTimer, you can re enable it when were done if you wish Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select "Advanced Mode" On the left hand side, Click on Tools Then click on the Resident Icon in the List Uncheck "Resident TeaTimer" and OK any prompts. Restart your computer.<--You need to do this for it to take effect Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked. F3 - REG:win.ini: load= F3 - REG:win.ini: run= O2 - BHO: Sotfone Tracker Class - {10C52A42-DB8B-4ade-AA4A-CED6A8282B67} - C:\Program Files\Sotfone\1202562183.dll O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - (no file) O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-ABCD-7DD20B862223} - C:\Program Files\Helper\1202562179.dll O3 - Toolbar: IE Custom Tools - {81705D67-3F73-4983-859B-97D0922E5ABE} - C:\Program Files\Video Add-on\ictmdl.dll (file missing) O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing) 09 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.freeietool.com/redirect.php (file missing) O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream1000.babenet.com/cabs/videox.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O22 - SharedTaskScheduler: didact - {747e1fbe-b70f-441d-bbca-6e536c04924a} - C:\WINDOWS\system32\wuuawkz.dll You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Download SmitfraudFix Extract the content (a folder named SmitfraudFix) to your Desktop. Download and install AVG Anti-Spyware Free to your desktop. Once you have downloaded AVG Anti-Spyware Free , locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete you will need run Ewido and update the definition files. On the main screen select the icon Update then select the Update now link. Next select the Start Update button, the update will start and a progress bar will show the updates being installed. Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab. Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this Under Reports Select Automatically generate report after every scan Un-Select Only if threats were found Close AVG Anti-Spyware Free <-- Do not run the scan yet. Boot your computer into Safemode Go to Start> Shut Off your Computer> Restart As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly. This will bring up a menu. Use the Up and Down Arrow Keys to scroll up to Safemode Then press the Enter on your Keyboard Tutorial if you need it How to boot into Safemode Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log. The report can also be found at the root of the system drive, usually at C:\rapport.txt Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan. AVG will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select Apply all actions Next select the Reports icon at the top. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system make sure to remember where you saved that file, this is important Close AVG Anti-Spyware Free IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process: Reboot normally. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #3 - Delete Trusted zone by typing 3 and press Enter Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter. Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection. Please download ATF Cleaner by Atribune to your desktop. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up Download the HostsXpert 4.2.0.0. - Hosts File Manager. Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home Click "Make Hosts Writable?" in the upper right corner (If available). Click Restore Microsoft's Hosts file and then click OK. Click the X to exit the program. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself. Post the log from Smitfraud fix, the AVG Spyware log and a New HJT log please __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

2008-02-19, 05:47	#9
Mick1970 Junior Member Join Date: Feb 2008 Location: Wis Posts: 25	Working Bear with me, I will do as you instruct tomorrow night as I will be in hospital tonight with my daughter. (observation)

2008-02-19, 10:38	#10
ken545 Security Expert Join Date: Nov 2005 Location: Darien, CT Posts: 8,297	Not a problem Mick, hope things are well. Take all the time you need. Ken __________________ Microsoft MVP Consumer Security 2007-2008-2009 ERROR MESSAGE 386 No KeyBoard Detected Press F1 To Continue

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode