Desktop icons are now 666



redice
2007-01-08, 22:57
Hello. I would be very grateful for some advice. Having looked through some of the other threads I must say you guys are an amazingly helpful group.

A portion of the desktop icons on my computer have been renamed 666 with a number in brackets behind the 666. The icons themselves are unchanged, i.e. the recycle bin picture looks the same etc.

The arrangement is as below with (8) being the top left icon on the screen. Interestingly, the Internet Explorer icon is the one without a number which the numbers seem to be arranged around.

666 (8) 666 (13) 666 (18) 666 (3)

666 (9) 666 (14) 666 (19) 666 (4)

666 (10) 666 (15) 666 ( ) 666 (5)

666 (11) 666 (16) 666 (1) 666 (6)

666 (12) 666 (17) 666 (2) 666 (7)

The icons below and to the right of the renamed icons are unchanged.

I have McAfee running and regularly use SpyBot and Lavasoft AdAware. Since noticing the changed icon names I have run AVG Anti-Spyware 7.5, Kaspersky on-line scan, SpySweeper and a-squared. These only found cookies and minor adware.

However, SpyNoMore and SpyHunter (are they reliable?) both found Zlob.trojan and NetNucleus under: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\
with Zlob being dvdaccess.net, MovieCodec.net, playercodec.net, Tvcodec.com, videosaccess.net and zcodec.com

I tried SmitfraudFix which didn't seem to find anything. If I had Zlob would SmitfraudFix, SpyBot etc not have found it? Any idea what might be causing the renamed 666 desktop icons? My internet and computer seem to be OK, but slow (maybe from all the anti spy software I have been using:)).

I am happy to post a HJT log as per your instructions if it is helpful.

pskelley
2007-01-10, 17:06
Welcome to the forum, and I appreciate the feedback you have provided. I can not proceed, however, without more information, which will be provided if you follow these instructions:

UPDATED WINDOWS - Your first line of defence, links and tips
http://forums.spybot.info/showthread.php?t=425

"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288

Use "Post Reply" to post the information in the instructions and stay in the same topic.

Thanks

redice
2007-01-11, 21:47
Thanks for replying and for your time.

Something must have infected my computer to cause the desktop icons names to change to 666, but none of the scans find a problem.

I keep windows regularly updated, use McAfee as anti virus and regularly run updated Spybot and Lavasoft AdAware.

I have run an online scan with BitDefender which came back negative, in addition to the scans mentioned in my original post.

I realise that I probably have too many virus/spyware protections running at the moment.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:21:48, on 11/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.virgin.net/ie/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mbl.is/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.systemaxpc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mbl.is"); (C:\Documents and Settings\27 Darnell Road\Application Data\Mozilla\Profiles\default\a6k46ovo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\27 Darnell Road\Application Data\Mozilla\Profiles\default\a6k46ovo.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Download &All by FD - fdiectx2.htm
O8 - Extra context menu item: Download with &FD - fdiectx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software/instantsupport/tool/files/MotivePreQual.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

pskelley
2007-01-11, 23:02
Nothing showing in this HJT log. I have no idea what is causing this and have not encountered it before. Some of the names you mention sound like a Smitfraud infection. Let's do this for starters.

1) Look here, you may spot something that will help you:
http://www.onecomputerguy.com/desktop.htm

2) Click Start, and then click Control Panel.
Double-click Display, click the Desktop tab, and then click Customize Desktop. Select Restore Defaults

3) http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
If you still have this program, delete it and download the newest version before running it.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

4) Use the instructions in this link and post the scan results; you have the program, so just run it as described in this link:
http://forums.security-central.us/showthread.php?t=3165
Post the scan results and the report from Smitfraudfix. Let me know if either of the first two helped, and add any information you think will help.

Thanks

redice
2007-01-11, 23:59
Here is the SmitfraudFix log. I will run and post the AVG scan next.

What do you think of the SpyHunter and SpyNoMore positive results indicating a Zlob.trojan infection that I mentioned in my first post? Are they reliable and would the other scans not recognise Zlob? (which by the way does not seem to be in McAfee's database!)


SmitFraudFix v2.132

Scan done at 22:51:05.43, 11/01/2007
Run from C:\Documents and Settings\27 Darnell Road\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\27 Darnell Road


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\27 Darnell Road\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\27DARN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-01-12, 01:05
Here is the standard we check programs against if it helps:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Here is a review on Spyhunter, it is NOT on the rogue product list.
http://anti-spyware-review.toptenreviews.com/spyhunter-review.html

SpyNoMore used to be on the rogue list, but has been removed, so it is considered safe.
I do not use either of them so I can't tell you much more.

I have been searching Google for anyone else with this occurring and not finding anything. Can you tell me if this occurred after you ran Smitfraud fix, and did you run the clean function? I am aware that Desktop problems can occur if it is run on a computer that does NOT have the infection.
The "Search" located none of the infection and since I use this tool for almost all Smitfraud infections, I would say either you removed it earlier with another tool or when you ran the fix earlier? That's if it was there?

Have you tried renaming these icons? Right click your mouse and choose rename, name them back to what they were and see what happens.


which by the way does not seem to be in McAfee's database!)
Seems every antivirus program likes to use its own names for each infection. We who remove malware would like to see this standardized, but as long as big $$$ is involved, this is not likely to happen.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99
http://www.spywareremove.com/removeZlob.html
http://www.f-secure.com/v-descs/zlob_cy.shtml
http://www.spynomore.com/trojan-zlob.htm

Read the information posted at Safer here:
http://forums.spybot.info/showthread.php?t=4015

We generally call it Smitfraud because the attempt to extort $$ for useless spyware programs to remove an infection put there by the installer is surely fraud.
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=Smitfraud

I will wait for a look at the AVG scan and appreciate any feedback you have. If that scan is clean we can run a scan or two looking for a hidden rootkit infection. Would you mention any other symptoms besides the issue with the names of the Desktop icons.

Thanks

redice
2007-01-12, 09:07
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 07:59:15 12/01/2007

+ Scan result:



:mozilla.19:C:\Documents and Settings\27 Darnell Road\Application Data\Mozilla\Profiles\default\a6k46ovo.slt\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.270:C:\Documents and Settings\27 Darnell Road\Application Data\Mozilla\Profiles\default\a6k46ovo.slt\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\27 Darnell Road\Cookies\27 darnell road@searchportal.information[2].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\27 Darnell Road\Cookies\27_darnell_road@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\27 Darnell Road\Cookies\27_darnell_road@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.


::Report end

redice
2007-01-12, 09:21
Hi.

I ran SmitfraudFix after the icons had changed. The previous scan did not find anything, despite SpyHunter and SpyNoMore indicating Zlob. Are they likely to be false positives? They don't allow you to do anything with the scan results unless you pay them!

Interestingly, Spybot recognises SpyHunter as Malware.

I can rename the icons and I am not particularly worried about the icons themselves, more that this might be a symptom of something more sinister. My main worry would be a keylogger type infection, but they would hardly "advertise" this by changing my desktop though?

I will post more later.

redice
2007-01-12, 11:57
By the way, in the last post, when I said that "the previous scan did not find anything", I meant SmitfraudFix which I ran after noticing the icons changing.

Symptom wise, my computer is slower, but I think that may be due to all the anti spyware stuff that I have downloaded. I have noticed that my desktop often refreshes when I close programs down, but this has been happening for a while I think.

pskelley
2007-01-12, 12:20
I meant SmitfraudFix which I ran after noticing the icons changing
Yes, I understand this, that is why I told you the creator of the fix has specifically instructed us NOT to run the fix on a computer that is NOT infected. It can damage the Desktop, which may be what has happened in your case. You may have to reinstall the Operating System to fix the problem, I am just not sure. Unless I see an indication in the HJT log that Smitfraud is present, I always run the "Search" part first to establish the presence of the infection because of the warning by S!Ri.

The AVG Anti-Spyware shows nothing but a few cookies, but you did not delete them, shows: No action taken???

Interestingly, Spybot recognises SpyHunter as Malware.
May be a false positive, Spybot is not perfect, just one of the best tools we have for the price. I personally would have neither program you asked about on any of my computers.

I will post some links from experts and a little feedback myself on what I see running before we finish as well as links to information that may speed your computer. Before we do that, let's have a look for a possible hidden rootkit like this:

http://www.f-secure.com/blacklight/

Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder on the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

Please DO NOT try to fix anything, most of what is shown in the log is valid.

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

Include a new HJT log with the Blacklight log. If Blacklight shows nothing, I will take a look at the log for stuff other than malware that can cause you issues.

Thanks

redice
2007-01-12, 13:44
Thanks again for your time and help.:)


It can damage the Desktop, which may be what has happened in your case.
The icons had definitely changed before I ran SmitfraudFix. I did notice a warning about the desktop background changing if run on a non-infected computer, but this doesn't seem to have happened in my case.



The AVG Anti-Spyware shows nothing but a few cookies, but you did not delete them, shows: No action taken???
Sorry, I forgot to delete them, but will re-run the scan and delete them later.



May be a false positive, Spybot is not perfect, just one of the best tools we have for the price. I personally would have neither program you asked about on any of my computers.
I think Spybot is great :), which is why I use it as my main anti spyware program. I wonder whether its recognition of SpyHunter may have something to do with SpyHunter having a dodgy past (was on an "avoid list" a while back I think, due to false positives).

I will not get back to my own computer for the next 8 hours, but will run the checks you have advised when I do.

If I genuinely had a Zlob infection, do you think SpyHunter and SpyNoMore could find it and scans like Spybot, AVG, SpySweeper, McAfee, BitDefender, Kaspersky would all fail? SpyHunter and SpyNoMore won't let me copy or save their scan result, but would it help if I typed out where they found Zlob, like I did in my first post?

However, SpyNoMore and SpyHunter (are they reliable?) both found Zlob.trojan and NetNucleus under: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\
with Zlob being dvdaccess.net, MovieCodec.net, playercodec.net, Tvcodec.com, videosaccess.net and zcodec.com
Do these look like genuine findings, or are they maybe false positives in order to "dupe" me into purchasing SpyHunter or SpyNoMore? The fact that they have both previously been on "avoid lists" makes one wonder.

Is there a way I can manually check the HKEY_CURRENT_USER... to see whether those files are really there?

pskelley
2007-01-12, 14:09
I can not tell you any more than Google can about those programs, having never used them. I can agree with you that some spyware programs do create false positives to goad a purchase. I suppose this is still better than the ones who use "fraud" as a tool.

http://support.microsoft.com/kb/256986
Start > Run > type "regedit" without the quotes, then OK.
DO NOTHING in your registry without backing it up first.

Thanks

redice
2007-01-13, 01:09
Blacklight log

01/12/07 23:22:26 [Info]: BlackLight Engine 1.0.55 initialized
01/12/07 23:22:26 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/12/07 23:22:26 [Note]: 7019 4
01/12/07 23:22:26 [Note]: 7005 0
01/12/07 23:22:27 [Note]: 7006 0
01/12/07 23:22:27 [Note]: 7011 1676
01/12/07 23:22:28 [Note]: 7026 0
01/12/07 23:22:28 [Note]: 7026 0
01/12/07 23:22:31 [Note]: FSRAW library version 1.7.1021
01/12/07 23:28:31 [Note]: 2000 1012
01/12/07 23:28:31 [Note]: 2000 1012


Logfile of HijackThis v1.99.1
Scan saved at 00:06:45, on 13/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.virgin.net/ie/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mbl.is/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.systemaxpc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mbl.is"); (C:\Documents and Settings\27 Darnell Road\Application Data\Mozilla\Profiles\default\a6k46ovo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\27 Darnell Road\Application Data\Mozilla\Profiles\default\a6k46ovo.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\HarmonyClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: Download &All by FD - fdiectx2.htm
O8 - Extra context menu item: Download with &FD - fdiectx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software/instantsupport/tool/files/MotivePreQual.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

redice
2007-01-13, 01:28
Is there a way I can manually check the HKEY_CURRENT_USER... to see whether those files are really there?

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\
with Zlob being dvdaccess.net, MovieCodec.net, playercodec.net, Tvcodec.com, videosaccess.net and zcodec.com
Checked regedit and the files above are there! Now, is it safe to attempt to remove them after first backing up the registry? What do you think I should do?

pskelley
2007-01-13, 03:22
Blacklight scanned clean, HijackThis appears to be clean of malware. I am at a loss to explain those registry entries. I do know Smitfraudfix works best when it is run first, before other programs remove parts of the infection, making it difficult for Smitfraudfix (which also removes the registry entries) to do its job. If you feel comfortable editing your registry, understand that if you have a backup and there is a problem, clicking on the backup will return the registry to the point where you started.

http://support.microsoft.com/kb/322756
http://www.theeldergeek.com/windows_xp_registry.htm

I am going to suggest a registry editor that will be easier for you to understand and use. If you wish to proceed with this, here are the instructions for backing up:

Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

The tool to use: http://www.hoverdesk.net/freeware.htm

and the instructions for using it: Download RegSeeker. Extract it to its own folder, open it and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in the lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot when done.

Thanks

redice
2007-01-17, 00:13
Hello again.

Been looking through my registry with RegSeeker. Found lots and lots of stuff.

Up to 10 different versions of each of these:
(e.g.)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download10.spywarequake.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\download4.spyaxe.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyfalcon.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\www.spycontra.com

With many many more SpyThis.com and SpyThat.com

Lots and lots of versions of codec from Zlob (probably >30 different versions):
(e.g.)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\svideocodec.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vaxcodec.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vcodec.com

Also Crypto, Protect and CryptnetUrlCache folders under Application data, which is apparently also a feature of Zlob. Deleted these.

Lots of Winfixer, Winantivirus stuff also under ZoneMap\Domains.

I have used RegSeeker to delete the Zlob codecs and Winfixer and SpyHunter and SpyNoMore no longer find those problems. Not noticed any problems on rebooting.

What does this Registry key do? HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\...?

Is it safe to just delete everything in that Registry key that looks dodgy? They just look like website addresses, almost like the history tab on a browser.

I wonder why nothing showed up on any of the other scans (except SpyHunter and SpyNoMore)? Could it be that the actual active Zlob.Trojan has been cleaned in the past without me noticing and the stuff I am finding now are just "dead" remnants? Doesn't explain the 666 renaming of my desktop icons though.

pskelley
2007-01-17, 02:06
Let me first say working in the registry is not my strongest suit. That is why I gave you this tool and made sure you knew to back yourself up if you had a problem. Tools that remove malware often leave fragments in the registry, but usually when the program is removed the registry entries are benign. I would say to remove what you are sure of; the tool is free and it is not going away. Then allow the backup to sit on the Desktop for a week or so to make sure everything is functioning properly. Then you can delete the backup. Be careful to right click and delete; a double click would return it to your computer and you would be back where you started. Now if you want to talk about individual items you are not sure of, you can back up individual registry items. That is explained in these links:
http://www.theeldergeek.com/windows_xp_registry.htm
and this link: http://support.microsoft.com/kb/322756


I wonder why nothing showed up on any of the other scans (except SpyHunter and SpyNoMore)? Could it be that the actual active Zlob.Trojan has been cleaned in the past without me noticing and the stuff I am finding now are just "dead" remnants? Doesn't explain the 666 renaming of my desktop icons though.
The answer is yes, you may have run a program that cleaned some of the junk and left registry entries behind. Spybot will often locate these dead entries and be unable to remove them. It requires a regedit. I still have no idea why the Desktop icons were named like that; that is the first time I have heard of that.

Thanks

redice
2007-01-17, 23:20
What does this Registry key do? HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\...?
Aha!

I've been playing around with the registry and Spybot and have made a discovery!

All that SpyThis and SpyThat stuff which is in that registry key is from Spybot's Immunizing database.

http://support.microsoft.com/kb/182569

Spybot sets the DWORD values in the registry to protect us from all those dodgy sites. And SpyHunter and SpyNoMore are indeed finding false positives, because all they are finding is stuff put in the registry by spybot to protect the computer.

Still doesn't explain the mystery 666 icon changes I had!?!!

P.s. I noticed there's someone called Springerrr on the forum who seems to have had the same problem with SpyHunter finding those Zlob codecs in the ZoneMap\Domains registry key. I would post and tell him of my findings, but I am not sure whether I'm allowed to do that.
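Added example, not from this thread, from Spybot or from any of the tools mentioned: a small Python parser for a regedit export (the kind of backup file produced by the File > Export step above) that lists every host under ZoneMap\Domains with its zone number, so entries in the Restricted zone (4, the immunization pattern redice found) can be told apart from hosts that have been placed in the Trusted or Local intranet zones, which weaken Internet Explorer's protections and are the ones worth a closer look. The sample export text and the host example-trusted.test are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Internet Explorer URL security zone numbers (documented in Microsoft KB 182569).
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
DOMAINS_MARKER = "\\ZoneMap\\Domains\\"
VALUE_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample of a regedit export (not taken from the thread). The first two
# entries sit in the Restricted zone, which is how Spybot's immunization blocks a
# site; the third is a hypothetical host that someone placed in the Trusted zone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyfalcon.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyaxe.com\download4]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-trusted.test]
"*"=dword:00000002
"""


def parse_zonemap(reg_text: str) -> Dict[str, Dict[str, int]]:
    """Return {host: {scheme: zone}} for every key below ZoneMap\\Domains."""
    zonemap: Dict[str, Dict[str, int]] = {}
    host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.find(DOMAINS_MARKER)
            host = None
            if idx != -1:
                # Subkeys nest host labels: Domains\spyaxe.com\download4 means
                # download4.spyaxe.com, so reverse the path to rebuild the name.
                parts = key[idx + len(DOMAINS_MARKER):].split("\\")
                host = ".".join(reversed(parts))
                zonemap.setdefault(host, {})
            continue
        m = VALUE_RE.match(line)
        if host is not None and m:
            zonemap[host][m.group(1)] = int(m.group(2), 16)
    return zonemap


def relaxed_entries(zonemap: Dict[str, Dict[str, int]]) -> List[Tuple[str, str, str]]:
    """Hosts mapped into Trusted (2) or Local intranet (1): these lower IE's
    security for the site and deserve review; Restricted (4) entries only block it."""
    return sorted((h, s, ZONE_NAMES.get(z, str(z)))
                  for h, schemes in zonemap.items()
                  for s, z in schemes.items() if z in (1, 2))


if __name__ == "__main__":
    zm = parse_zonemap(SAMPLE_REG)
    print(f"{len(zm)} hosts parsed; needs review: {relaxed_entries(zm)}")
```

Regedit writes its exports as UTF-16, so a real backup file should be read with encoding="utf-16" before being passed to parse_zonemap.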

pskelley
2007-01-18, 02:02
Whoa...that's interesting. I have never before had anyone describe this. Why don't you post as much detail as you can remember here:
http://forums.spybot.info/forumdisplay.php?f=4
Start a New Thread, and mention the issue with the icons also, perhaps someone will know why, I sure don't. Make sure you immunize again in Spybot. This way everyone who looks at the Spybot forum will benefit from what you found out.
Do we need this topic anymore or can I close it?

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-01-27, 11:40
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.