Greetings and Thank You for Your Time.

PROBLEMS:

IE Browser: Search Redirects to Ads, Crashes/Hangs Up needs to close error, History of activity is funky – does not always record the Redirected Sites.

Windows Explorer: Search Crashes after 1 second of duty and crashes during usual use as well.

Spybot S&D: finds Zlob.DNSChanger and kdid often. S&D has cleaned up a few other things since downloading two days ago. Has anyone been able to rid their computer of the Zlob?

1) TrendMicro OnLine Scanner found and cleaned today; TROJ_AGENT.XQW, B177.EXE and ADWARE_SOFTOMATE = ADSPY/Bar.Astabar.A ( I guess this is what made the odd Sponsored Ads at the top of the webpages at all the sites?)

I read the “Before You Post” steps section and will only post a HJT (Merijn's HijackThis v1.99.1) log if my volunteer helper requests me to do so.

KASPERSKY ONLINE SCANNER REPORT below from today, I had already downloaded this program so I went with it. The program crashes on the other scans it offers.

2) & 3) Ran SpyBot S&D in SafeMode.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 30, 2007 1:34:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 30/07/2007
Kaspersky Anti-Virus database records: 369743
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\DAVDEN~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 18968
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:14:15

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\curious.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A2044A9F-59DC-4249-A393-A39A1CB1FAB6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_GH2cyPeYVyqjxQh Object is locked skipped
C:\WINDOWS\Temp\mcmsc_lAWPY2hHWDUTlTd Object is locked skipped
C:\WINDOWS\Temp\mcmsc_S5LhOf1CFnEq4S4 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
---------------------------------------------------------------------------

Hello RafikiSupai!

Welcome to Safer Networking.

Go tp where you have HJT installed and delete it and download and install this newer version by Trendmicro

Download and install Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trendmicro Hijackthis Installer, follow defauts and it will install in C:\Program Files\Trendmicro\Hijackthis and this is exactly where we want it to be.


Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:23 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\locator.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webauth.comcast.net/auth/login?action=Check_Logout&url=http%3A//mailcenter.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://webauth.comcast.net/auth/login?action=Check_Logout&url=http%3A//mailcenter.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = (value not set)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB003" /M "Stylus C86"
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: McAfee Application Installer Cleanup (0276091185206929) (0276091185206929mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027609~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9717 bytes

RafikiSupai!,

Your log is not looking to bad, lets do a few things.

We need to disable the Tea Timer in Spybot Search and Destroy as to not interfere with the fix.

Open Spybot and go to Mode> Advanced Mode> Tools> Resident and take the checkmark out of Tea Timer


Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = (value not set)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


You have Ewido installed, it was bought out by AVG, if its just a trial, uninstall it and download and install the newer version, if you purchased it, you may be able to upgrade to AVG Anti Spyware.

Have it set up this way.....


Make sure you follow these instructions correctly to Remove or Quarantine what it finds and also to save the report, without me seeing the report my hands are tied.
Download and install the 30 day trial of AVG Anti-Spyware 7.5.1.43 (http://www.ewido.net/en/download/) to your desktop.


Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found
Close AVG Anti-Spyware Free <-- Do not run the scan yet.

Boot your computer into Safemode

Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:

Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system <--Don't forget this
make sure to remember where you saved that file, this is important, I need to see that log.
Close AVG Anti-Spyware Free



Let me see the AVG Report and a New HJT log please.

A bit of bad news, I ran AVG per your directions and it said, "Something bad happened" and produced the below error repot.

I recall now that I did download AVG a week or so ago and the same thing happened (my days, nights and the many cleaning and or diagnostic attempts w/this issue are running into one big blurrr.)


[7/30/2007 19:35:04 PM] Error: [CProcessInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ProcessInformation.cpp, 274
[7/30/2007 19:35:04 PM] Error: [CConnectionInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ConnectionInformation.cpp, 227
[7/30/2007 19:39:26 PM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 23
[7/30/2007 19:39:59 PM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 23
[7/30/2007 19:39:59 PM] Error: [CProcessInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ProcessInformation.cpp, 274
[7/30/2007 19:40:00 PM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 23
[7/30/2007 19:40:30 PM] Error: failed to create socket, Value: 00002742, Position: .\DownloadHttp.cpp, 212
[7/30/2007 20:37:23 PM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 23
[7/30/2007 20:37:25 PM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 23
[7/30/2007 20:38:37 PM] Error: failed to connect to server, Value: 00000002, Position: .\Client.cpp, 26
[7/30/2007 20:38:59 PM] Error: [CProcessInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ProcessInformation.cpp, 274
[7/30/2007 20:39:00 PM] Error: [CConnectionInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ConnectionInformation.cpp, 227

RafikiSupai!

Sorry you are having problems, lets run a couple of other scans if you can.

Run Panda's ActiveScan from here (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and perform a full system scan.

Once you are on the Panda site click the "Scan your PC" button
A new window will open...click the big "Check Now" button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
If you are on a slow connection it will take about 15 minuites for the scanner to load.
Click on "Local Disks" to start the scan
Once scan is done, click "see report" then "save report"
Save the log someplace you can find
Reboot
Post the Panda scan results in your next reply



This will check for Smitfraud which is related to Zlob
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


Let me see the Panda report , the Smitfraud report and a New HJT log please

I am trying to get the Panda site to work, it is not displaying well enough to read but I will keep poking around.

FWIW: While poking about the Panda site which I am scanning with now, below is a little report from one of the clicks that worked…

http://www.nanoscan.com/error/?aspxerrorpath=/requirements/Default.aspx
Server Error in '/' Application.

Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".


<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>


Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>

AVG (ran 2x ) did find Adware.Generic but crashed before the location/fix/log options.

I am grateful for your assistance. Thank you for the warm welcome as well in your first post.

Panda report, the Smitfraud report and a New HJT log:


Activescan.txt:
Incident Status Location
Virus:Trj/DNSChanger.SP Disinfected C:\WINDOWS\SYSTEM32\kdgpy.exe

»»»»»»»»»»»»»»»»»»»»»»»» End

rapport.txt
SmitFraudFix v2.207

Scan done at 23:32:11.51, Mon 07/30/2007
Run from C:\Documents and Settings\DavDenRusSki\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 hk.digitaltrends.com
127.0.0.1 microsoft.com.org #[IE-SpyAd]
127.0.0.1 www.www.microsoft.com.org

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\DavDenRusSki


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\DavDenRusSki\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DAVDEN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdgpy.exe"

kdgpy.exe detected !


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
DNS Server Search Order: 68.87.75.194
DNS Server Search Order: 68.87.64.146

HKLM\SYSTEM\CCS\Services\Tcpip\..\{046E58ED-61D9-4FD9-8030-62CDD6FD02F9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{22234750-CDF9-4888-82D0-40269FFE60AF}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C8985DC6-6DB5-4B42-BC24-D2FFE0DBBF67}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D6B648FA-67E6-445E-B6ED-FFC86D5E6736}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{046E58ED-61D9-4FD9-8030-62CDD6FD02F9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{22234750-CDF9-4888-82D0-40269FFE60AF}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C8985DC6-6DB5-4B42-BC24-D2FFE0DBBF67}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D6B648FA-67E6-445E-B6ED-FFC86D5E6736}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5DFE541D-BF40-4D07-B238-A75F027CE454}: DhcpNameServer=163.244.194.254 163.244.212.254 163.244.252.244
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:52 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webauth.comcast.net/auth/login?action=Check_Logout&url=http%3A//mailcenter.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://webauth.comcast.net/auth/login?action=Check_Logout&url=http%3A//mailcenter.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB003" /M "Stylus C86"
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: McAfee Application Installer Cleanup (0071401185842860) (0071401185842860mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007140~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9199 bytes

Good Morning,

You can remove this one with HJT also
O23 - Service: McAfee Application Installer Cleanup (0071401185842860) (0071401185842860mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007140~1.EXE (file missing)

It looks like your hosts files are corrupted.

Download HostsXpert v3.7 (http://www.funkytoad.com/content/view/13/)

Unzip HostXpert to your desktop
Open up the HostXpert program.
Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
Click Create Back Up
Then click on Restore Microsoft's Host Files
Close the HostXpert program


Lets run Part 2 of Smitfraud to be on the safeside,a file was detected that could be part of that trojan.

Boot your computer into Safemode

Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)



Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt





Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start> Control Panel and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete Offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button.
Click Apply then OK.




Reboot normally.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


Let me see the Smitfraud log and a new HJT log please.

SmitFraudFix v2.207

Scan done at 9:50:02.71, Tue 07/31/2007
Run from C:\Documents and Settings\DavDenRusSki\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{046E58ED-61D9-4FD9-8030-62CDD6FD02F9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{22234750-CDF9-4888-82D0-40269FFE60AF}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{C8985DC6-6DB5-4B42-BC24-D2FFE0DBBF67}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D6B648FA-67E6-445E-B6ED-FFC86D5E6736}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{046E58ED-61D9-4FD9-8030-62CDD6FD02F9}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{22234750-CDF9-4888-82D0-40269FFE60AF}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C8985DC6-6DB5-4B42-BC24-D2FFE0DBBF67}: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D6B648FA-67E6-445E-B6ED-FFC86D5E6736}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5DFE541D-BF40-4D07-B238-A75F027CE454}: DhcpNameServer=163.244.194.254 163.244.212.254 163.244.252.244
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.75.194 68.87.64.146


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdgpy.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdgpy.exe not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» End




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:05 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB003" /M "Stylus C86"
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: McAfee Application Installer Cleanup (0071401185842860) (0071401185842860mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007140~1.EXE (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8862 bytes

Things are looking good :bigthumb:

Have you tried to remove this one, its not malware so not to worry if you can't.
O23 - Service: McAfee Application Installer Cleanup (0071401185842860) (0071401185842860mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\007140~1.EXE (file missing)


How are things running now???

Hi Ken. Yes, all is well at the moment but I am holding my breath! I have had temporary reprieves before but with your expertise you have taken me through many more steps to find more the deeper problems and it is my hope your steps will take hold. ASANTE KEN!

I have a few more questions about sprucing things up a bit to keep things the bad guys at bay as much as I can but am not sure if this is the place to do so, please advise.

Here is some reading and free programs for you to install , lets hope things stay well but if you should have another problem in the future by all means please post back.

How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, don't leave home without them
Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Ad-Aware SE Personal 1.06 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Check for Updates and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


It was a pleasure to help you,:bigthumb:

Safe Surfin
Ken

O23 - Service: McAfee Application Installer Cleanup (0276091185206929) (0276091185206929mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\027609~1.EXE (file missing)

No, this did not go away after trying to remove it 2x's and it does not come up as an ISSUE under CCleaner. However, these 4 items do even after I have deled them from the Registry...


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{7BF7B688-4A95-4003-BA98-EA8A79DA0ABA}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CFF8E668-1954-44CC-A342-FED2CC0601CA}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{E0F7DAE4-DFA0-46C6-AE55-0C95E4A68898}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{F011B8F1-BCCD-4E73-84F8-CB2F2D258755}


Ken, my Windows Explorer Search works now -- YIPEE! A life changing perk for the better for sure!

Also, when I reboot my Task Scheduler does not give me the warning, "Some Tasks did not start as scheduled BlahBlahBlah... click here. I had NO CLUE these ANNOYING issues were all part of the infections!!! Asante sana Ken!

Those are all invalid objects and are not harmful. If you run the Issues scan with CCleaner they may be removed.???

By the way, CCleaner is a great program, you should run it every week or so to keep all the extra not needed garbage from Temp Files and such from building up. You can open the program and click on Options > Cookies and move all the ones you want to keep to the Keep pane on the right.

Ken

Ken,

Thank you for the list of programs. I see you have mentioned all free ones, which is fine, but these are usually not full versions and I am not sure if this is truly important with all the other little tweak programs...

I was thinking that perhaps AVG would be better than the McAfee Security Center which comes with my Comcast service (so I AM paying for it for sure) what would you advise?

Thanks

Run this tool to clean up all the leftovers that may still be present, we don't want this coming back to haunt you. Then I will go over the programs I suggested.

Please download FixWareout from one of these sites:
FixWareout Subratam (http://downloads.subratam.org/Fixwareout.exe)
FixWareout Lonny (http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe)

Save it to your desktop and run it.
Click Next, then Install,
Then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.

Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply.

Now lets check some settings on your system. For (2000/XP) Only)


Go to Start > control panel.
If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
Then right click on your default connection, usually local area connection for cable and dsl.
Left click on properties.
Click the Networking tab.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems





Next Go start> Run type cmd and hit OK
Type in ipconfig /flushdns then hit enter
(that space between g and / is needed)
Type exit hit enter



Let me see the FixWareout report

Username "DavDenRusSki" - 07/31/2007 14:22:18 [Fixwareout edited 2007/07/05]
»»»»»Prerun check
Could not flush the DNS Resolver Cache: Function failed during execution.

System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"IAAnotif"="C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"EPSON Stylus C86 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2R1.EXE /P23 \"EPSON Stylus C86 Series\" /O6 \"USB003\" /M \"Stylus C86\""
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1169651013\\ee\\AOLSoftware.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"mcagent_exe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Ken, I checked my settings which were already selected to Obtain DNS servers automatically, then I ran manual flush which gave me the same failure report as the FixWareout report.

Lets try this as its possible that the malware has played with your DNS settings.

It is quite possible that your DNS Service is not "running" (as in "Status" is not "started and running)

If the above is true, then your machine would have no way to perform the procedure you are asking of it.


Go to Start - Run - and type in Services.msc press Enter

Scroll down to DNS Client
Double-Click on DNS Client, then select to change the status to Start. (Its OK to leave it as Manual, if that is the current
setting, but you will have to repeat this procedure in the future if you elect to flush your dns cache again)

Now try flushing it again.


Next Go start> Run type cmd and hit OK
Type in ipconfig /flushdns then hit enter
(that space between g and / is needed)
Type exit hit enter


Let me know how it went

I set it to automatic as well.

Thats great :bigthumb::bigthumb: The rest of your log looks fine, your good to go.


Thank you for the list of programs. I see you have mentioned all free ones, which is fine, but these are usually not full versions These are all full versions.

You have Spybot Search and Destroy installed :bigthumb: One of the better programs on the internet , make sure you check for updates, Immunize and run a scan at least once a week

Spyware Blaster, no scans to run, just keep it updated and enable all protection, just sits in the background keeping the bad guys out. If you install this program, do not enable the tea timer in Spybot as they will conflict.


Spyware Guard is a one time install, it just sits in the background and guards your pc from attack by Spyware.


IESPYAD, This too will help block bad sites from downloading any of there garbage to your computer..

Firefox You can use both IE and Firefox, just make the one you want your default and they won't bother one another. I use and love Firefox, its more secure than IE.

ZoneAlarm You should only have one Anti Virus program and only one Firewall installed so if your Mcafee includes a firewall then bypass this one.


Been a pleasure helping you. :wink::

Safe Surfin
Ken

Dear Ken aka Security Warrior

Asante sana rafiki yangu (Thank you very much my friend!) You have greatly improved my life with your knowledge!

If you ever come to Tanzania to safari in the Serengeti, hike up MT. Kilimanjaro or mountain bike in the Ngorongoro Crater Highlands -- I shall repay your kindness and have Security Warriors for you with Shields and Spears! KARIBU SANA!

RafikiSupai! Thank You for your kind words. Glad all is well

Ken

I thought I would run a Spybot S&D scan and put the TeaTimer back on and promptly received this notice:

S&D has detected an important registry entry that has changed.

Category: Browser page

Change: Value changed

Entry: Search Page

Old data: http://www.microsoft.com/isapi/redir.dll?prd=iear=search

New data: http://www.microsoft.com/isapi/redir.dll?prd=iear=iesearch

Then there are two buttons on each side (left & right bottom corners) of the dialog box which I CANNOT SEE to read…

The left hand side button has a box to check and “Remember this decision?” statement.

I have not done anything and have left this dialog box open, any clue what I should do? :-/

All the setting are normal, they have been reset so the Tea Timer in Spybot is giving you a heads up. You can accept your new settings.

Ken:)

Good morning Ken,

I had to snoop around for a PIC to make sure what the TeaTimers dialog box buttons said as I am new to S&D. I was a bit jittery about making any changes -- especially involving MSM and their whole redirect process even if you do not use them for your Home Page (which I normally do not, just for this cleanup.) When I am sure it is safe to download and update I will update back to IE7 and add the Firefox browser as well.

Once I heard back from you (thank you) and got through all the TeaTimer duties, I installed S&D with today’s updates then finally ran my scan, which again detected the ZLOB. Is there anything you recommend I need to do at this time?


I found a PIC of the TeaTimer dialog box at this site with a description that was helpful:

http://wiki.pomona.edu/bin/view/FAQ/TeaTimer (http://wiki.pomona.edu/bin/view/FAQ/TeaTimer)
Note: This screenshot is from v1.4beta as v1.4 seems to currently have a bug that cuts off part of the window. If you are having this problem, please be aware that the left button is the Allow button and the right button is Deny, as in the screenshot above. Hopefully the Spybot developers will fix this soon!

This is the Spybot Search and Destroy 1.5 Beta, you can go to Help> About and see what version you are running. You may want to give this a try, uninstall the older version first.

http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/SpyBotSearch-Destroy.shtml


Start the program, Check for Updates, make sure the Tea Timer is disabled.

Click on Mode and select Advanced Mode, then click on Spybot and run a full system scan, then select all and remove what it finds.

Then in advanced mode, click on Tools > View Report and just tick the following.

Results of last Check
Active X
Start Up list
BHO

Then Export it to your desktop, it will be in Notepad, copy and paste the log into this thread.

Ken;)

--- Search result list ---
Common Dialogs: History (2 files) (Registry key, fixed)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
MS Office 9.0: Recently used files (9 files) (Directory, fixed)
C:\Documents and Settings\DavDenRusSki\Application Data\Microsoft\Office\Recent\
Log: Activity: SchedLgU.Txt (Backup file, fixing failed)
C:\WINDOWS\SchedLgU.Txt
Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, fixed)
C:\WINDOWS\System32\wbem\logs\wbemess.log
Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, fixed)
C:\WINDOWS\System32\wbem\logs\wmiprov.log
Adobe ImageReady 7.0: Last save folder (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Adobe\ImageReady 7.0\Preferences\SaveDir\tlfd!=
Adobe ImageReady 7.0: User actions history (11 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Adobe\ImageReady 7.0\Preferences\UserActions
Canon ZoomBrowser EX: Last opened folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Canon\ZoomBrowser Ex\Settings\LastSelectedKey
Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
MS Media Player: Application data file (global) () (File, fixed)
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\wmplibrary_v_0_12.db
MS Media Player: Search terms history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\MediaPlayer\AutoComplete\MediaSearch
MS Media Player: Last selected node (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\MediaPlayer\MediaLibraryUI\MLLastSelectedNode!=
MS Media Player: Client ID (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=
MS Media Player: Client ID (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=
MS Media Player: Anonymous ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0
MS DirectDraw: Most recent application (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=
MS Office 9.0 (Start Assistant): Last opened file directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Office\9.0\Osa\FindFile\Place!=
MS Office 11.0 (Access): Recent database #5 (Registry value, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Office\11.0\Access\Settings\MRU5
MS Office 11.0 (Cliparts): Last search made (6 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Office\11.0\Clip Organizer\Search\Last Query
MS Office 11.0 (Picture Manager): Last selected folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Office\11.0\OIS\Options\LastTreeSelection
MS Office 11.0 (Script Editor): Last loaded project (Registry value, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Office\11.0\MSE\LastLoadedSolution
MS Office 11.0 (Script Editor): Recent file list (8 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Office\11.0\MSE\FileMRUList
MS Office 11.0 (Word): Recent file list (Registry value, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Office\11.0\Word\Data\Settings
MS Frontpage: Last opened web (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Settings\LastWebOpen!=
MS Visual Basic for Applications: Recent file list (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\VB and VBA Program Settings\Microsoft Visual Basic AddIns\Package and Deployment Wizard
MS Photo Editor: Last used directory (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Photo Editor\3.0\File Options\Path!=
MS Search Assistant: Typed search terms history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Search Assistant\ACMru
MusicMatch JukeBox: Last add song folder (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\MusicLibraryUI\Last add song dir!=
Paint Shop Pro 8: Last browse folder (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Jasc\Paint Shop Pro 8\Browser\BrowseDir!=
Windows: Drivers installation paths (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=
Windows.OpenWith: Open with list - .ADP extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADP\OpenWithList
Windows.OpenWith: Open with list - .AI extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AI\OpenWithList
Windows.OpenWith: Open with list - .ALB extension (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ALB\OpenWithList
Windows.OpenWith: Open with list - .API extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.API\OpenWithList
Windows.OpenWith: Open with list - .AS extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AS\OpenWithList
Windows.OpenWith: Open with list - .ASX extension (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ASX\OpenWithList
Windows.OpenWith: Open with list - .AVI extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AVI\OpenWithList
Windows.OpenWith: Open with list - .BMP extension (10 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BMP\OpenWithList
Windows.OpenWith: Open with list - .CAB extension (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList
Windows.OpenWith: Open with list - .CDA extension (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\OpenWithList
Windows.OpenWith: Open with list - .CDX extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDX\OpenWithList
Windows.OpenWith: Open with list - .CFG extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CFG\OpenWithList
Windows.OpenWith: Open with list - .CLS extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CLS\OpenWithList
Windows.OpenWith: Open with list - .CPL extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CPL\OpenWithList
Windows.OpenWith: Open with list - .CSS extension (4 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList
Windows.OpenWith: Open with list - .CSV extension (3 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSV\OpenWithList
Windows.OpenWith: Open with list - .CTL extension (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CTL\OpenWithList
Windows Explorer: Recent wallpaper list (501 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
Windows Explorer: Stream history (120 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: User Assistant history IE (6 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: User Assistant history files (24 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: Last visited history (2 files) (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: Recent file global history (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: Recent file global history (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Windows Explorer: Last Copy/MoveTo folder (Registry value, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder
Windows Media SDK: Computer name (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName
Windows Media SDK: Computer name (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName
Windows Media SDK: Computer name (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName!=ComputerName
Windows Media SDK: Unique ID (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}
Windows Media SDK: Unique ID (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}
Windows Media SDK: Unique ID (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\UniqueID!={00000000-0000-0000-0000-000000000000}
Windows Media SDK: Volume serial number (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: Volume serial number (Registry value, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
Windows Media SDK: Volume serial number (Registry value, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber
WinZip: Number of times run (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Nico Mak Computing\WinZip\rrs\Opened!=
WinZip: Number of times run (Registry change, fixed)
HKEY_USERS\S-1-5-21-2710597939-3187016515-2077082144-1007\Software\Nico Mak Computing\WinZip\rrs\Opened!=
WinZip: Number of times run (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Nico Mak Computing\WinZip\rrs\Opened!=
Cache: Cache (12) (Cache, fixed)

Congratulations!: No immediate threats were found. ()

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-07-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-08-01 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-08-01 Includes\DialerC.sbi (*)
2007-07-11 Includes\Hijackers.sbi (*)
2007-08-01 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-08-01 Includes\KeyloggersC.sbi (*)
2007-08-01 Includes\Malware.sbi (*)
2007-08-01 Includes\MalwareC.sbi (*)
2007-07-11 Includes\PUPS.sbi (*)
2007-08-01 Includes\PUPSC.sbi (*)
2007-08-01 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-08-01 Includes\SecurityC.sbi (*)
2007-08-01 Includes\Spybots.sbi (*)
2007-08-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2007-08-01 Includes\Trojans.sbi (*)
2007-08-01 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

--- Startup entries list ---
Located: HK_LM:Run, AsioReg
command: REGSVR32.EXE /S CTASIO.DLL
file: C:\WINDOWS\system32\REGSVR32.EXE
size: 11776
MD5: 9709ead856a690333138ac40804f914e
Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 335872
MD5: 18d6b0bb625420c37cc146cbbe59d32a
Located: HK_LM:Run, CTDVDDet
command: C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
file: C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
size: 45056
MD5: 49530ea45ebd73e2c11c74dfebc30d57
Located: HK_LM:Run, CTSysVol
command: C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
file: C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
size: 49152
MD5: c88806e6c9ae0ad88d20e1bda995355a
Located: HK_LM:Run, dla
command: C:\WINDOWS\system32\dla\tfswctrl.exe
file: C:\WINDOWS\system32\dla\tfswctrl.exe
size: 122933
MD5: 55877ab1f65a512fd317b640d9353dc5
Located: HK_LM:Run, DVDLauncher
command: "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
file: C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
size: 53248
MD5: 6a66b6a314f6ef30cd1cf82a17daad52
Located: HK_LM:Run, EPSON Stylus C86 Series
command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB003" /M "Stylus C86"
file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE
size: 99840
MD5: 6f02f5cb024b52492406707909cd9b86
Located: HK_LM:Run, HostManager
command: C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
file: C:\Program Files\Common Files\AOL\1169651013\ee\AOLSoftware.exe
size: 50736
MD5: c482c535cbfefe722ec1eb7f11f680a3
Located: HK_LM:Run, IAAnotif
command: C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
file: C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
size: 135168
MD5: 84ce197c2869be8965644396841fdd19
Located: HK_LM:Run, IntelMeM
command: C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
file: C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
size: 221184
MD5: bc02e491e88492b02363ce1b384ff7a7
Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe
Located: HK_LM:Run, mcagent_exe
command: C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
file:
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
size: 132496
MD5: 896e712a34d654a337c8cbb9deb07200
Located: HK_LM:Run, UpdateManager
command: "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
file: C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
size: 110592
MD5: 22fd4e58d69969a9165721c797d54931
Located: HK_LM:Run, UpdReg
command: C:\WINDOWS\UpdReg.EXE
file: C:\WINDOWS\UpdReg.EXE
size: 90112
MD5: c419df63e0121d72411285780c2fc6cc
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8
Located: Startup (common), Adobe Gamma Loader.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a
Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: 57cb86b1cdd77eb5138ba05d1f193463
Located: Startup (disabled), Acrobat Assistant (DISABLED)
command: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
file: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
size: 217193
MD5: 78bfe3201ada2fe02d1e35d2488e5f55
Located: Startup (disabled), Adobe Gamma Loader (DISABLED)
command: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
file: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a
Located: Startup (disabled), America Online 9.0 Tray Icon (DISABLED)
command: C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
file:
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 5/15/2003 12:47:54 AM
Date (last access): 8/1/2007 1:56:36 PM
Date (last write): 5/15/2003 12:47:54 AM
Filesize: 50376
Attributes: archive
MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
CRC32: 1D771322
Version: 6.0.0.878
{089FD14D-132B-48FC-8861-0048AE113215} ()
BHO name:
CLSID name:
Path: C:\Program Files\SiteAdvisor\6066\
Long name: SiteAdv.dll
Short name:
Date (created): 7/29/2007 6:09:30 PM
Date (last access): 8/1/2007 1:39:36 PM
Date (last write): 7/30/2007 10:19:04 AM
Filesize: 1099304
Attributes: archive
MD5: 13B5ED60FE79EE38268A5AA57FC8B44F
CRC32: 2469AFC6
Version: 2.4.0.0
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 7/28/2007 11:00:04 PM
Date (last access): 8/1/2007 1:56:38 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
{5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
BHO name:
CLSID name: DriveLetterAccess
description: Hewlett-Packard's DLA software
classification: Unknown
known filename: tfswshx.dll
info link:
info source: TonyKlein
Path: C:\WINDOWS\system32\dla\
Long name: tfswshx.dll
Short name:
Date (created): 9/7/2004 7:30:04 AM
Date (last access): 8/1/2007 1:56:38 PM
Date (last write): 3/15/2004 2:04:00 AM
Filesize: 118836
Attributes: archive
MD5: 3A79721C9ACC30CBA57266854C20238B
CRC32: 6FCEA787
Version: 1.4.7.1
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: ssv.dll
Short name:
Date (created): 7/30/2007 8:30:58 AM
Date (last access): 8/1/2007 1:56:38 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 501136
Attributes: archive
MD5: D6137540BDF0F9F9B9055C60ADD8007A
CRC32: 29E910AF
Version: 6.0.20.6
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
BHO name: scriptproxy
CLSID name: scriptproxy
Path: c:\PROGRA~1\mcafee\VIRUSS~1\
Long name: scriptsn.dll
Short name:
Date (created): 8/1/2007 6:28:58 AM
Date (last access): 8/1/2007 1:56:36 PM
Date (last write): 7/24/2007 12:02:40 PM
Filesize: 66880
Attributes: archive
MD5: 7586AE543FCEEBC47892D112628B70A9
CRC32: D1B86D73
Version: 14.0.0.349
{AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
BHO name:
CLSID name: AcroIEToolbarHelper Class
description: Adobe Acrobat
classification: Legitimate
known filename: AcroIEFavClient.dll
info link: http://www.adobe.com/products/acrobatpro/main.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\
Long name: AcroIEFavClient.dll
Short name: ACROIE~1.DLL
Date (created): 5/15/2003 1:03:46 AM
Date (last access): 8/1/2007 1:46:56 PM
Date (last write): 5/15/2003 1:03:46 AM
Filesize: 147456
Attributes: archive
MD5: 44BCFF08947790E74BD7CC7532D2B793
CRC32: 0C91890B

--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 2/21/2007 5:49:08 PM
Date (last access): 8/1/2007 2:12:44 PM
Date (last write): 2/21/2007 5:49:08 PM
Filesize: 946176
Attributes: archive
MD5: 5011129171D8DB17D519270B9C13DB1C
CRC32: 0837FD01
Version: 5.0.93.0
{17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool)
DPF name:
CLSID name: Windows Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf
Codebase: http://go.microsoft.com/fwlink/?linkid=39204
description:
classification: Legitimate
known filename: LegitCheckControl.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: LegitCheckControl.dll
Short name: LEGITC~1.DLL
Date (created): 7/12/2005 7:04:22 PM
Date (last access): 8/1/2007 2:12:46 PM
Date (last write): 3/15/2007 6:19:28 PM
Filesize: 1476992
Attributes: archive
MD5: D1CB99ADBA9397D7D02B0B2DCFE47F1A
CRC32: ED982FE3
Version: 1.7.18.5
{193C772A-87BE-4B19-A7BB-445B226FE9A1} ()
DPF name:
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\mcinsctl.inf
Codebase: http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
description:
classification: Legitimate
known filename: mcinsctl.dll
info link:
info source: Safer Networking Ltd.
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 8/1/2007 2:12:46 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Legitimate
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 8/24/2006 8:28:54 AM
Date (last access): 8/1/2007 2:07:16 PM
Date (last write): 8/24/2006 8:28:54 AM
Filesize: 141424
Attributes: archive
MD5: CB0EBD772D7D003BD11A999FF515A89A
CRC32: 3CFE74C1
Version: 58.6.0.0
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\McGDMgr.inf
Codebase: http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
description:
classification: Legitimate
known filename: McGDMgr.dll
info link:
info source: Safer Networking Ltd.
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} ()
DPF name:
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: npjpi142_03.dll
info link:
info source: Safer Networking Ltd.
{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} ()
DPF name:
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: npjpi150_11.dll
info link:
info source: Safer Networking Ltd.
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi160_02.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 8/1/2007 2:12:46 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_02
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_02\bin\
Long name: npjpi160_02.dll
Short name: NPJPI1~1.DLL
Date (created): 7/12/2007 2:22:38 AM
Date (last access): 8/1/2007 2:12:46 PM
Date (last write): 7/12/2007 4:00:36 AM
Filesize: 132496
Attributes: archive
MD5: E3811F1A1C5063C941EC0E2766C3EA39
CRC32: AEFD3747
Version: 6.0.20.6
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 8/1/2007 2:04:18 PM
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0

Things look fine :bigthumb: I see no Zlob here. Your older scan may have picked up a stray reg entry.

You can open Spybot and under Tools > View Reports, there may be an older report that was saved when it picked up Zlob, if so post the log.

Glad we could help, :bigthumb: as the problem appears to be resolved this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.