need help clearing xrun.exe etc



eedmonds
2007-09-15, 23:40
Hi,

This is a second post, including the Kaspersky log which I did not realize you wanted. So this has the HJT and Kaspersky logs. My other thread, titled the same, is on about page 3 now. I'm at the end of what I can do myself and will be waiting for assistance.

What occurred is this: ZoneAlarm starts asking for several things to be approved. I say no, it asks again, I say no. Then boxes start coming up (about 6) saying such and such files are not valid Win32 files. Some of the file names are yazzlesnet.exe, is68089.exe and snapsnet.exe. Read around, saw what I had, found and threw yazzlesnet and xrun into the recycle bin for the moment. Updated AVG and Spybot, both come up clean. Tried to remove old Java to update; it won't allow me to, saying that Windows Installer isn't installed properly. Can't get old Java out, can't download the update.

I resort to System Restore, it won't work; went to Safe Mode and successfully did a system restore to 2 weeks back.

After the system restore, yazzlesnet was gone from the recycle bin, xrun was still there, I dumped it. I have redownloaded and updated AVG; Spybot is updated, however it isn't the 1.5 and I can not see how to get the 1.5. I need to somehow manage to update Java, and I was previously having problems updating ZoneAlarm so that isn't updated either.

I tried cleaning the Kaspersky log up with word wrap but it just looks the same.

I appreciate any help -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:48 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mybluelight.com/s/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/?charityid=542921
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F5136B4-4FAE-456F-AF15-3D99E9BAF2DE}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{6F5136B4-4FAE-456F-AF15-3D99E9BAF2DE}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5137 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 15, 2007 2:13:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 15/09/2007
Kaspersky Anti-Virus database records: 419050
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 44257
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:42:06

Infected Object Name / Virus Name / Last Action

Scan process completed.

little eagle
2007-09-20, 04:28
Close all programs, leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Startup: PowerReg Scheduler.exe

Click on Fix Checked when finished and exit HijackThis.

----------------------------------------

Be sure to keep Sun Java updated.
In Add/Remove Programs, click on these and press *remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5 - 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE.
It is important to remove older versions as these are the ones with the holes in them.
You will be surprised when you go to add/remove to see all of the versions sitting there.
Download Newest >>>> http://www.java.com/en/download/index.jsp
Once installed you can test to see that it is in fact installed >>>>
Sun Java Test (http://www.java.com/en/download/installed.jsp)

-----------------------

Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)


Then go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
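Triage of HijackThis entries like the ones little eagle picked out above, as an added example in Python that is not part of the thread or of HijackThis itself: it flags dead references ("(no file)", "(file missing)"), Startup-folder items, overridden browser pages, and O17 DNS servers outside an allow-list. The sample lines are copied from the log posted above; the allow-list of resolvers is an assumption.

```python
import re

# Constructed sample, copied from the HijackThis v2.0.2 log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mybluelight.com/s/search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F5136B4-4FAE-456F-AF15-3D99E9BAF2DE}: NameServer = 209.244.0.3 209.244.0.4
"""

# Every HijackThis entry starts with a section code ("R1", "O2", "O17", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Resolvers the reviewer expects on this machine. This allow-list is an assumption for
# the example: substitute the ISP's or the router's addresses when triaging a real log.
KNOWN_NAMESERVERS = {"209.244.0.3", "209.244.0.4"}


def triage_line(line, known_ns=KNOWN_NAMESERVERS):
    """Return (verdict, reason) for one HijackThis entry, or None if it needs no action.

    verdict is "fix" for entries that are safe to remove because they point at nothing,
    or "review" for entries a helper would want to look at before deciding.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    # Dead references: the registry still names a file that is no longer on disk.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return ("fix", f"{section}: orphaned entry, target file absent")

    # Programs launched from the Startup folder run at every logon; worth a look.
    if section == "O4" and body.startswith("Startup:"):
        return ("review", "O4: program launched from the user's Startup folder")

    # O17: DNS servers set on an interface. Anything outside the allow-list is suspect.
    if section == "O17":
        ns = re.search(r"NameServer = (.+)$", body)
        servers = set(ns.group(1).split()) if ns else set()
        unknown = servers - known_ns
        if unknown:
            return ("fix", f"O17: unexpected DNS server(s) {sorted(unknown)}")
        return None

    # R0/R1: start page and search bar overrides; not malicious by themselves.
    if section in ("R0", "R1"):
        return ("review", f"{section}: browser start/search page overridden")

    return None


def triage_log(text, known_ns=KNOWN_NAMESERVERS):
    """Run triage_line over a whole log; returns a list of (verdict, reason, line)."""
    findings = []
    for line in text.splitlines():
        verdict = triage_line(line, known_ns)
        if verdict:
            findings.append((verdict[0], verdict[1], line.strip()))
    return findings


if __name__ == "__main__":
    for verdict, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{verdict:6}] {reason}\n         {line}")
```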

eedmonds
2007-09-20, 08:04
Hi and thank you so much for your help.

I did the first HijackThis step, found the files, that worked fine. I rechecked it and they did not appear.

I go to remove Java in Add/Remove Programs; it tells me that Windows Installer isn't working and that it can be caused by the computer being in Safe Mode (no) or Windows Installer not being properly installed. I do not recall having this problem before. I have 3 versions in there: 1.4, 5-9 and 6, but not 6u2.

I will begin to download the new Java to the desktop so it's ready and waiting, and do the Panda scan as requested. Might take a bit. (dial-up :sick:)

Have to find a way to get this old Java out...

eedmonds
2007-09-20, 08:08
I do see Windows Installer in Add/Remove Programs; it is there, but I do not see any memory listed next to it.

Windows Installer 3.1

eedmonds
2007-09-20, 12:31
OK, here's where we're at:

Hijackthis, done
ATF, done

Java - will not allow me to remove old files from Add/Remove and blames Windows Installer. Will not allow me to begin to download update 6u2 and again blames Windows Installer.

Panda - found a bug, YAY! Um, didn't I just remove that file with HJT? lol. As tempting as it was, I did not "disinfect".
Incident Status Location
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070919-225432-140-PowerReg Scheduler.exe
Thanks :)

little eagle
2007-09-20, 15:27
You can re-download it here. (http://www.microsoft.com/downloads/details.aspx?FamilyID=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en)

eedmonds
2007-09-21, 06:07
Downloaded, removed, installed Windows Installer. Done, no problem. :) ty

Removed all Javas from Add/Remove.

Then I tried to download Java 6u2 from your link, kept getting error messages on different msi25.tmp files while trying to download. Finally gave that up, went to the main "how'd I get infected" sticky post, used that link, did the offline install. Looks done; I see 6u2 in Add/Remove.

little eagle
2007-09-21, 06:29
Reset your restore points, then I think we are done. Please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

eedmonds
2007-09-21, 07:18
System restore points done

Should Java be trying to access things when I'm only on this page? ZoneAlarm wants approval for jusched.exe just now.

If I may just ask,
I can't find a way to uninstall MSN Messenger, do you know how? I need to update it.

eedmonds
2007-09-21, 07:38
jusched - Java update scheduler? lol
Maybe I'm paranoid now...
OK, I'm going to just start trying to update and replace things: firewall, antivirus, and I found Spybot 1.5.

Will check back here later to see if you want a log.

eedmonds
2007-09-21, 11:47
When I search files and folders, the things that came up on the Panda scan are showing up. Thought I'd let you know. Trying to update is slowww going here.

??

little eagle
2007-09-21, 14:47
You can remove the backups in HijackThis.

When you start it, click View a list of backups, then place a check mark in the box and delete it.

eedmonds
2007-09-21, 23:46
OK, well, thank you. Couldn't have done it without you.
I had wanted to do another Panda scan but it won't work when I click Scan Now. I think it must be the Sunbelt firewall, but even disabling it doesn't work. Little frustrated about that, but I guess if you say I'm clean, I'm clean.

eedmonds
2007-09-22, 02:37
Hi,

My thread
http://forums.spybot.info/showthread.php?t=17970

I really appreciate little eagle's help, no doubt; I would have had no hope without him/her. But I'm feeling left hanging. I do see and realize I had something fairly easy to fix compared to others. But I got no communication going here.

Like, one question I have is I'm having a problem with shutting down my computer; it takes forever. I'm not sure whether that had anything to do with anything, and it started exactly after I did a system restore (mistaken, at the time I didn't need it) about 2 months ago. But it makes me wonder if my restore points weren't infected then.

As well, is there anything off the top of your head that would help me do the Panda scan again? It started not working after I installed Sunbelt (because I couldn't get ZoneAlarm's huge update downloaded), info in the post.

I don't expect to be coddled or for anyone to help me work out non-malware issues. I know you're busy here. But it would be nice to be treated like a human being and at least be told for sure I am clear of the issue I was working on. :red:

little eagle
2007-09-22, 04:57
Let's try this one: go HERE (http://support.f-secure.com/enu/home/ols.shtml) and do an online scan.
Let me know what is found.

Should not find anything :rolleyes:

eedmonds
2007-09-22, 07:50
*spins* 22 MB!
Gonna be awhile, get back to you tomorrow with it.
And ty.

eedmonds
2007-09-22, 08:01
Regarding my post above that got merged: if you can easily answer either of those questions, great. If you think they have nothing to do with malware, that's fine too.

little eagle
2007-09-22, 18:01
Regarding my post above that got merged: if you can easily answer either of those questions, great.

Sorry, I'm a little lost ;) with the threads that got merged, please let me know what questions you have.

eedmonds
2007-09-22, 23:05
2 months ago I did a system restore for no good reason; exactly after that and ever since, when I go to shut down my computer it takes forever. It's still happening. Could this have had something to do with malware and my restore points?

Why won't the Panda scan work on either of my computers after I installed Sunbelt Personal Firewall? I tried changing various settings and even disabling it, still won't work.

eedmonds
2007-09-23, 01:06
It keeps stopping, saying that necessary files won't download.

little eagle
2007-09-23, 03:41
Malware might have changed some settings and files.

Click \start\run\ then type in or copy and paste in

sfc /scannow not the space between c and /


You must be logged on as a member of the Administrators group to run sfc.

If sfc discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file.

Try this link if you have any trouble.

http://www.updatexp.com/scannow-sfc.html

eedmonds
2007-09-23, 06:07
"windows can not find sfc \ scannow
(no space), please make sure you typed the name correctly"

Tried it a few times

eedmonds
2007-09-23, 06:10
oops sorry, going to link now

little eagle
2007-09-23, 06:13
Like this not sfc /scannow not sfc \ scannow

Put the space between sfc and /, and you must use / not "\".
There is no space between / and scannow.

copy and paste it in if necessary

sfc /scannow

eedmonds
2007-09-23, 06:34
oh man....

It's not the DLL cache thing.

I'm familiar with the I386 file name because when I first found out I was infected with xrun.exe I did a search for it on the net. I looked for any file names related to xrun.exe. One listed somewhere was mstha.

I then searched files and folders; I found mstha files and one is related to I386. I did not move this to the recycle bin because I was not sure which, if any, mstha files were bad.

OK. I see 5 mstha files in my computer now; one is MSTHA in C:\windows\I386. I have no idea if these are normal files or not.

I also did searches for xpre.exe but am not sure if I found it; seems to me if I did I would have removed it to the recycle bin as I did xrun.exe and yazzlesnet. I don't find xpre.exe now.

I do not have the XP disk; this computer was given to me, but it may be possible for me to get it.

Here is where I found some info before I spoke to you, but I did not do anything with it, maybe it will help? http://forums.spywareinfo.com/lofiversion/index.php/t103102.html
:spider:

eedmonds
2007-09-23, 06:38
OK lol, I did copy-paste it the first time. It's working now.

eedmonds
2007-09-23, 06:42
I typed it back to you wrong last time.

But you gave me wrong directions ;)

"sfc /scannow not the space between c and /"

You mean "*note* the space between c and /"

No problem, I'm with you now.

eedmonds
2007-09-23, 07:08
Done, try the scan again?

little eagle
2007-09-23, 17:07
"sfc /scannow not the space between c and /"

You mean "*note* the space between c and /"
OK I got my "e" key working :crowned:

Also, it seems that you are not the only one having trouble with the scanner; the download seems to be messed up. :sad:

Download and save Blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found, if any, so don't worry if it tells you that there were no files found.
In case hidden files were found, don't choose to rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.

eedmonds
2007-09-23, 22:48
Sorry, you're going to have to look at that page and directions. Your directions don't match the page. I do not like that disclaimer.

I tried Panda again and it's like nothing happens when I click on Scan Now. I do see my firewall icon showing a block. I can not get it to go even by disabling the firewall. Same exact thing happened on my other computer too. Allllll started after I installed Sunbelt. :banghead:

little eagle
2007-09-24, 04:04
Have never used that firewall. Have you thought about removing it?

Click Start > Control Panel > User Accounts > Change the way users log on or off > uncheck Fast User Switching > restart your computer.

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Save your Log File
Copy/paste the contents of that logfile into your next reply.

Do NOT touch the PC at ALL for whatever reason(s) until it has 100% completed its scan, or attempted scan in case of some error etc.!

That way you should have a much simpler and clearer log file to pursue and evaluate.

eedmonds
2007-09-24, 04:50
Yes, I am thinking of removing it. What perplexes me is why disabling it would not work. It is a firewall recommended here. Getting ZoneAlarm is a problem because of the size.

I have a new problem. Started last night. I try to connect to the net, nothing will load; it, like, locks up the internet flow. I try over and over, nothing will load. I finally realized tonight rebooting might work since my internet worked OK this morning. Rebooted, and now I'm back online first try, no problem. We did the sfc /scannow last night.

I will begin to follow your instructions.

eedmonds
2007-09-24, 05:19
Had the same problem with loading pages after I rebooted, after changing the user profile.

Rebooted again; Windows Firewall (which had not been "on") gave me a message saying it had blocked Sunbelt and gave me this info below the line. I chose to "block". I disabled Sunbelt and turned on Windows Firewall for the moment now to do the rootkit scan. Looked like Sunbelt was trying to connect to the net as soon as the computer loaded up? I will get rid of Sunbelt no problem, but then I need a firewall. Will try to download ZoneAlarm tonight while I sleep.

Strangely, the last two times I rebooted it went smoothly like it's supposed to instead of the typical taking 5 minutes to shut down.
---------------------------------------------------------
Understanding when to block a program
When Windows Firewall is turned on and a program on your computer attempts to accept connections from the Internet or a network, the firewall blocks the program from doing this and displays a message giving you the option to unblock the program.

For example, suppose you've set up your computer to play a game with other players over the Internet. Because the firewall prevents the game from accepting connections from the Internet, the game will not be able to receive the information from other players that it needs to work correctly. A message will appear, asking what actions you'd like to take.

When you get this message, choose:

Keep Blocking to prevent the program from ever accepting connections without your permission.
Unblock only if you know why the program is asking to accept connections to your computer, or if you know that the program is trustworthy. (In the game example above, this is the option you would choose.)
Ask Me Later if you don't know whether to permanently block or unblock the program. This option keeps the program blocked (for greater security), and you will get this message again the next time that you start the program.
If you choose to unblock the program, Windows Firewall creates an exception for that program to allow it to communicate through the firewall. The firewall won't notify you when that program wants to receive connections in the future. When you close the program, the temporary opening in your firewall is also closed.

Notes

These choices apply to every user who logs on to this computer.
For some games (DirectX games), the message might be hidden behind the program. To see the message, minimize or close the program.
These messages can be disabled by using Windows Firewall, netsh.exe, or Group Policy. To disable these messages in Windows Firewall, on the Exceptions tab, clear the Display a notification when Windows Firewall blocks a program check box. However, we recommend that you keep these messages enabled to help monitor the security of your computer.
If Don't allow exceptions is selected on the General tab, you will not receive this message because the firewall will not allow any communications regardless of other settings you might have made.

eedmonds
2007-09-24, 05:44
When I go to save a txt file and I click on the arrow to change to desktop, it says in error:

"Save rootkit revealer output (top in blue)

C:\documents and settings\local service\desktop refers to a location that is not available. It could be on a hard drive on this computer, or a network. Check to make sure the disk is properly inserted, or that you are connected to the internet or to your network, then try again. If it still cannot be located the information may have been moved to another location."

It gives me this error any time I try to press anything after I'm on the save page. I can press OK and move on.

It says it's saved on the desktop but I do not have a txt of it on the desktop as I should have.

4 discrepancies are found. I'll keep trying to get the txt file out of it. Sorry for all the info, hope it helps.

little eagle
2007-09-24, 05:48
Do a search for the file.
RootkitReveal.txt

eedmonds
2007-09-24, 05:49
Looks like it only would save into C:\windows\System32. Um, also it's in Documents and Settings...

HKLM\SECURITY\Policy\Secrets\SAC* 8/26/2004 4:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/26/2004 4:18 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 11/1/2004 1:26 PM 13 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume

eedmonds
2007-09-24, 06:04
"The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format)"

:red:

eedmonds
2007-09-24, 07:28
OK, I read around a bit about that rootkit scan. Everyone's saying those are normal. One person I saw said those readings went away after a worm removal. Don't know but...

I managed a Panda scan and it still came up with a rootkit.
Not sure how I managed to get spyware when I have Spybot and Spyblaster going. I also ran Spybot once today already. Will try to get the spyware out. And get ZoneAlarm.

Sleep well, cya tomorrow.

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Owner\Cookies\owner@azjmp[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\Trend Micro\HijackThis\backups\backup-20070919-225432-140-PowerReg Scheduler.exe

eedmonds
2007-09-24, 07:29
I removed that backup with HijackThis when you told me to.

little eagle
2007-09-24, 15:20
OK, things look fine; don't see anything worth worrying about. You can remove the folder HijackThis is in and the backup will go with it. :bigthumb:

Now I guess you need to install a firewall.

eedmonds
2007-09-24, 20:02
When I try to download ZoneAlarm I get an error saying it can't find the MSI patch.

Do you know what that is or can recommend another free firewall that will work better?

And thanks so much for your help.

eedmonds
2007-09-24, 20:03
Oh yeah, and no problems since I removed Sunbelt. :red:

little eagle
2007-09-25, 07:50
Might try this one: http://www.pctools.com/firewall/

You may need to install Windows Installer 3.1
http://www.microsoft.com/downloads/details.aspx?FamilyID=889482FC-5F56-4A38-B838-DE776FD4138C&displaylang=en

tashi
2007-09-25, 18:14
Apparently eedmonds is now Drewcat, a Freshman at MRU.

little eagle
2007-09-25, 18:20
You going to change his user name here? :crowned:

eedmonds
2007-09-26, 04:17
Im a *her* lol

I used totally different info here because at the time I was rootkit'd, so I don't know if you change it, but it won't match mail-wise and stuff. I used a mail I'll never use again.

If I come back here I will make a proper account under my same name at MRU.

Thanks and I guess you can close this.

little eagle
2007-09-26, 05:02
Im a *her* lol
Thanks and I guess you can close this.

Should have known from all the typing :oops:

See you around. :bigthumb:

eedmonds
2007-09-26, 05:22
Communication is sort of important when you're trying to have someone help you fix your computer.

Might be a small thing such as MSI patch error that causes someone to tell me my windows updates are in need.

I was merely trying to help you help me.