PDA

View Full Version : Unable to remove zlob.dnschanger and burstnet.


Limozine
2007-11-12, 03:27
Hi,

I'm so far unable to completely remove zlob.dnschanger and burstnet from my computer. Spybot keeps detecting the zlob but hasn't been able to remove it. Here's what I've done so far:

1) Run Spybot scan and clean numerous times.
2) Run Kaspersky online scan.
3) Run Fixwareout.exe.
4) Run roguefix.
5) Scanned with HJT.

Here's the Kaspersky results log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 2:07:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 456002
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
W:\

Scan Statistics:
Total number of scanned objects: 308464
Number of viruses found: 11
Number of infected objects: 46
Number of suspicious objects: 0
Duration of the scan process: 04:27:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03c1391ea6909ff1012833235d592c7b_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1ef77a34a0c8ee04907ecf721ccfb310_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\217d5af2f6ab10fa7f43d7dedd12240b_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\31360a6a90d89e742e381442a9849887_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\33c4589edb55a92a3377830e934614c3_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3721b63bed2920721a79925d33eb787c_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3af42a2edda8e56dae92efa231e64708_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\47f43e7e919f5a7c0e11c7ca23c530c1_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\55bd4324ca9da027723532b2563bf7de_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\72ffe01f6836f82a8ef02b207dadd0dc_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\768ff03707fa65e9bc15b06224f09c8e_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\786b2446aa8e6e50770f4238cf025494_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\99da4a2deafb913ed3f6daf7367cb7c4_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa49bbc79516dee4db891d057688a29f_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b11ea927d3bb952250a3d6f49bda709c_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bfa7724e407eb4ecc5cc5ec6985aa85a_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c7187936b834aaa04dd1cfebb20c28e8_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\cc759392e6ee85cb6a5ebd0514868751_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e28b11462de1c87f982f0bd6841796d3_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e60c4c861e02c5f53ccecb42fc49f888_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e893450c9f4e55de295b817e4fb20aba_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ed7df0ecd58e9ad3fef1e7c9bd4073f6_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ff597bd9eb46a21c2425f9d1121af867_c1aff602-128f-44e8-97b1-b783ba54b724 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Application Data\SpamBayes\Proxy\hammie.db Object is locked skipped
C:\Documents and Settings\Michael\Application Data\SpamBayes\Proxy\spambayes.messageinfo.db Object is locked skipped
C:\Documents and Settings\Michael\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\Michael\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Bank of America" <noreply@bankofamerica.com>][Date Fri, 28 Sep 2007 12:33:12 -0300]/html Infected: Trojan-Spy.HTML.Bankfraud.tk skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "ASFLEX." <nasser@yahoo.com>][Date Wed, 25 Jul 2007 01:10:32 +0200]/UNNAMED/DC/DC 09.JPG.scr Infected: Trojan-Downloader.Win32.Small.eyf skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "ASFLEX." <nasser@yahoo.com>][Date Wed, 25 Jul 2007 01:10:32 +0200]/UNNAMED/DC Infected: Trojan-Downloader.Win32.Small.eyf skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "ASFLEX." <nasser@yahoo.com>][Date Wed, 25 Jul 2007 01:10:32 +0200]/UNNAMED Infected: Trojan-Downloader.Win32.Small.eyf skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Velma Michael" <lucja.daniell@neuimmo.com>][Date Wed, 8 Aug 2007 10:21:21 -0100]/UNNAMED/game.zip/Game.exe Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Velma Michael" <lucja.daniell@neuimmo.com>][Date Wed, 8 Aug 2007 10:21:21 -0100]/UNNAMED/game.zip Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Velma Michael" <lucja.daniell@neuimmo.com>][Date Wed, 8 Aug 2007 10:21:21 -0100]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Sophia Bowles" <marlena.dautrich@up.net>][Date Mon, 13 Aug 2007 05:29:23 -0100]/UNNAMED/LGame.zip/LGame/lgame.exe Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Sophia Bowles" <marlena.dautrich@up.net>][Date Mon, 13 Aug 2007 05:29:23 -0100]/UNNAMED/LGame.zip Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Sophia Bowles" <marlena.dautrich@up.net>][Date Mon, 13 Aug 2007 05:29:23 -0100]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Willis Seay" <teofilo.davidson@jesper.dk>][Date Mon, 20 Aug 2007 15:35:07 -0100]/UNNAMED/game.zip/game.exe Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Willis Seay" <teofilo.davidson@jesper.dk>][Date Mon, 20 Aug 2007 15:35:07 -0100]/UNNAMED/game.zip Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx/[From "Willis Seay" <teofilo.davidson@jesper.dk>][Date Mon, 20 Aug 2007 15:35:07 -0100]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Identities\{DF56823E-91B0-413F-9D8A-85CEB3BE9F2E}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 13 skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temp\SpamBayesServer1.log Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temp\~DFA579.tmp Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temp\~DFAB50.tmp Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\My Documents\Anytime\morning.ATW Object is locked skipped
C:\Documents and Settings\Michael\My Documents\Bible Reading\mike.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Michael\My Documents\Bible Reading\mike.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Michael\My Documents\Bible Reading\mike.exe UPX: infected - 1 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\privacy_patrol_free.exe/file8 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\privacy_patrol_free.exe Inno: infected - 1 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\RevelationV2.zip/SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\RevelationV2.zip/SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\RevelationV2.zip/SetupRevelationV2.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\RevelationV2.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Michael\My Documents\Downloaded Programs\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\Michael\My Documents\HelpDesk\help.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Michael\My Documents\HelpDesk\help.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Michael\My Documents\HelpDesk\help.exe UPX: infected - 1 skipped
C:\Documents and Settings\Michael\My Documents\USB Backup\Password Recovery\mailpv.exe Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\Documents and Settings\Michael\My Documents\USB Backup\Password Recovery\SetupRevelationV2.exe/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Michael\My Documents\USB Backup\Password Recovery\SetupRevelationV2.exe/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Documents and Settings\Michael\My Documents\USB Backup\Password Recovery\SetupRevelationV2.exe WiseSFX: infected - 2 skipped
C:\Documents and Settings\Michael\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\SnadBoy's Revelation v2\Revelation.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Program Files\SnadBoy's Revelation v2\RevelationHelper.dll Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 skipped
C:\Program Files\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP404\A0046074.exe/data0001 Infected: Trojan.Win32.DNSChanger.qb skipped
C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP404\A0046074.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4DF7BEB3-E3D2-473C-B32D-682F2CA7D884}\RP404\change.log Object is locked skipped
C:\Web Sites\Aartek\mike.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Web Sites\Aartek\mike.exe 7-Zip: infected - 1 skipped
C:\Web Sites\Aartek\mike.exe UPX: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9E6798FF-C8D9-417F-BEE9-0411D207736F}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
W:\Aartek\mike.exe/vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
W:\Aartek\mike.exe 7-Zip: infected - 1 skipped
W:\Aartek\mike.exe UPX: infected - 1 skipped

Scan process completed.
Limozine
2007-11-12, 03:28
HJT Log:

Now the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:13 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\SpamBayes\bin\sb_tray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AnyTime Deluxe\ATW.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Michael\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2006\\Parser.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.5.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194645385031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{148B6D3A-EF7A-400C-AC7D-3CD28DF2AFA9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{21764379-553B-4C5F-B6C7-766CD61C7170}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC6A9FEB-CA85-4A0C-B234-9E49037B211F}: NameServer = 85.255.114.87,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECC5C334-2807-4F50-9335-DE8165945B1D}: NameServer = 85.255.114.87,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{148B6D3A-EF7A-400C-AC7D-3CD28DF2AFA9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

--
End of file - 12394 bytes
Mr_JAk3
2007-11-15, 21:53
Hi Limozine and welcome to the forums :)

You're infected. Sorry for the delay...

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
tashi
2007-11-25, 05:27
This topic has been archived due to inactivity.

As it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.