Zlob infection



jsully27
2006-10-29, 00:25
Hello,
I've been dealing with this dreadful Zlob virus for a few days now, not only on this computer but also trying to clean a friend's computer up as well, so any help will be greatly appreciated. I have already tried the suggestions from Trend Micro to remove this, which I thought had worked until I rescanned using BitDefender last night. My main startup page for Internet Explorer is not the hijackthis.exe anymore, just in case you may want to comment on that. I did that so it would go directly to that page only, since it says in the posts here to try and limit internet browsing until the virus problem is fixed (I use a blank page now).

Here are the results of the two scans asked for in your "Before you post" thread.


BitDefender Online Scanner


Scan report generated at: Sat, Oct 28, 2006 - 03:16:18


Scan path: A:\;C:\;D:\;E:\;


Statistics

Time
01:13:08

Files
166002

Folders
4186

Boot Sectors
2

Archives
1146

Packed Files
9131


Results

Identified Viruses
3

Infected Files
26

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
26


Engines Info

Virus Definitions
479279

Engine build
AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)

Scan plugins
13

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1


Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\joshua\Local Settings\Temp\laf42.tmp
Infected with: Trojan.FakeAlert.DJ

C:\Documents and Settings\joshua\Local Settings\Temp\laf42.tmp
Disinfection failed

C:\Documents and Settings\joshua\Local Settings\Temp\laf42.tmp
Deleted

C:\Documents and Settings\joshua\Local Settings\Temp\lafAC.tmp
Detected with: Adware.SafetyAlerter.A

C:\Documents and Settings\joshua\Local Settings\Temp\lafAC.tmp
Disinfection failed

C:\Documents and Settings\joshua\Local Settings\Temp\lafAC.tmp
Deleted

C:\Documents and Settings\joshua\Local Settings\Temp\lafB.tmp
Infected with: Trojan.FakeAlert.DJ

C:\Documents and Settings\joshua\Local Settings\Temp\lafB.tmp
Disinfection failed

C:\Documents and Settings\joshua\Local Settings\Temp\lafB.tmp
Deleted

C:\Program Files\MMediaCodec\isaddon.dll
Infected with: Trojan.Zlob.EN

C:\Program Files\MMediaCodec\isaddon.dll
Disinfection failed

C:\Program Files\MMediaCodec\isaddon.dll
Deleted

C:\Program Files\MMediaCodec\isamini.exe
Infected with: Trojan.Zlob.EN

C:\Program Files\MMediaCodec\isamini.exe
Disinfection failed

C:\Program Files\MMediaCodec\isamini.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000005.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000005.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000005.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000006.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000006.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000006.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP12\A0004118.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP12\A0004118.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP12\A0004118.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP12\A0004119.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP12\A0004119.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP12\A0004119.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP16\A0005117.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP16\A0005117.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP16\A0005117.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP16\A0005118.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP16\A0005118.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP16\A0005118.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP2\A0001509.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP2\A0001509.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP2\A0001509.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP2\A0001510.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP2\A0001510.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP2\A0001510.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP28\A0005229.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP28\A0005229.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP28\A0005229.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP28\A0005230.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP28\A0005230.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP28\A0005230.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP31\A0005248.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP31\A0005248.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP31\A0005248.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP31\A0005249.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP31\A0005249.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP31\A0005249.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP32\A0005255.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP32\A0005255.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP32\A0005255.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP32\A0005256.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP32\A0005256.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP32\A0005256.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0001569.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0001569.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0001569.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0001570.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0001570.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0001570.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0003478.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0003478.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0003478.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0003479.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0003479.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP4\A0003479.exe
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP44\A0005615.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP44\A0005615.dll
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP44\A0005615.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP44\A0005616.exe
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP44\A0005616.exe
Disinfection failed

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP44\A0005616.exe
Deleted

C:\WINDOWS\system32\gqagksr.dll
Detected with: Adware.SafetyAlerter.A

C:\WINDOWS\system32\gqagksr.dll
Disinfection failed

C:\WINDOWS\system32\gqagksr.dll
Deleted




Logfile of HijackThis v1.99.1
Scan saved at 3:59:32 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.merijn.org/files/HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O3 - Toolbar: (no name) - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmessg.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmessg.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://forum.cheatengine.org
O15 - Trusted Zone: http://www.cheatengine.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_components/control/activex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101w.bay101.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144730355707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144730348837
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
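
The report above lists 26 deletions, but most of them are copies that System Restore had snapshotted into the C:\System Volume Information\_restore{...}\RP* folders; the live infection is the handful of files under Program Files, system32 and the user's Temp directory. The Python below is an added example, not part of the thread or of any tool mentioned in it: it parses the two-line path/status layout BitDefender emits and separates restore-point copies from live components, and it lists anything the scanner flagged but did not delete. The embedded report is a constructed subset of the lines above, with the last entry deliberately cut short so that the not-deleted case shows up.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Scanned File / Status" pairs from the
# BitDefender report above, kept in the scanner's own two-line layout.  The
# final entry is truncated on purpose (no "Deleted" line) to exercise the
# still-present case; in the real report that file was deleted too.
SAMPLE_REPORT = r"""
C:\Documents and Settings\joshua\Local Settings\Temp\laf42.tmp
Infected with: Trojan.FakeAlert.DJ

C:\Documents and Settings\joshua\Local Settings\Temp\laf42.tmp
Disinfection failed

C:\Documents and Settings\joshua\Local Settings\Temp\laf42.tmp
Deleted

C:\Program Files\MMediaCodec\isaddon.dll
Infected with: Trojan.Zlob.EN

C:\Program Files\MMediaCodec\isaddon.dll
Disinfection failed

C:\Program Files\MMediaCodec\isaddon.dll
Deleted

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000005.dll
Infected with: Trojan.Zlob.EN

C:\System Volume Information\_restore{8A1CD7EC-8FAB-4B5E-B12D-7E0D833AD491}\RP1\A0000005.dll
Deleted

C:\WINDOWS\system32\gqagksr.dll
Detected with: Adware.SafetyAlerter.A

C:\WINDOWS\system32\gqagksr.dll
Disinfection failed
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECT_RE = re.compile(r"^(?:Infected|Detected) with: (?P<name>\S+)$")


def parse_report(text):
    """Collapse the path/status pairs into one record per path.

    outcome is 'deleted' only if the scanner reported a Deleted status;
    a path that only got 'Disinfection failed' is still on disk.
    """
    findings = {}
    lines = [line.rstrip() for line in text.splitlines()]
    i = 0
    while i + 1 < len(lines):
        path, status = lines[i], lines[i + 1]
        if not PATH_RE.match(path):
            i += 1
            continue
        rec = findings.setdefault(path, {"name": None, "outcome": "present"})
        m = DETECT_RE.match(status)
        if m:
            rec["name"] = m.group("name")
        elif status == "Deleted":
            rec["outcome"] = "deleted"
        i += 2
    return findings


def classify(path):
    """Where a hit lives decides how much it matters for the running system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"   # inert unless that restore point is applied
    if "\\temp\\" in p:
        return "temp dropper"         # installer leftovers
    return "live component"           # loaded from Program Files / system32


def triage(text):
    """Group findings by location class: {class: [(path, name, outcome), ...]}."""
    groups = defaultdict(list)
    for path, rec in parse_report(text).items():
        groups[classify(path)].append((path, rec["name"], rec["outcome"]))
    return dict(groups)


def still_present(text):
    """Paths the scanner flagged but did not manage to delete."""
    return sorted(p for p, r in parse_report(text).items() if r["outcome"] != "deleted")


if __name__ == "__main__":
    for group, hits in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{group} ({len(hits)})")
        for path, name, outcome in hits:
            print(f"  {outcome:8} {name or '?':24} {path}")
    print("still present:", still_present(SAMPLE_REPORT))
```

Run over the full report, the same grouping puts 18 of the 26 hits under restore-point copies and leaves the MMediaCodec pair, gqagksr.dll and the three Temp files as the components that were actually reachable by the system.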

steamwiz
2006-10-29, 01:17
Hi

Your HijackThis log is virtually clean...

Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom:


O3 - Toolbar: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O3 - Toolbar: (no name) - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - (no file)


Then run these 2 programs please:

Download SmitfraudFix.zip from:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop.
2. Unzip the zip file to your desktop (the files will be extracted to a folder called SmitfraudFix).
3. Double-click smitfraudfix.cmd.
4. Select 1 and hit Enter to create a report of the infected files.
5. Find the C:\rapport.txt file and post the contents in your next post here.

THEN...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt

If VundoFix cannot delete a file, it will try to delete it during a reboot. After the reboot VundoFix will open again; you must run VundoFix again, from "Click the Scan for Vundo button", and you must keep running VundoFix until it does delete the file... I've known a stubborn Vundo file take 5 or 6 reboots before it is deleted...

steam

jsully27
2006-10-31, 00:07
Thanks for the reply. I guess I was worried more than I should have been. That Zlob just scared me a bit. Here are the scan reports you asked for. VundoFix didn't find anything, so I will not have a report from it.

SmitFraudFix v2.117

Scan done at 15:54:56.54, Mon 10/30/2006
Run from C:\Documents and Settings\joshua\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\joshua


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\joshua\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\joshua\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\MMediaCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

steamwiz
2006-10-31, 20:37
Hi

1. Reboot into >>>safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
2. Double-click smitfraudfix.cmd
3. Select 2 and hit Enter to delete infected files
4. You will be prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.
6. A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt. Post the contents of the C:\rapport.txt file in your next post here, plus a new HijackThis log.

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

steam

jsully27
2006-11-01, 01:07
Hello again. Here are the scans you asked for.

SmitFraudFix v2.117

Scan done at 13:30:25.79, Tue 10/31/2006
Run from C:\Documents and Settings\joshua\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\MMediaCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




Logfile of HijackThis v1.99.1
Scan saved at 5:04:43 PM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmessg.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmessg.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://forum.cheatengine.org
O15 - Trusted Zone: http://www.cheatengine.org
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20060912/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_components/control/activex/TmHcmsX.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101w.bay101.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144730355707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144730348837
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)

steamwiz
2006-11-01, 21:09
Hi

Just fix this with HijackThis and your logs are clean...

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

One other thing... you have entries in your trusted sites. I strongly advise against having any sites in the Trusted Zone, unless that is the only way they will work and they are totally trustworthy. Putting a site in the Trusted Zone is like giving someone the keys to your home and then going on holiday...

steam
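
The two kinds of item steamwiz has the poster fix across this thread (the O3 toolbar entries and the R3 URLSearchHook, all marked "(no file)") and the O15 Trusted Zone warning are the sort of triage that can be scripted. The Python below is an added example, not part of the thread or of HijackThis itself: it scans HijackThis-format lines for orphaned entries and Trusted Zone additions, and it treats "(file missing)" more cautiously than "(no file)", because HijackThis 1.99.1 reports "(file missing)" for paths it cannot resolve (an unexpanded %windir%, or a path with an unbalanced quote, as in the O9 xpnetdiag and O23 MSMPSVC lines above) even when the file exists. The sample log is a constructed subset of the logs in this thread; the fix/verify/review verdicts are this example's own convention.

```python
import re

# Constructed sample: lines in HijackThis v1.99.1 format copied from the logs
# in this thread, plus an ordinary O2/O4 entry each for contrast.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O3 - Toolbar: (no name) - {44d22a64-2399-4edf-8b32-f2c729c1e8a7} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://forum.cheatengine.org
O15 - Trusted Zone: http://www.cheatengine.org
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
"""

# "O3 - Toolbar: ..." -> section "O3", body "Toolbar: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def triage_line(line):
    """Return (section, verdict, reason) for one log line, or None if not an entry.

    verdicts: 'fix'    -> tick it in HijackThis, it points at nothing
              'verify' -> HijackThis could not resolve the path; check by hand
              'review' -> Trusted Zone entry; remove unless genuinely required
              'keep'   -> nothing to do
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O15":
        return (section, "review",
                "Trusted Zone entry: IE applies relaxed security to this site")
    if body.endswith("(no file)"):
        return (section, "fix", "orphaned entry: the referenced file no longer exists")
    if body.endswith("(file missing)"):
        # An unexpanded environment variable or an unbalanced quote means the
        # path was never checked on disk, so this is not proof the file is gone.
        if "%" in body or body.count('"') % 2 == 1:
            return (section, "verify",
                    "path not resolved by HijackThis (env var or unbalanced quote)")
        return (section, "fix", "orphaned entry: the referenced file no longer exists")
    return (section, "keep", "")


def triage_log(text):
    """All non-'keep' entries as (section, verdict, reason, original line)."""
    results = []
    for line in text.splitlines():
        r = triage_line(line)
        if r and r[1] != "keep":
            results.append((r[0], r[1], r[2], line.strip()))
    return results


def fix_list(text):
    """The lines a helper would tell the user to tick and 'Fix Checked'."""
    return [line for _sec, verdict, _why, line in triage_log(text) if verdict == "fix"]


if __name__ == "__main__":
    for section, verdict, reason, line in triage_log(SAMPLE_HJT_LOG):
        print(f"[{verdict:6}] {line}\n         {reason}")
    print("\nTick these in HijackThis:")
    for line in fix_list(SAMPLE_HJT_LOG):
        print("  " + line)
```

On the sample this yields exactly the three lines steamwiz asked to be fixed (the R3 hook and both O3 toolbars), flags the two O15 entries for review, and holds back the O9 and O23 "(file missing)" lines for a manual check rather than recommending their removal.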

tashi
2006-11-07, 20:46
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help, thank you steam.