Thread: Zlob DNA Changer

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Location
    South Australia
    Posts
    8

    Zlob DNA Changer

    Hi folks,

    I have overviewed previous Zlob threads and cannot find a solution to this very persistent pest, so I'll submit my own spin on things.

    OK: I usually run Spybot only every few weeks, because I usually do not have any real problems.

    Maybe 8-10 weeks ago I ran Spybot and it came up with a couple of minor things, plus two registry entries for something new, i.e. Zlob.

    These were (and remain):

    Settings
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Win ...

    And:

    TCP/IPSettings #1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSettings

    These remain present because after I deleted and ran Spybot again a few weeks later, there they were again.

    During the last couple of weeks I have run Spybot several times and always with the same result ... but at least Spybot picks up Zlob, whereas McAfee and Windows Defender do not.

    Anyone who watches a scan run must be seriously mentally challenged - because it is like watching grass grow - but I took the trouble to watch past the point at which Spybot first picks Zlob (late in the scan) and several instances appear, e.g. including video instances. (At least it seems that I have only two instances, so I suppose I am lucky.)

    People who do not have Spybot would not have a clue that they are infected. Someone "out there" is being very deviously clever!

    Anyhow I've done everything I could safely think of doing to remove this pest (I am not confident to alter the registry) so here is my log from Kaspersky and over to you good folks at Spybot:

    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, August 29, 2007 4:04:50 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 28/08/2007
    Kaspersky Anti-Virus database records: 393925


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    A:\
    C:\
    D:\

    Scan Statistics
    Total number of scanned objects 108058
    Number of viruses found 2
    Number of infected objects 8
    Number of suspicious objects 0
    Duration of the scan process 05:17:29

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

    C:\Downloads\3DUltraMiniGolf_SE-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

    C:\Downloads\ee2_update_en_100-110_120-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

    C:\Downloads\ToygolfSetup-dm[1].exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped

    C:\RECYCLER\S-1-5-21-299502267-507921405-1801674531-1003\Dc1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

    Scan process completed.
    Last edited by tashi; 2007-08-29 at 05:10. Reason: Moved from Spybot-S&D forum

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,963

    Hello.

    Could you please post the HJT log also, so that one of our helpers can take a look when available.

    Previous topic: http://forums.spybot.info/showthread.php?t=17303

    Thanks.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member

    Thanks Tashi, here is my HJT scan result:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:32:49 PM, on 29/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\McAfee\MSK\MskAgent.exe
    C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    C:\Program Files\TuneUp Utilities 2004\MemOptimizer.exe
    C:\Program Files\Utech Computer Solutions\World Time 2006\WorldTime.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\System & Internet Washer\cseraser.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\SiteAdvisor\6066\SAService.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\System & Internet Washer\pkext.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - (no file)
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: System & Internet Washer.lnk = C:\Program Files\System & Internet Washer\cseraser.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: System & Internet Washer - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\System & Internet Washer\cseraser.exe (HKCU)
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Stone%20of%20Destiny/Images/stg_drm.ocx
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186913693265
    O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames...o.cab55579.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775F} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlabsli.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Stone%20of%20Destiny/Images/armhelper.ocx
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A17958E-26BE-4BD0-9B57-2B3143E85BDE}: NameServer = 85.255.115.69 85.255.112.128
    O23 - Service: McAfee Application Installer Cleanup (0054601188220489) (0054601188220489mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\005460~1.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield_OLD\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 7939 bytes

  4. #4
    Junior Member

    Log file

    Is it possible for me to obtain a log file from Spybot?

    It might be useful if I can.
    "The unexamined life is not worth living." Socrates

  5. #5
    Junior Member

    Answered my own question.

    I have been searching around the Spybot site and found a way by which to submit results of a scan ... which I have just done.

    I am astounded by the number of infections I have ... it never used to be like this:

    InternetWasher: Uninstall settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System & Internet Washer Pro_is1

    Zlob.DNSChanger: TCP/IP Settings #1 (Undefined) (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8A17958E-26BE-4BD0-9B57-2B3143E85BDE}\NameServer=208.67.220.220,208.67.222.222

    Zlob.DNSChanger: Settings (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\kdid

    Advertising.com: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    Statcounter: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    Zedo: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    Excite: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    WebTrends live: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    MediaPlex: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    Tradedoubler: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    Excite: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)


    DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2006-02-12 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2007-05-23 advcheck.dll (1.5.3.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2007-07-31 Tools.dll (2.1.2.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2007-08-29 Includes\Cookies.sbi (*)
    2007-07-25 Includes\Dialer.sbi (*)
    2007-08-29 Includes\DialerC.sbi (*)
    2007-08-29 Includes\Hijackers.sbi (*)
    2007-08-29 Includes\HijackersC.sbi (*)
    2007-07-25 Includes\Keyloggers.sbi (*)
    2007-08-29 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-08-29 Includes\Malware.sbi (*)
    2007-08-29 Includes\MalwareC.sbi (*)
    2007-08-29 Includes\PUPS.sbi (*)
    2007-08-29 Includes\PUPSC.sbi (*)
    2007-08-29 Includes\Revision.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-08-29 Includes\SecurityC.sbi (*)
    2007-08-01 Includes\Spybots.sbi (*)
    2007-08-29 Includes\SpybotsC.sbi (*)
    2007-08-21 Includes\Tracks.uti
    2007-08-29 Includes\Trojans.sbi (*)
    2007-08-29 Includes\TrojansC.sbi (*)
    2007-06-06 Plugins\TCPIPAddress.dll

  6. #6
    Junior Member

    Ps

    Since submitting the log, I have tried to delete entries.

    I will scan again and see what did not get deleted.

  7. #7
    Member of Team Spybot tashi's Avatar

    Hello.

    It appears you missed our forum sticky topic:
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)

    I responded to your post in the Spybot-S&D forum: http://forums.spybot.info/showthread.php?p=115586

    Someone will assist you here as soon as available.

  8. #8
    Member of Team Spybot tashi's Avatar

    We do have this sticky topic:
    The Waiting Room: Post here if waiting for help longer than four days

    However if members waiting for assistance do not post there, their topic is archived after seven days.

    If you need the thread re-opened, please send me a private message (pm) and provide a link.
