
Infected With Trojan Zlob-x.a


  • This topic is locked
14 replies to this topic

#1 Vikeologist

Vikeologist

  • Members
  • 8 posts

Posted 16 November 2007 - 07:34 PM

Every time I open Internet Explorer I get a pop-up saying "Security Alert. You are infected with the latest Trojan Zlob-x.a".

I have tried all of the instructions in other posts for this problem, but none of them have worked. Thanks! Here is my log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:17 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AlienAutopsy\Test_BS.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\DIGStream\digstream.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startribune.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.alienware.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: LBLBQBQBBB7B7BBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBB
O1 - Hosts: BBBBBBBBBBBBBBBBBBBBBBBBBBB
O1 - Hosts: `M`M 
O1 - Hosts: 
O1 - Hosts: (J0(J00000000000000000000000000000 00000000000000000000000000000
O1 - Hosts: 000000000000000000000W0W00000
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AlienAutopsy] "C:\Program Files\AlienAutopsy\Test_BS.exe" -h
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [u34k3pR] exphlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.0\YTPro.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [f0vqRfd4j] eudfmsp.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.1.0.39/aces...s-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet-5.9.4.22/slot...a-ob-assets.cab
O16 - DPF: All-Star Football Challenge by pogo - http://allstarfb2.pogo.com/applet-5.9.4.22...2-ob-assets.cab
O16 - DPF: Animal Ark by pogo - http://play03.pogo.com/applet-5.9.3.29/ani...l-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.1.1.21/back...n-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-8.0.6.49/blac...kjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.8.0.32/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.9.1.32/bowl...wling-en_US.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.1.0.39/vid...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.9.3.29/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.1.2.25/chec...s-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.8.0.32/ches...hess2-en_US.cab
O16 - DPF: ConferenceRoom Java Client - http://216.152.65.174:8000/java/cr.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.9.1.38/crib...bbage-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-6.7.3.30/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.4...g-ob-assets.cab
O16 - DPF: DigiChat Applet - http://host2.digichat.com/DigiChat/DigiCla...ignedClient.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.7.2.33/domi...omino-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.9.1.32/firs...lass2-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.5.28/supe...bingo-en_US.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.9.4.22/...k-ob-assets.cab
O16 - DPF: Hangman Hijinks by pogo - http://game1.pogo.com/applet-6.9.2.22/hang...ngman-en_US.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.5.1.31/harv...rvest-en_US.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.4.22/hea...s-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/pool...l-ob-assets.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-6.9.1.38/fancy/fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.5.1.31/jigs...igsaw-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.9.0.61/gin2/gin2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.9.1.38/keno/keno-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.9.0.61/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.1.0.39/mlsl...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.1.1.21/paig...w-ob-assets.cab
O16 - DPF: Pebble Beach 3 Hole Challenge by pogo - http://game1.pogo.com/applet-6.6.3.34/thre...ehole-en_US.cab
O16 - DPF: Pebble Beach Golf by pogo - http://game1.pogo.com/applet-6.6.3.34/pebb...ebble-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.8.0.25/peng...guins-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.9.2.22/wate...wheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.4.22/fl...r-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.1.4.22/popf...u-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.9.1.32/popp...zoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.2.32/popp...ppit2-en_US.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.3.29/pop...t-ob-assets.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.8.0.25/hots...treak-en_US.cab
O16 - DPF: Quick Shot by pogo - http://game4.pogo.com/applet-6.0.4.37/quic...t-ob-assets.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.9.2.33/squa...uares-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.4.4.34/ride...e-ob-assets.cab
O16 - DPF: Sawgrass Golf by pogo - http://game1.pogo.com/applet-6.6.3.34/sawg...grass-en_US.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.2.51/spad...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.9.1.32/spid...pider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/sque...s-ob-assets.cab
O16 - DPF: Stax by pogo - http://game1.pogo.com/applet-6.9.2.33/stax/stax-en_US.cab
O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.4.4.34/swee...r-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.0.32/swee...tooth-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.2.51/hold...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.9.1.32/peaks/peaks-en_US.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-6.1.0.39/turb...1-ob-assets.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.9.1.38/turb...rbo22-en_US.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Word Search Daily by pogo - http://game1.pogo.com/applet-8.0.5.30/word...earch-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.9.1.38/word...homp2-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.0.4.37/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.1.3.28/word...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.9.3.29/worl...class-en_US.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://206.14.191.97/SnapfishUploader.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a...876921OneCC.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - https://www.svharbor.com/ereports/downloads...tall_a_stat.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://vikeologist.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.101.28.100/activex/AxisCamControl.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_6_0.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...soft/wtinst.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe

--
End of file - 19137 bytes



#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 17 November 2007 - 01:19 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1, and press Enter.
A text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

I'd also like to know what files are being flagged as infected.
Thanks
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Vikeologist

Vikeologist
  • Topic Starter

  • Members
  • 8 posts

Posted 17 November 2007 - 01:27 PM

SmitFraudFix v2.253

Scan done at 12:26:48.12, Sat 11/17/2007
Run from C:\Documents and Settings\Brian McKeen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\AlienAutopsy\Test_BS.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Brian McKeen


C:\Documents and Settings\Brian McKeen\Application Data


Start Menu


C:\DOCUME~1\BRIANM~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: D-Link DFE-530TX+ PCI Fast Ethernet Adapter (rev.F) - Packet Scheduler Miniport
DNS Server Search Order: 67.50.135.146
DNS Server Search Order: 66.133.150.12

Description: D-Link DFE-530TX+ PCI Fast Ethernet Adapter (rev.F) - Packet Scheduler Miniport
DNS Server Search Order: 67.50.135.146
DNS Server Search Order: 66.133.150.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12


Scanning for wininet.dll infection


End



Then I did option #5, Search and Clean DNS... not sure if that is what you meant by which files are being flagged as infected.


SmitFraudFix v2.253

Scan done at 12:33:12.85, Sat 11/17/2007
Run from C:\Documents and Settings\Brian McKeen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

DNS Before Fix

Description: D-Link DFE-530TX+ PCI Fast Ethernet Adapter (rev.F) - Packet Scheduler Miniport
DNS Server Search Order: 67.50.135.146
DNS Server Search Order: 66.133.150.12

Description: D-Link DFE-530TX+ PCI Fast Ethernet Adapter (rev.F) - Packet Scheduler Miniport
DNS Server Search Order: 67.50.135.146
DNS Server Search Order: 66.133.150.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12

DNS After Fix

Description: D-Link DFE-530TX+ PCI Fast Ethernet Adapter (rev.F) - Packet Scheduler Miniport
DNS Server Search Order: 67.50.135.146
DNS Server Search Order: 66.133.150.12

Description: D-Link DFE-530TX+ PCI Fast Ethernet Adapter (rev.F) - Packet Scheduler Miniport
DNS Server Search Order: 67.50.135.146
DNS Server Search Order: 66.133.150.12

HKLM\SYSTEM\CCS\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{029AD9CD-238C-4A45-B46E-274B261E0BDF}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1165A8C2-E8E9-45D0-B96E-078B25D6D639}: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=67.50.135.146 66.133.150.12

Edited by Vikeologist, 17 November 2007 - 01:36 PM.


#4 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 17 November 2007 - 05:40 PM

You didn't answer my question: What files are being flagged as infected?

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 Vikeologist

Vikeologist
  • Topic Starter

  • Members
  • 8 posts

Posted 17 November 2007 - 09:44 PM

Sorry, I didn't really understand what you meant....

I didn't see anything saying any files were infected... the only thing that came up was the Notepad window with the SmitFraudFix report that I copied and pasted in my previous reply.

Sorry

Maybe there isn't a way to get rid of this... maybe I'll just have to buy a new computer. This sucks.

#6 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 18 November 2007 - 02:54 PM

Hi there, don't give up on me yet.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [u34k3pR] exphlpr.exe
O4 - HKCU\..\Run: [f0vqRfd4j] eudfmsp.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...soft/wtinst.cab


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following file (if present):

C:\WINDOWS\system32\PowerVideo.dll

Navigate to Start | Search | All files and folders.
Expand More advanced options, check 'Search system folders', 'Search hidden files and folders' and 'Search subfolders'.
Paste this into the All or part of the file name box:

exphlpr.exe
eudfmsp.exe

Then click Search.
If you find any examples of these, please remove them.

Reboot into Normal Mode again.

I'd like a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
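The entries Charles picked out above follow a few recognisable patterns in a HijackThis log: Run values with random-looking names that launch a bare executable (no path, so Windows resolves it through the search path), entries whose file is already gone ("(no file)"), and O1 Hosts lines that are not IP/hostname pairs at all, which is what a corrupted or overwritten hosts file looks like. The script below is an added example, not part of this thread or of HijackThis; the sample lines are copied from the log in this thread except for the two constructed hosts lines (localhost and a made-up redirect), and the "random name" and "loopback only" rules are heuristics I chose, not HijackThis logic.

```python
import re

# Constructed sample modelled on the HijackThis v2.0.2 log posted in this thread.
# All lines are copied from that log except the last two O1 lines, which are made up.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: LBLBQBQBBB7B7BBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBB
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [u34k3pR] exphlpr.exe
O4 - HKCU\..\Run: [f0vqRfd4j] eudfmsp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.example.com
"""

# Every HijackThis entry starts with a section code (R0, O4, O16, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<entry>.*)$")
IPV4_RE = re.compile(r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<host>\S+)")
# Heuristic assumption: a hosts entry mapping a name anywhere but loopback/null is a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def parse_line(line):
    """Split one HijackThis line into (section, body); None for headers, paths, blanks."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_run_entry(body):
    """Flag O4 Run values that look auto-generated and launch a path-less executable."""
    m = RUN_RE.match(body)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    parts = cmd.split()
    # Bare executable: not a quoted path and no directory component in the first token.
    bare = bool(parts) and not cmd.startswith('"') and "\\" not in parts[0]
    # Heuristic assumption: a value name mixing digits and lowercase letters (u34k3pR,
    # f0vqRfd4j) is machine-generated; vendor names (POINTER, AVG7_CC) do not match.
    random_name = bool(re.search(r"\d", name)) and bool(re.search(r"[a-z]", name))
    if bare and random_name:
        return f"Run value with random-looking name '{name}' launching bare executable"
    return None


def check_hosts_entry(body):
    """Flag O1 Hosts lines that are garbled or that redirect a hostname off loopback."""
    m = HOSTS_RE.match(body)
    if not m:
        return None
    entry = m.group("entry").strip()
    ip_match = IPV4_RE.match(entry)
    if not ip_match:
        return "hosts entry is not an IP/hostname pair (garbled or binary hosts file)"
    if ip_match.group("ip") not in LOOPBACK:
        return f"hosts file redirects {ip_match.group('host')} to {ip_match.group('ip')}"
    return None


def triage(log_text):
    """Return [(line, reason)] for every entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reason = None
        if body.endswith("(no file)"):
            # Applies to any section (R3, O2, O9, ...): leftover registration, file gone.
            reason = "orphaned entry: referenced file no longer exists"
        elif section == "O4":
            reason = check_run_entry(body)
        elif section == "O1":
            reason = check_hosts_entry(body)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The heuristics only narrow the list; a legitimate vendor entry with an odd name, or a BHO with a real path such as PowerVideo.dll above, still needs a human (or a reputation lookup) to judge.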


#7 Vikeologist

Vikeologist
  • Topic Starter

  • Members
  • 8 posts

Posted 18 November 2007 - 06:44 PM

Hi there... thanks for continuing to help me. Before you replied I saw a post about IE Defender. I remembered seeing that when I searched on google.com. When I searched for something and hit Search, my results were hijacked. I also got an error under the 2nd search result saying "Google Error. You are infected"... something along those lines...

I followed the instructions in this link:

http://www.bleepingcomputer.com/forums/t/114240/how-to-remove-ie-defender-removal-instructions/

After I did that, the pop-up no longer came up, and my search results on Google were no longer hijacked. I want my computer completely cleaned, so I followed your last instructions...

Also, can I hide those files and folders again? I have files on my desktop now that weren't there before; it says they are system files.

Here is my latest log...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:46 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\AlienAutopsy\Test_BS.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Paltalk Messenger\paltalk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startribune.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.alienware.com/
O1 - Hosts: LBLBQBQBBB7B7BBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBB
O1 - Hosts: BBBBBBBBBBBBBBBBBBBBBBBBBBB
O1 - Hosts: `M`M 
O1 - Hosts: 
O1 - Hosts: (J0(J00000000000000000000000000000 00000000000000000000000000000
O1 - Hosts: 000000000000000000000W0W00000
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AlienAutopsy] "C:\Program Files\AlienAutopsy\Test_BS.exe" -h
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Digital Asphyxia\Y!TunnelPro 2.0\YTPro.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PalTalk.lnk = C:\Program Files\Paltalk Messenger\paltalk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.1.0.39/aces...s-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet-5.9.4.22/slot...a-ob-assets.cab
O16 - DPF: All-Star Football Challenge by pogo - http://allstarfb2.pogo.com/applet-5.9.4.22...2-ob-assets.cab
O16 - DPF: Animal Ark by pogo - http://play03.pogo.com/applet-5.9.3.29/ani...l-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.1.1.21/back...n-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-8.0.6.49/blac...kjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.8.0.32/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.9.1.32/bowl...wling-en_US.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.1.0.39/vid...k-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.9.3.29/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.1.2.25/chec...s-ob-assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.8.0.32/ches...hess2-en_US.cab
O16 - DPF: ConferenceRoom Java Client - http://216.152.65.174:8000/java/cr.cab
O16 - DPF: Cribbage by pogo - http://game1.pogo.com/applet-6.9.1.38/crib...bbage-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-6.7.3.30/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.4...g-ob-assets.cab
O16 - DPF: DigiChat Applet - http://host2.digichat.com/DigiChat/DigiCla...ignedClient.cab
O16 - DPF: Dominoes by pogo - http://game1.pogo.com/applet-6.7.2.33/domi...omino-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.9.1.32/firs...lass2-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.5.28/supe...bingo-en_US.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.9.4.22/...k-ob-assets.cab
O16 - DPF: Hangman Hijinks by pogo - http://game1.pogo.com/applet-6.9.2.22/hang...ngman-en_US.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.5.1.31/harv...rvest-en_US.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.4.22/hea...s-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/pool...l-ob-assets.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-6.9.1.38/fancy/fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.5.1.31/jigs...igsaw-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-6.9.0.61/gin2/gin2-en_US.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.9.1.38/keno/keno-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.9.0.61/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.1.0.39/mlsl...s-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.1.1.21/paig...w-ob-assets.cab
O16 - DPF: Pebble Beach 3 Hole Challenge by pogo - http://game1.pogo.com/applet-6.6.3.34/thre...ehole-en_US.cab
O16 - DPF: Pebble Beach Golf by pogo - http://game1.pogo.com/applet-6.6.3.34/pebb...ebble-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.8.0.25/peng...guins-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.9.2.22/wate...wheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.4.22/fl...r-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.1.4.22/popf...u-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.9.1.32/popp...zoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.2.32/popp...ppit2-en_US.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.3.29/pop...t-ob-assets.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.8.0.25/hots...treak-en_US.cab
O16 - DPF: Quick Shot by pogo - http://game4.pogo.com/applet-6.0.4.37/quic...t-ob-assets.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.9.2.33/squa...uares-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.4.4.34/ride...e-ob-assets.cab
O16 - DPF: Sawgrass Golf by pogo - http://game1.pogo.com/applet-6.6.3.34/sawg...grass-en_US.cab
O16 - DPF: Spades by pogo - http://game1.pogo.com/applet-6.2.2.51/spad...s-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.9.1.32/spid...pider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/sque...s-ob-assets.cab
O16 - DPF: Stax by pogo - http://game1.pogo.com/applet-6.9.2.33/stax/stax-en_US.cab
O16 - DPF: Stellar Sweeper by pogo - http://game1.pogo.com/applet-6.4.4.34/swee...r-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.0.32/swee...tooth-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.2.51/hold...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.9.1.32/peaks/peaks-en_US.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-6.1.0.39/turb...1-ob-assets.cab
O16 - DPF: Turbo 21 v2 by pogo - http://game1.pogo.com/applet-6.9.1.38/turb...rbo22-en_US.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Word Search Daily by pogo - http://game1.pogo.com/applet-8.0.5.30/word...earch-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.9.1.38/word...homp2-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.0.4.37/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.1.3.28/word...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.9.3.29/worl...class-en_US.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v45/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://206.14.191.97/SnapfishUploader.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - https://as00.estara.com/UI/proxyhttps.php?a...876921OneCC.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7DD62E58-5FA8-11D2-AFB7-00104B64F126} (Sview Control) - https://www.svharbor.com/ereports/downloads...tall_a_stat.cab
O16 - DPF: {82B56B47-90DC-4F58-9A7D-D27BA46D3C0F} (MyPhotoAlbum Easy Upload Tool Combo Control) - http://vikeologist.myphotoalbum.com/ImageUploader4.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.101.28.100/activex/AxisCamControl.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_6_0.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co....cab?10,0,910,0
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe

--
End of file - 18290 bytes

#8 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 19 November 2007 - 05:37 PM

Navigate to Start | Run and paste the following into the box:

notepad C:\WINDOWS\system32\Drivers\Etc\Hosts

Then click OK.
A Notepad window will open; I'd like to see its contents in your reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 Vikeologist

Vikeologist
  • Topic Starter

  • Members
  • 8 posts

Posted 19 November 2007 - 06:28 PM

127.0.0.1 advertising.paltalk.com
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
LBLBQBQBBB7B7BBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBB
`M`M 

(J0(J00000000000000000000000000000 00000000000000000000000000000
000000000000000000000W0W00000
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
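As an added example (not part of this thread, and not HostsXpert's own code), the Python triage script below does what the helper is checking for by eye: it classifies every line of a Windows hosts file and flags the two things a Qhost-style modification leaves behind, unparsable junk lines like the ones above and hostnames redirected to a real (non-loopback) address. The sample input is constructed from the entries above plus one made-up hijack line using a documentation address.

```python
"""Hosts file triage: separate benign blocklist entries from junk and hijacks.

Added example; not code from the thread. The hostname grammar and the
'blackhole' heuristic (loopback or 0.0.0.0 targets) are this script's own.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# One or more dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen per label (RFC 1123 style).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

# Stock entries every Windows hosts file carries; not interesting either way.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostsReport:
    blackholed: list = field(default_factory=list)  # names pinned to loopback / 0.0.0.0
    hijacked: list = field(default_factory=list)    # (name, ip) sent to a real address
    garbage: list = field(default_factory=list)     # (line_no, raw) lines that are not hosts syntax
    comments: int = 0
    blanks: int = 0


def is_blackhole(ip) -> bool:
    """Ad/malware blocklists (Spybot, HostsXpert, MVPS) point names at
    127.0.0.0/8, ::1 or 0.0.0.0; anything else is a genuine redirect."""
    return ip.is_loopback or ip.is_unspecified


def classify_line(raw: str):
    """Return (kind, payload) with kind in comment / blank / mapping / garbage."""
    line = raw.strip()
    if not line:
        return "blank", None
    if line.startswith("#"):
        return "comment", line
    # A hosts file is plain text: control bytes or binary residue mean the
    # file was overwritten by something that was not a text editor.
    if not line.isprintable():
        return "garbage", raw
    parts = line.split("#", 1)[0].split()  # drop trailing comment, tokenize
    if len(parts) < 2:
        return "garbage", raw
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return "garbage", raw
    names = parts[1:]
    if not all(HOSTNAME_RE.match(n) for n in names):
        return "garbage", raw
    return "mapping", (ip, names)


def analyse_hosts(text: str) -> HostsReport:
    report = HostsReport()
    for no, raw in enumerate(text.splitlines(), 1):
        kind, payload = classify_line(raw)
        if kind == "comment":
            report.comments += 1
        elif kind == "blank":
            report.blanks += 1
        elif kind == "garbage":
            report.garbage.append((no, raw))
        else:
            ip, names = payload
            for name in names:
                if name.lower() in STOCK_NAMES:
                    continue
                if is_blackhole(ip):
                    report.blackholed.append(name)
                else:
                    report.hijacked.append((name, str(ip)))
    return report


# Constructed sample: the blocklist entries and junk lines from the thread,
# plus one made-up hijack entry (192.0.2.10 is a documentation address).
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "127.0.0.1 advertising.paltalk.com\n"
    "127.0.0.1 www.igetnet.com\n"
    "127.0.0.1 sds.clrsch.com\n"
    "LBLBQBQBBB7B7BBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBB\n"
    "`M`M \n"
    "\n"
    "(J0(J000000\x00\x00000000 0000000000W0W00000\n"
    "192.0.2.10 www.example.com\n"
    "# Start of entries inserted by Spybot - Search & Destroy\n"
    "# End of entries inserted by Spybot - Search & Destroy\n"
)

if __name__ == "__main__":
    r = analyse_hosts(SAMPLE_HOSTS)
    print(f"{len(r.blackholed)} blackholed, {len(r.hijacked)} hijacked, "
          f"{len(r.garbage)} garbage lines")
    for no, raw in r.garbage:
        print(f"  line {no}: {raw!r}")
    for name, ip in r.hijacked:
        print(f"  HIJACK: {name} -> {ip}")
```

A clean result is zero garbage lines and zero hijacks; loopback entries are the usual blocklist material and can stay or be reset with a stock hosts file as the next post describes.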

#10 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 20 November 2007 - 04:18 PM

Hello there,
Scan again with HijackThis and put a checkmark next to the following entry (if present):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Please download HostsXpert from here
Unzip HostsXpert.zip
Open HostsXpert.exe
Then click on "Restore Microsoft's Host File", followed by OK at the prompt.
Close the program when complete.

Reboot your computer: IMPORTANT.

Next, run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

In your reply I would like to see the Panda log.
Thanks,
Charles



#11 Vikeologist

Vikeologist
  • Topic Starter

  • Members
  • 8 posts

Posted 20 November 2007 - 07:45 PM

Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@247realmedia[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@advertising[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@atdmt[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@bluestreak[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@go[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@go[3].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@landing.domainsponsor[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@linksynergy[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@searchportal.information[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@statcounter[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@www.myaffiliateprogram[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@xiti[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Brian McKeen\Cookies\brian_mckeen@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brian McKeen\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Brian McKeen\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Brian McKeen\Desktop\SmitfraudFix\restart.exe
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{023019D7-4AEE-48C0-866A-6714732BB055}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{07863349-6055-4553-B6AA-7B207EB0AA1D}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1826797C-4AE8-442D-AB12-BD7F2CF7E25F}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{239F495D-D0C9-4581-A35F-8085C59AE307}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{267BFBB6-AE1E-48FB-A090-91D81B764668}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{27339923-DC38-48C3-B800-9A7A5E747440}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{49B95BB2-4094-4169-92A3-1D38544B963C}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{58730024-444A-4B47-B1EC-947C06B8AA4A}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{6E1E1F95-CBCF-47DF-AACD-F096330AEB6B}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{705CBE0E-8A59-49C2-851B-412F6F099635}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{78A121FB-6349-4B71-AA66-095879D98926}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{83FA39A4-5916-42CA-BB30-12C1A08EAA9D}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8714C2C5-A727-420E-8779-3C127700DEC4}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{8C60C525-D6D3-4B8E-BCC3-18D7AF24DFE0}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A8EBE6CB-6B36-4436-B1CC-2683AF765CDF}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AAE82176-3EDD-4D19-8F8A-7635CDA3C7CB}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{C65856E8-D4AE-499D-A376-6F398CFCFD76}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{D6BBD2C1-9B44-4955-A79E-979EF86F4C97}
Virus:Trj/Qhost.Y Disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E895562D-B863-4048-A69F-829FF31D9987}
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Temp\Cookies\brian mckeen@go[2].txt
Spyware:Cookie/web-stat Not disinfected C:\Documents and Settings\Brian McKeen\Local Settings\Temp\Cookies\brian mckeen@www.web-stat[2].txt
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe[setup_td.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe[SaveInstCm.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe[apropos_client_loader.exe]
Adware:Adware/IEDriver Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe[setup_td.exe]
Adware:Adware/SaveNow Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe[SaveInstCm.exe]
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe[apropos_client_loader.exe]
Spyware:Spyware/MyNetProtector Not disinfected C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
Spyware:Spyware/MyNetProtector Not disinfected C:\Program Files\MNPAntiPopup\mod_upd.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\inf\flashtlk.inf
Virus:Trj/Downloader.L Disinfected C:\WINDOWS\inf\susp.inf
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts.msn
Spyware:Spyware/MyNetProtector Not disinfected C:\WINDOWS\system32\MNPAPUninstall.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

#12 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 22 November 2007 - 02:38 AM

The files below need deleting - use Safe Mode if necessary:

C:\Program Files\MNPAntiPopup
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\inf\flashtlk.inf
C:\WINDOWS\system32\MNPAPUninstall.exe

Then let me know how things are running now.
Thanks,
Charles



#13 Vikeologist

Vikeologist
  • Topic Starter

  • Members
  • 8 posts

Posted 22 November 2007 - 07:16 AM

First off...Happy Thanksgiving to you and your family, and thank you so much for helping me with this problem.

It's a lot better. No more pop-ups and search hijacks. I do have several questions for you, though...


1) Can I hide all those files again that you had me un-hide? Because on my desktop there are system files showing now.

2) Can I delete all the programs that I had to download to fix this problem?

3) What is the best program to use to prevent viruses, spyware, and malware?

4) Was this Trojan Zlob-x.a a serious threat? Was there anything on my computer that you saw that was serious? Any security risks?

Also is my computer completely clean now from what you can see?


Thanks again and I look forward to your reply!

Edited by Vikeologist, 22 November 2007 - 07:19 AM.


#14 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 22 November 2007 - 04:24 PM

First off...Happy Thanksgiving to you and your family, and thank you so much for helping me with this problem.

And to you too! :thumbsup:

1) Can I hide all those files again that you had me un-hide? Because on my desktop there are system files showing now.

Yes, you can. Here are some instructions if you're unsure:
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

2) Can I delete all the programs that I had to download to fix this problem?

Yes, you can.

3) What is the best program to use to prevent viruses, spyware, and malware?

There is no definitive answer to this question; there are hundreds of different programmes out there that remove malware, with different levels of effectiveness. There are, however, a few that I personally use and can therefore recommend to you:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place. This contains some more useful and interesting information about preventing this kind of infection returning in the future.

4) Was this Trojan Zlob-x.a a serious threat? Was there anything on my computer that you saw that was serious? Any security risks?

Trojan Zlob is a very common infection, and as such does not prove to be a great risk to your personal safety. With adequate protection and a prompt removal, this type of malware should cause no long-term problems.

Also is my computer completely clean now from what you can see?

Yes, all of the logs coming back look clean to me. Good job! :blink:
One final thing I suggest you do is to navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.



#15 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 07 December 2007 - 03:07 PM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
