Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 11-25-2007, 08:17 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: Windows XP, Service Pk2


Trojan.Zlob

A week ago my system was infected by the Trojan.Zlob virus. This was first picked up by my anti-virus and anti-spyware software and was brought to my attention as “Trojan/Dloader.32.zlob” and also “Trojan/Generic.zlob”.

Initially I had the more noticeable symptoms of this virus, e.g. the fake anti-virus/spyware pop-ups, the 7.1 Security toolbar at the top of my browser, and the constant changing of my homepage.

Further to this, I disabled my system restore and tried removal via my antivirus & spyware software. I have also used Microsoft’s Malicious Software Removal Tool and the SmitfraudFix programme.

This has helped rectify the more noticeable problems which I have stated; however, I am certain that remnants of this infection still remain.

One of the main problems that I am still experiencing is that my internet connection has slowed significantly, and I have a feeling that this infection may still be running in the background and causing further damage.

I have followed each of the required steps in order to provide you with the below information. However, when running the DSS programme I was not given the extra.txt file for me to attach to this post.

If you require any further information then please let me know. Your assistance in rectifying this problem would be most appreciated.


HijackThis Log


Deckard's System Scanner v20071014.68
Run by user1 on 2007-11-25 14:44:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 88% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as user1.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:25, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Wireless\RF Keyboard\1.0\ZPKBDLED.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Slim Multimedia Keyboard\OSD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user1\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZPLED] C:\Program Files\Wireless\RF Keyboard\1.0\ZPKBDLED.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3DE44C07-DF3B-479D-8043-A6E73BECA92E} (GoalSecureAssessment.GoalControl) - http://www.goalsci.com/OCX2005/Nov20...Assessment.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1190202656593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1190202646453
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O22 - SharedTaskScheduler: haeckel - {8373a2e0-bdd0-42bd-b4ec-ba5451eb6607} - C:\WINDOWS\system32\moywh.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE (file missing)
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

--
End of file - 7846 bytes

-- Files created between 2007-10-25 and 2007-11-25 -----------------------------

2007-11-22 22:34:11 0 d-------- C:\Program Files\Trend Micro
2007-11-22 21:53:15 0 d-------- C:\Program Files\SpywareBlaster
2007-11-22 20:42:53 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-20 18:29:23 0 d-------- C:\Documents and Settings\user1\Contacts
2007-11-20 18:22:12 0 d-------- C:\Program Files\MSN Messenger
2007-11-17 19:49:00 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 19:48:25 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-17 19:48:25 0 d-------- C:\Documents and Settings\user1\Application Data\SUPERAntiSpyware.com
2007-11-17 19:28:33 3328 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-17 19:27:44 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-17 19:27:43 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-17 19:27:41 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-17 19:27:39 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-17 19:27:36 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-11-17 00:40:49 0 d-------- C:\quarantine
2007-11-12 00:26:43 0 d-------- C:\Documents and Settings\user1\Application Data\vlc
2007-11-12 00:23:27 0 d-------- C:\Program Files\VideoLAN
2007-11-11 12:51:15 0 d-------- C:\Documents and Settings\user1\Application Data\SopCast
2007-11-11 12:50:51 0 d-------- C:\Program Files\SopCast
2007-11-01 22:05:12 0 d-------- C:\Documents and Settings\user1\Application Data\Help
2007-11-01 22:02:47 0 d-------- C:\Program Files\MasterSplitter
2007-10-30 18:23:15 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-10-29 22:18:58 0 d-------- C:\WINDOWS\Sun
2007-10-29 22:18:58 0 d-------- C:\Documents and Settings\user1\Application Data\Sun
2007-10-29 22:08:53 0 d-------- C:\Program Files\Java
2007-10-29 22:06:20 0 d-------- C:\Program Files\Common Files\Java


-- Find3M Report ---------------------------------------------------------------

2007-11-25 14:08:10 0 d-------- C:\Documents and Settings\user1\Application Data\Spyware Terminator
2007-11-25 14:08:06 0 d-------- C:\Program Files\Spyware Terminator
2007-11-25 13:14:12 0 d-------- C:\Program Files\Crawler
2007-11-22 21:21:17 0 d-------- C:\Program Files\Slim Multimedia Keyboard
2007-11-22 21:20:48 0 d-------- C:\Program Files\QuickTime
2007-11-19 17:21:49 0 d-------- C:\Program Files\Common Files
2007-11-17 00:40:44 0 --a-s---- C:\WINDOWS\system32\moywh.dll
2007-11-07 20:10:28 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-29 22:18:38 1277 --a------ C:\WINDOWS\mozver.dat
2007-10-15 20:01:44 0 d-------- C:\Documents and Settings\user1\Application Data\Comodo
2007-10-15 19:58:19 0 d-------- C:\Program Files\Comodo
2007-10-10 19:08:01 0 d-------- C:\Documents and Settings\user1\Application Data\Real
2007-10-10 19:04:50 0 d-------- C:\Program Files\Common Files\xing shared
2007-10-10 19:04:42 0 d-------- C:\Program Files\Real
2007-10-10 19:04:10 0 d-------- C:\Program Files\Common Files\Real
2007-10-09 06:09:19 0 d-------- C:\Documents and Settings\user1\Application Data\WinRAR
2007-10-04 17:58:05 0 d-------- C:\Documents and Settings\user1\Application Data\SecondLife
2007-10-04 17:50:31 0 d-------- C:\Documents and Settings\user1\Application Data\Mozilla
2007-10-02 16:17:21 0 d-------- C:\Documents and Settings\user1\Application Data\Talkback
2007-10-02 16:16:58 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-27 21:01:05 0 d-------- C:\Program Files\blueyonder IST
2007-09-27 18:37:35 0 d-------- C:\Program Files\Motive
2007-09-27 18:37:08 0 d-------- C:\Program Files\Common Files\Motive


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [19/10/2005 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [19/10/2005 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [27/04/2007 08:41]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 19:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06/08/2004 02:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/2003 08:48]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 02:06]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [09/12/2005 19:29]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [27/09/2007 19:18]
"ZPLED"="C:\Program Files\Wireless\RF Keyboard\1.0\ZPKBDLED.exe" [21/02/2006 06:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/10/2007 19:03]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [15/10/2007 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 23:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
blueyonder Instant Support Tool.lnk - C:\Program Files\blueyonder IST\bin\matcli.exe [27/09/2007 18:37:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 00:01:04]
Slim Multimedia Keyboard.lnk - C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe [24/09/2002 01:42:15]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}"= C:\WINDOWS\system32\moywh.dll [17/11/2007 00:40 0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-11-25 14:45:08
------------
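The log above carries the entries an analyst would triage first: the O22 SharedTaskScheduler entry loading C:\WINDOWS\system32\moywh.dll (the SmitFraudFix report later in the thread maps the same CLSID's InProcServer32 to that DLL), the O9 'Tools' item pointing at a web redirect, the unnamed URLSearchHook, the crawler.com search setting, an orphaned BHO and the empty system.ini Shell value. As an added example, not part of the original post and not code from HijackThis, DSS, ComboFix or SmitFraudFix, the script below parses HijackThis-style entry lines and applies a small, illustrative rule set to them. All function and class names are the example's own; the sample input is a selection of lines copied from the log above; the severities are choices made for this illustration, not a signature database.

```python
"""Triage the entry lines of a HijackThis-style log for common persistence points.

Added example for this thread: not part of the original post, and not code from
HijackThis, DSS, ComboFix or SmitFraudFix. The line grammar it understands is
the "Oxx - kind: field - field - field" form visible in the log above, and the
rule set is a small illustration, not a signature database.
"""
import re
from dataclasses import dataclass

# Sample input: a selection of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60049
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.topsoftwarefeed.com/redirect.php (file missing)
O22 - SharedTaskScheduler: haeckel - {8373a2e0-bdd0-42bd-b4ec-ba5451eb6607} - C:\WINDOWS\system32\moywh.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
"""


@dataclass
class Entry:
    section: str      # HijackThis section code, e.g. "O22"
    kind: str         # text before the first ": " (e.g. "SharedTaskScheduler"), "" if none
    fields: list      # the " - "-separated fields that follow
    raw: str


@dataclass
class Finding:
    severity: str     # "high", "medium" or "low"
    section: str
    reason: str


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_line(line: str):
    """Parse one log line; returns None for process lists, headers and blanks."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    kind, sep, rest = body.partition(": ")
    if not sep:                      # R1-style lines carry no "kind:" prefix
        kind, rest = "", body
    fields = [f.strip() for f in rest.split(" - ")]
    return Entry(section, kind, fields, line)


def assess(e: Entry):
    """Apply a few illustrative triage rules to one parsed entry."""
    last = e.fields[-1]
    if e.section == "O22":
        # Explorer loads every SharedTaskScheduler DLL at logon, and few legitimate
        # products register one: this is the persistence point for moywh.dll above.
        return [Finding("high", e.section,
                        f"SharedTaskScheduler DLL {last} loaded by Explorer at logon (CLSID {e.fields[-2]})")]
    if e.section == "O9" and last.lower().startswith("http"):
        # A Tools-menu item should point at a local executable, not a web redirect.
        return [Finding("medium", e.section, f"IE menu item points at a URL: {last}")]
    if e.section == "R3" and e.fields[0] == "(no name)":
        return [Finding("medium", e.section, f"unnamed URLSearchHook {last}")]
    if e.section == "R1" and "= http" in last:
        return [Finding("medium", e.section, f"IE search setting redirected: {last}")]
    if e.section == "O2" and last == "(no file)":
        return [Finding("low", e.section, f"orphaned BHO registration {e.fields[-2]}")]
    if e.section == "F2" and last.endswith("="):
        return [Finding("low", e.section,
                        f"empty system.ini value '{last}'; confirm the Winlogon Shell value is explorer.exe")]
    return []


def triage(log_text: str):
    """Return all findings for a log, most severe first (stable within a level)."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            findings.extend(assess(entry))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}")
```

Run against the sample, the one high finding is the O22 entry; the O4 Run keys and the O23 services produce nothing because the rules only look at the entry shapes, not at vendor reputation, which is exactly why a log reader still has to check each remaining path by hand.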

Old 11-28-2007, 10:39 AM   #2 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: Windows XP, Service Pk2


Re: Trojan.Zlob

BUMP

I would be grateful for any assistance in removing this infection.

Thank you.
Old 11-28-2007, 03:21 PM   #3 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Trojan.Zlob

Hi and welcome to TSF.

Sorry for the delay in looking into your log, as we are extremely busy as you may have noticed. If you still require assistance, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

--------------------------------------------------------------

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Warning:
Do not mouse-click ComboFix's window whilst it's running, as that may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.

--------------------------------------------------------------

Since you already have SmitFraudFix... I would like you to do the following:

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Do not run option #2 unless instructed to!!

--------------------------------------------------------------

Generate an Uninstall List
  • Open HijackThis. (should be user1.exe on your desktop)
  • Click on the "Configure" button on the bottom right.
  • Click on the tab "Misc Tools".
  • Click on the Box that says "Open Uninstall Manager".
  • Click on the button "Save list"

Please save a copy and paste the contents with your next reply.

--------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
SmitFraudFix Report
Uninstall List
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 11-28-2007 at 03:23 PM.
Old 11-28-2007, 03:53 PM   #4 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: Windows XP, Service Pk2


Re: Trojan.Zlob

Hi,

Thanks for getting back to me. Please see below information as requested:


Combofix Report

ComboFix 07-11-29.2 - user1 2007-11-28 22:30:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.228 [GMT 0:00]
Running from: C:\Documents and Settings\user1\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-25 02:23 . 2007-11-25 02:23 268 --ah----- C:\sqmdata08.sqm
2007-11-25 02:23 . 2007-11-25 02:23 244 --ah----- C:\sqmnoopt08.sqm
2007-11-23 12:55 . 2007-11-23 12:55 268 --ah----- C:\sqmdata07.sqm
2007-11-23 12:55 . 2007-11-23 12:55 244 --ah----- C:\sqmnoopt07.sqm
2007-11-23 02:01 . 2007-11-23 02:01 268 --ah----- C:\sqmdata06.sqm
2007-11-23 02:01 . 2007-11-23 02:01 244 --ah----- C:\sqmnoopt06.sqm
2007-11-22 22:34 . 2007-11-22 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 22:16 . 2007-11-22 22:16 <DIR> d-------- C:\Deckard
2007-11-22 21:53 . 2007-11-22 21:58 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-22 20:43 . 2007-11-22 20:43 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-22 20:42 . 2007-11-22 21:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-22 17:26 . 2007-11-22 17:26 268 --ah----- C:\sqmdata05.sqm
2007-11-22 17:26 . 2007-11-22 17:26 244 --ah----- C:\sqmnoopt05.sqm
2007-11-21 22:34 . 2007-11-21 22:34 268 --ah----- C:\sqmdata04.sqm
2007-11-21 22:34 . 2007-11-21 22:34 244 --ah----- C:\sqmnoopt04.sqm
2007-11-21 08:04 . 2007-11-21 08:04 268 --ah----- C:\sqmdata03.sqm
2007-11-21 08:04 . 2007-11-21 08:04 244 --ah----- C:\sqmnoopt03.sqm
2007-11-20 22:53 . 2007-11-20 22:53 268 --ah----- C:\sqmdata02.sqm
2007-11-20 22:53 . 2007-11-20 22:53 244 --ah----- C:\sqmnoopt02.sqm
2007-11-20 21:03 . 2007-11-20 21:03 268 --ah----- C:\sqmdata01.sqm
2007-11-20 21:03 . 2007-11-20 21:03 244 --ah----- C:\sqmnoopt01.sqm
2007-11-20 20:51 . 2007-11-20 20:51 268 --ah----- C:\sqmdata00.sqm
2007-11-20 20:51 . 2007-11-20 20:51 244 --ah----- C:\sqmnoopt00.sqm
2007-11-20 18:29 . 2007-11-25 17:37 <DIR> d-------- C:\Documents and Settings\user1\Contacts
2007-11-20 18:22 . 2007-11-22 21:19 <DIR> d-------- C:\Program Files\MSN Messenger
2007-11-17 19:49 . 2007-11-17 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 19:48 . 2007-11-19 17:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-17 19:48 . 2007-11-17 19:48 <DIR> d-------- C:\Documents and Settings\user1\Application Data\SUPERAntiSpyware.com
2007-11-17 19:28 . 2007-11-20 21:47 3,328 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-17 19:27 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-17 19:27 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-17 00:40 . 2007-11-17 00:40 <DIR> d-------- C:\quarantine
2007-11-12 00:26 . 2007-11-12 00:26 <DIR> d-------- C:\Documents and Settings\user1\Application Data\vlc
2007-11-12 00:23 . 2007-11-12 00:23 <DIR> d-------- C:\Program Files\VideoLAN
2007-11-11 12:51 . 2007-11-11 12:52 <DIR> d-------- C:\Documents and Settings\user1\Application Data\SopCast
2007-11-11 12:50 . 2007-11-11 12:51 <DIR> d-------- C:\Program Files\SopCast
2007-11-10 18:02 . 2007-07-09 13:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-01 22:02 . 2007-11-01 22:05 <DIR> d-------- C:\Program Files\MasterSplitter
2007-10-31 23:48 . 2007-11-17 22:55 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-10-31 23:48 . 2007-10-31 23:48 1,409 --a------ C:\WINDOWS\QTFont.for
2007-10-30 18:23 . 2007-11-20 18:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-10-29 22:18 . 2007-10-29 22:18 <DIR> d-------- C:\WINDOWS\Sun
2007-10-29 22:08 . 2007-10-29 22:18 <DIR> d-------- C:\Program Files\Java
2007-10-29 22:06 . 2007-10-29 22:06 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 18:27 --------- d-----w C:\Program Files\Crawler
2007-11-27 17:01 --------- d-----w C:\Documents and Settings\user1\Application Data\Spyware Terminator
2007-11-26 22:23 --------- d-----w C:\Program Files\Spyware Terminator
2007-11-22 21:21 --------- d-----w C:\Program Files\Slim Multimedia Keyboard
2007-11-22 21:20 --------- d-----w C:\Program Files\QuickTime
2007-11-20 18:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-07 20:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-15 20:01 --------- d-----w C:\Documents and Settings\user1\Application Data\Comodo
2007-10-15 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Comodo
2007-10-15 19:58 --------- d-----w C:\Program Files\Comodo
2007-10-10 19:04 --------- d-----w C:\Program Files\Real
2007-10-10 19:04 --------- d-----w C:\Program Files\Common Files\xing shared
2007-10-10 19:04 --------- d-----w C:\Program Files\Common Files\Real
2007-10-10 19:03 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-10 19:03 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-04 17:58 --------- d-----w C:\Documents and Settings\user1\Application Data\SecondLife
2007-10-02 16:17 --------- d-----w C:\Documents and Settings\user1\Application Data\Talkback
2007-09-30 21:51 --------- d-----w C:\Documents and Settings\Guest\Application Data\Spyware Terminator
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 07:59]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 07:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 08:48]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 19:29]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-09-27 19:18]
"ZPLED"="C:\Program Files\Wireless\RF Keyboard\1.0\ZPKBDLED.exe" [2006-02-21 06:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-10 19:03]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-10-15 19:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
blueyonder Instant Support Tool.lnk - C:\Program Files\blueyonder IST\bin\matcli.exe [2007-09-27 18:37:31]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
Slim Multimedia Keyboard.lnk - C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe [2002-09-24 01:42:15]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}"= C:\WINDOWS\system32\moywh.dll [2007-11-17 00:40 0]

R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\BIN\ONRSD.EXE

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 22:34:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 22:35:11
.
--- E O F ---

SmitFraudFix Report

SmitFraudFix v2.253

Scan done at 22:37:01.57, 29/11/2007
Run from C:\Documents and Settings\user1\My Documents\Downloaded Software\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Wireless\RF Keyboard\1.0\ZPKBDLED.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Slim Multimedia Keyboard\OSD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user1


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user1\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}"="haeckel"

[HKEY_CLASSES_ROOT\CLSID\{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}\InProcServer32]
@="C:\WINDOWS\system32\moywh.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}\InProcServer32]
@="C:\WINDOWS\system32\moywh.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 MT Network Connection
DNS Server Search Order: 62.30.0.39
DNS Server Search Order: 195.188.53.175
DNS Server Search Order: 62.31.112.39

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3298EE87-1A43-4FAC-BE95-277912CB44AA}: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9BBC2007-B247-4E1D-A4F3-E0E8863FDEED}: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3298EE87-1A43-4FAC-BE95-277912CB44AA}: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9BBC2007-B247-4E1D-A4F3-E0E8863FDEED}: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3298EE87-1A43-4FAC-BE95-277912CB44AA}: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9BBC2007-B247-4E1D-A4F3-E0E8863FDEED}: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=62.30.0.39 195.188.53.175 62.31.112.39


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Uninstall List

Adobe Flash Player ActiveX
Adobe Reader 8.1.0
Adobe Shockwave Player
Adobe SVG Viewer
blueyonder Instant Support Tool
COMODO Firewall Pro
Compatibility Pack for the 2007 Office system
Crawler Toolbar with Web Security Guard
Dell ResourceCD
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Java Runtime Environment 1.1
Java(TM) 6 Update 3
Lernout & Hauspie TruVoice American English TTS Engine
MasterSplitter Program
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Mozilla Firefox (2.0.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Oracle JInitiator 1.3.1.9
Panda ActiveScan
PowerDVD 5.7
QuickTime
RealPlayer
RF Keyboard 1.0
Rhapsody Player Engine
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Slim Multimedia Keyboard
SopCast 1.1.2
SoundMAX
Spelling Dictionaries Support For Adobe Reader 8
Spyware Terminator
SpywareBlaster v3.5.1
The Mix Collection Screensaver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6c
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
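The Sharedtaskscheduler block in the SmitfraudFix report above is the part of the log worth understanding: a CLSID is registered as a SharedTaskScheduler handler (Explorer loads these at logon) and its InProcServer32 key points at C:\WINDOWS\system32\moywh.dll. As an added example that is not part of the thread, SmitfraudFix or SrchSTS.exe, the Python below parses that report layout, resolves each handler CLSID to its DLL and flags anything outside a baseline; the baseline (browseui.dll as the only handler on a default Windows XP), the benign "Browseui preloader" entry and the orphan entry in the sample are assumptions added for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the layout SrchSTS.exe prints inside a SmitfraudFix
# report. The moywh.dll handler is copied from the report above; the
# "Browseui preloader" entry is a constructed benign handler as found on a
# default Windows XP install, and the all-zero CLSID is a constructed orphan
# (registered as a handler but with no InProcServer32 key at all).
SAMPLE_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}"="haeckel"
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{00000000-0000-0000-0000-000000000000}"="constructed orphan entry"

[HKEY_CLASSES_ROOT\CLSID\{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}\InProcServer32]
@="C:\WINDOWS\system32\moywh.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8373a2e0-bdd0-42bd-b4ec-ba5451eb6607}\InProcServer32]
@="C:\WINDOWS\system32\moywh.dll"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<data>.*)"$')

# Assumption: on a default Windows XP install browseui.dll is the only DLL
# registered as a SharedTaskScheduler handler, so anything else gets a look.
DEFAULT_BASELINE = frozenset({"browseui.dll"})


class Handler(NamedTuple):
    clsid: str
    label: str
    dll: str          # "" when no InProcServer32 key was found
    suspicious: bool


def parse_reg_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Turn [key] / "name"="data" lines into {key_lower: {name: data}}.
    Banner lines (the »»» headers, the Attention notice) match neither
    pattern and are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") or "@"
            # Real .reg exports double every backslash; SmitfraudFix does not.
            sections[current][name] = m.group("data").replace("\\\\", "\\")
    return sections


def resolve_inproc_server(sections: Dict[str, Dict[str, str]], clsid: str) -> str:
    """Look the CLSID up under both places the report dumps it."""
    for hive in ("hkey_classes_root\\clsid",
                 "hkey_local_machine\\software\\classes\\clsid"):
        key = f"{hive}\\{clsid.lower()}\\inprocserver32"
        if key in sections and "@" in sections[key]:
            return sections[key]["@"]
    return ""


def audit_shared_task_scheduler(text: str, baseline=DEFAULT_BASELINE,
                                system_root: str = "C:\\WINDOWS") -> List[Handler]:
    """Resolve every SharedTaskScheduler handler to its DLL and flag those
    whose file name is not in the baseline (an orphan CLSID resolves to ""
    and is flagged as well)."""
    sections = parse_reg_sections(text)
    results: List[Handler] = []
    for key, values in sections.items():
        if not key.endswith("\\explorer\\sharedtaskscheduler"):
            continue
        for clsid, label in values.items():
            dll = resolve_inproc_server(sections, clsid)
            dll = re.sub(r"%systemroot%", lambda _m: system_root, dll, flags=re.I)
            base = dll.rsplit("\\", 1)[-1].lower()
            results.append(Handler(clsid.lower(), label, dll, base not in baseline))
    return results


if __name__ == "__main__":
    for h in audit_shared_task_scheduler(SAMPLE_REPORT):
        flag = "SUSPICIOUS" if h.suspicious else "baseline  "
        print(f"{flag} {h.clsid} {h.label!r} -> {h.dll or '<no InProcServer32>'}")
```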
Old 11-28-2007, 09:42 PM   #5 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Trojan.Zlob

Hi King_Unique,

You did an excellent job at cleaning the infection. Let's do some cleanup work now.

--------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Spyware Terminator <-- This is a rogue-ware program and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

More info on this program: http://www.spywarewarrior.com/rogue_...m#spyterm_note

---------------------------------------------------------------------------------------------

Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show all files in the Hidden files section. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

--------------------------------------------------------------

Go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

--------------------------------------------------------------
  1. Double-click on SmitfraudFix.exe to start the tool.

  2. Select option #3 - Delete Trusted zone by typing 3 and press Enter

  3. Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

    Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

--------------------------------------------------------------

Delete the following Files indicated in RED:

C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe



Delete the following Folders indicated in BLUE

C:\Documents and Settings\user1\My Documents\Downloaded Software\SmitfraudFix

**** If you uninstalled Spyware Terminator, then delete the ones below ****

C:\Documents and Settings\user1\Application Data\Spyware Terminator
C:\Program Files\Spyware Terminator
C:\Documents and Settings\Guest\Application Data\Spyware Terminator
C:\Documents and Settings\All Users\Application Data\Spyware Terminator

--------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------

Please reply back with the results from the Panda Online Scan
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
Old 11-29-2007, 10:17 AM   #6 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: Windows XP, Service Pk2


Re: Trojan.Zlob

Thanks Forhockey, I wasn't sure if I had removed the infection fully.

I have done as you have requested, however I was unable to locate and delete the following files:

C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe


Apart from that everything else has been done and I enclose the Panda Scan report for your information.

Also, now that I have uninstalled Spyware Terminator could you recommend an alternative?

Panda ActiveScan Report

Incident Status Location

Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.com.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.overture.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\user1\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\user1\Cookies\user1@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\user1\Cookies\user1@adrevolver[2].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\user1\Cookies\user1@adviva[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user1\Cookies\user1@atdmt[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\user1\Cookies\user1@bravenet[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user1\Cookies\user1@bs.serving-sys[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user1\Cookies\user1@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user1\Cookies\user1@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\user1\Cookies\user1@go[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user1\Cookies\user1@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user1\Cookies\user1@serving-sys[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\user1\Cookies\user1@tradedoubler[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user1\Desktop\Zlob Removal\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user1\Desktop\Zlob Removal\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user1\Local Settings\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\Cache\7ED6F4AAd01[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\user1\Local Settings\Application Data\Mozilla\Firefox\Profiles\7k0pnie6.default\Cache\7ED6F4AAd01[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Old 11-29-2007, 06:02 PM   #7 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Trojan.Zlob

Hello,

Near the end I'll list some programs that I recommend. Let's do one more online scan to make sure nothing is remaining on your system.


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Old 12-01-2007, 05:32 PM   #8 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: Windows XP, Service Pk2


Re: Trojan.Zlob

Hi.

I have completed the Kaspersky Online Scanner and it has informed me that I have one virus and three infected objects. Could these be part of my original trojan.zlob infection?

As the results of this scan were too large to post below I have uploaded it as an attachment.

Thanks again for your assistance...
Attached Files
File Type: txt Kaspersky Report.txt (335.3 KB, 2 views)
Old 12-01-2007, 08:54 PM   #9 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Trojan.Zlob

Hi King_Unique,

Kaspersky labeled one of the tools we used as a Risktool, so there is nothing to worry about.

A good replacement for Spyware Terminator would be AVG AntiSpyware.

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows Installation Files"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the main Status screen, under Your Computer's Security, click Resident Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Do Not Automatically generate report after every scan"
When you have finished updating, EXIT AVG Anti Spyware.


Well done, your logs are clean! There are just a few more things I would like you to do.


Go to Start > Run - type ComboFix /u

Click OK

----------------------------------------------------------------

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/cont...ticles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
Please respond to this thread one more time so we can mark this thread as resolved.
Old 12-03-2007, 02:55 PM   #10 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 6
OS: Windows XP, Service Pk2


Re: Trojan.Zlob

Hi Forhockey,

Thanks very much for your help, it really is appreciated. I will use the programmes that you have listed to hopefully prevent me getting an infection in the future.

I am now happy to bring this thread to a close and mark this issue as resolved.
Old 12-03-2007, 03:45 PM   #11 (permalink)
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,948
OS: Windows 7 Ultimate


Re: Trojan.Zlob

You're welcome. Safe surfing!!
Copyright 2001 - 2009, Tech Support Forum