winfixer and wupd problems

[edo]

Sorry to be back so soon, but some nasty stuff appeared on my computer again.
I'll get straight to the point with the panda scan and the HJT log.
Panda results:
[Incident Status Location

Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA5PNetInstaller.exe
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\AdTools Service
Adware:adware/transponder Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kathryn D\Cookies\kathryn d@ad.yieldmanager[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\qd1538.tmp[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\qd1538.tmp[52168016]
Spyware:Cookie/FastClick Not disinfected C:\qd1538.tmp[]
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWAS5LP_0001_0811NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5RS_0001_0808NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWAS5LP_0001_0811NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5RS_0001_0808NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWAS5LP_0001_0811NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5RS_0001_0808NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWAS5LP_0001_0811NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5RS_0001_0808NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5RS_0001_0808NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5RS_0001_0808NetInstaller.exe
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5RS_0001_0808NetInstaller.exe
]


And the HJT log:
[Logfile of HijackThis v1.99.1
Scan saved at 3:57:02 AM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kathryn D\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

]
I have seen mainly winfixer and I also saw a mention of surfsidekick in adware but i think that got it out.
I scanned with Ad-aware and Spybot search and destroy and a registry check and also a Webroot spysweeper scan and ran Cleanup! set to clean recycle bin, cooking, prefetch files and cleanup all users so far what do I do next?
Thanks,

Edo

[tetonbob]

Looks like you've done most of the work.

Is SpySweeper a trial version? If so, it will time out eventually (14 days, usually), and you won't be able to use it again unless you buy it beforehand. (which isn't a bad idea...it's really worth the $) Ewido is a great all-purpose anti-malware scanner to add to one's arsenal, and it can be updated indefinitely, free. Let's run a couple more scans, to make sure you got it all.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies

Download IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

Download SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

Download Ewido Security Suite

• Install Ewido Security Suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 /u occache.dll

Delete these files/folders if present:


C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA5PNetInstaller.exe
C:\PROGRAM FILES\AdTools Service
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWAS5LP_0001_0811NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5RS_0001_0808NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWAS5LP_0001_0811NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5RS_0001_0808NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWAS5LP_0001_0811NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5RS_0001_0808NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWAS5LP_0001_0811NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5RS_0001_0808NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5RS_0001_0808NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5RS_0001_0808NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5RS_0001_0808NetInstaller.exe

Go to Start>Run then copy and paste, or type the following, then press Enter:

regsvr32 occache.dll

Restart and run a new HijackThis scan. Save the log file and post it here.

Run this online scan:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

To install Kaspersky's ActiveX controls if there are problems installing them:

In Internet Explorer, go to Tools>Internet Options>Security Tab>Custom Level Button

Under Download Unsigned ActiveX controls, click Prompt.

You should then be able to download Kaspersky's ActiveX controls and AV database in preparation for the scan.

Once the scan is complete, reset the ActiveX setting to Disable.

So, please return with results from:

Ewido
HJT
Kaspersky

[edo]

ewido:
[---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:34:50 PM, 2/14/2006
+ Report-Checksum: F17AA444

+ Scan result:

HKLM\SOFTWARE\Classes\WinStatX.Installer -> Adware.WinTaskAd : Cleaned with backup
HKLM\SOFTWARE\Classes\WinStatX.Installer\CLSID -> Adware.WinTaskAd : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
:mozilla.12:C:\qd1538.tmp -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.13:C:\qd1538.tmp -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\qd1538.tmp -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.15:C:\qd1538.tmp -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.16:C:\qd1538.tmp -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.17:C:\qd1538.tmp -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.28:C:\qd1538.tmp -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.29:C:\qd1538.tmp -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.30:C:\qd1538.tmp -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.53:C:\qd1538.tmp -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.60:C:\qd1538.tmp -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.89:C:\qd1538.tmp -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.90:C:\qd1538.tmp -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.91:C:\qd1538.tmp -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.99:C:\qd1538.tmp -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.100:C:\qd1538.tmp -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.101:C:\qd1538.tmp -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.104:C:\qd1538.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.105:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.106:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.107:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.108:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.109:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.110:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.114:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.115:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.116:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.117:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.118:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.119:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.120:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.121:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.122:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.123:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.124:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.125:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.135:C:\qd1538.tmp -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.136:C:\qd1538.tmp -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.137:C:\qd1538.tmp -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.142:C:\qd1538.tmp -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.168:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.169:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.170:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.171:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.172:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.173:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.174:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.175:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.177:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.178:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.182:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.183:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.184:C:\qd1538.tmp -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.188:C:\qd1538.tmp -> TrackingCookie.Overture : Cleaned with backup
:mozilla.189:C:\qd1538.tmp -> TrackingCookie.Overture : Cleaned with backup
:mozilla.195:C:\qd1538.tmp -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.205:C:\qd1538.tmp -> TrackingCookie.Com : Cleaned with backup
:mozilla.206:C:\qd1538.tmp -> TrackingCookie.Com : Cleaned with backup
:mozilla.210:C:\qd1538.tmp -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.222:C:\qd1538.tmp -> TrackingCookie.Dbbsrv : Cleaned with backup
:mozilla.237:C:\qd1538.tmp -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.238:C:\qd1538.tmp -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.239:C:\qd1538.tmp -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.240:C:\qd1538.tmp -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.241:C:\qd1538.tmp -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.242:C:\qd1538.tmp -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.243:C:\qd1538.tmp -> TrackingCookie.Commission-junction : Cleaned with backup
:mozilla.256:C:\qd1538.tmp -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.257:C:\qd1538.tmp -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.265:C:\qd1538.tmp -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.270:C:\qd1538.tmp -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP865\A0110236.sys -> Rootkit.Agent.af : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWAS5LP_0001_0811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWAS5LP_0001_0811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWAS5LP_0001_0811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWAS5LP_0001_0811NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5RS_0001_0808NetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.c : Cleaned with backup
C:\WINDOWS\invitessk.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\offerssk.exe -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\system32\gebcy.dll -> Trojan.Crypt.o : Cleaned with backup


::Report End]


Hjt:
[Logfile of HijackThis v1.99.1
Scan saved at 12:37:11 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kathryn D\My Documents\hijackthis\HijackThis.exe
C:\Documents and Settings\Kathryn D\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

]


Kaspersky:
[-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, February 14, 2006 12:38:16
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/02/2006
Kaspersky Anti-Virus database records: 176635
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 95755
Number of viruses found: 7
Number of infected objects: 17
Number of suspicious objects: 2
Duration of the scan process: 4578 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer6.zip/UWFX5_0001_LPNetInstaller.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer6.zip Suspicious: Password-protected-EXE
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWAS5LP_0001_0811NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5RS_0001_0808NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWAS5LP_0001_0811NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5RS_0001_0808NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWAS5LP_0001_0811NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5RS_0001_0808NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWAS5LP_0001_0811NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.d
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5RS_0001_0808NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5RS_0001_0808NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5RS_0001_0808NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5RS_0001_0808NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\WINDOWS\Downloaded Program Files\UWA5PNetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.e
C:\WINDOWS\invitessk.exe/offerssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s
C:\WINDOWS\invitessk.exe/ssk.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\invitessk.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\offerssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s
C:\WINDOWS\system32\gebcy.dll Infected: Trojan.Win32.Crypt.o

Scan process completed.
]

That's weird, I didn't see those conflict.1 etc in windows folder when I Looked for them to remove them!

[tetonbob]

What's stranger is that Ewido says it removed them, and yet Kaspersky says they are still there.

Did you follow all the instructions for unhiding Dowloaded Program Files folders? It is required at times to use those commands from the Run box.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

When files found by other scanners are in the Recovery directory inside the Spybot-S&D directory, it is only a backup. It is no longer of any harm there, as the file won't be loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge the files.

--------------------------------------------------------------------------------------------

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt

--------------------------------------------------------------------------------------------

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

--------------------------------------------------------------------------------------------

Download KillBox


Launch KillBox.exe & select the following options:

• delete on Reboot

Highlight all the filenames below & then right-click & select Copy

• 
  C:\WINDOWS\invitessk.exe
  C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinFixer6.zip
  C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWAS5LP_0001_0811NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5RS_0001_0808NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWAS5LP_0001_0811NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5RS_0001_0808NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWAS5LP_0001_0811NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWFX5RS_0001_0808NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWAS5LP_0001_0811NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5RS_0001_0808NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWFX5RS_0001_0808NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWFX5RS_0001_0808NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWFX5RS_0001_0808NetInstaller.exe
  C:\WINDOWS\Downloaded Program Files\UWA5PNetInstaller.exe
  C:\WINDOWS\offerssk.exe
  C:\WINDOWS\system32\gebcy.dll
  

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

--------------------------------------------------------------------------------------------

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

--------------------------------------------------------------------------------------------


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

--------------------------------------------------------------------------------------------

Also run the Kapsersky online scan again.

Please return with results from:

VundoFix
Aproposfix
HJT
Kaspersky

[edo]

Whatever I do, Vundofix won't re-open.
I had an old version whoch I put in the trash, but after that I restarted it, it just won't reopen.
And I don't even know what a vundo is :S

[tetonbob]

It is a name of an infection, and there is a file onboard indicating it's possible presence.

You are checking the box which says run as task, right?

Try one more time, however, this time do not Click OK when that box appears. A new, third box should open within a minute or so...don't do anything until that happens (unless it takes more than 2 minutes, then just close it or ignore it and move on with the rest of the fix)

When the new box opens, you will then have 3 small windows open. Now Click OK. Two windows shall disappear. In the remaining window, click Scan for Vundo, and them follow the rest of the instructions.

[edo]

vundofix: no entries
aproposfix:
[Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Kathryn D\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!
]
kaspersky: [-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 16, 2006 00:11:50
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/02/2006
Kaspersky Anti-Virus database records: 176979
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 96460
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 5718 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110394.exe/offerssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110394.exe/ssk.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110394.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110395.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110396.dll Infected: Trojan.Win32.Crypt.o

Scan process completed.
]
hjt:
[Logfile of HijackThis v1.99.1
Scan saved at 12:13:36 AM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kathryn D\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

]

[edo]

Oops thought I did something wrong and did not post, ignore this please.





vundofix: no entries found
aproposfix:
[Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Kathryn D\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!
]
kaspersky:
[-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 16, 2006 00:11:50
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/02/2006
Kaspersky Anti-Virus database records: 176979
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 96460
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 5718 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110394.exe/offerssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110394.exe/ssk.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110394.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110395.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s
C:\System Volume Information\_restore{336E79D3-900A-44E8-B3C3-ADC8D7EE9D6F}\RP866\A0110396.dll Infected: Trojan.Win32.Crypt.o

Scan process completed.
]
Hjt:
[Logfile of HijackThis v1.99.1
Scan saved at 12:13:36 AM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kathryn D\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

]

[tetonbob]

Well done.

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - copy/paste or type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Now, something important must be done to help protect your system against future infections.

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available:

• Avast!
• AVG

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

Download IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

Download SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

Post a new HJT log.

How is your system behaving now, please?

[edo]

Ok, the system is running pretty good now.
I already have zome alarm and webroot spysweeper installed, would that suffice?
I already did the IeSpyad thing in step 1 or 2.
I also already have installed Spyware blaster, I'll put it on enable protection on.
I'll do those other things but here's the Hjt again first.
[Logfile of HijackThis v1.99.1
Scan saved at 8:27:18 PM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kathryn D\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

]

[tetonbob]

Neither of those products is an Anti-Virus program. On today's internet, you need several layers of protection. A firewall is one. An Anti-Spyware program (SpySweeper) is another. IESpyad, SpywareBlaster and the MVPS host file are another layer to help prevent spyware and malware cookies from installing.

You MUST have an Anti-Virus program installed, updated, and active in real time, or you're just asking for future infections and we've wasted our efforts here. This may be one reason why you're back so soon after being cleaned up recently.

Here you had Norton.

Here you also had Norton.

Now, you have no AV protection. I cannot emphasise enough that this is unacceptable on today's internet. Please choose and install an AV product now.

Also, please be more cautious about the sites you visit and what you click on. You've been cleaned here 3 times in the last 6 months.

We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
• AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.