Old 03-02-2006, 04:47 AM   #1 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 65
OS: xp


ms-dos popups and security alert, computer is infected popup

Logfile of HijackThis v1.99.1
Scan saved at 6:45:46 PM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\America Online 9.0c\waol.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\America Online 9.0c\shellmon.exe
E:\WINDOWS\system32\nvctrl.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - E:\WINDOWS\system32\hp205E.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HostManager] E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudio] E:\WINDOWS\hda.exe
O4 - HKCU\..\Run: [AOL Fast Start] "E:\Program Files\America Online 9.0c\AOL.EXE" -b
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
jkill2001 is offline  
Old 03-02-2006, 08:42 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,559
OS: 2000 Pro; XP Pro; XP Home


Please download these additional files/programs. Do not run them unless instructed to do so.

smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

*Note* Alternate download sites for smitrem... http://www.downloads.subratam.org/smitRem.exe
http://www.bleepingcomputer.com/file...ar/smitRem.exe


DelDomains.inf
Right-click and select Save Target As - save it to your desktop.

To use: Right-click and select Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

CleanUp!.exe - Install

Ad-aware - install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Once updated, and with custom settings in place, close Ad-aware.

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run a scan with HiJackThis & place a check next to these items and select "Fix checked":

O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - E:\WINDOWS\system32\hp205E.tmp

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open Ad-aware and do a full scan. Remove all it finds.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Ewido with its updated definitions: (...it's important that all windows are closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Next go to Control Panel click Display>Desktop>Customize Desktop>Website>Uncheck and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Run a new scan with HJT, save the log and post it here.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are two very good free Antivirus products which are available. Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.


In your next post, please provide results from:
  • HiJackThis log
  • Online scan
  • Smitfiles.txt
  • Ewido's log
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
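As an added example (not part of this thread, and not HijackThis or smitRem code), here is a small Python parser for the O2/O3/O4/O20/O23 lines of a HijackThis 1.99 log, with a few triage heuristics of my own that mark entries for review; the sample lines are copied from the logs posted in this thread, and the heuristics are not verdicts on any entry.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: HijackThis lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - E:\WINDOWS\system32\hp205E.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudio] E:\WINDOWS\hda.exe
O4 - HKLM\..\Run: [SpyFalcon] E:\Program Files\SpyFalcon\SpyFalcon.exe /h
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Entry:
    kind: str                     # HijackThis section, e.g. "O2", "O4", "O23"
    name: str                     # BHO/toolbar name, Run value name or service name
    path: str                     # file the entry loads, without quotes or arguments
    clsid: Optional[str] = None   # O2/O3 only
    hive: Optional[str] = None    # O4 only: HKLM or HKCU
    owner: Optional[str] = None   # O23 only: publisher string as HJT prints it
    reasons: List[str] = field(default_factory=list)


O_LINE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
EXE_RE = re.compile(r"^(.*?\.[A-Za-z0-9]{2,4})(?:\s|$)")

# File types a BHO, Run entry, notify package or service normally loads from.
EXEC_EXTS = {".exe", ".dll", ".ocx", ".sys", ".cpl"}
# Rogue anti-spyware product named in this thread (the poster reports it still present).
ROGUE_NAMES = {"spyfalcon"}


def _command_path(cmd: str) -> str:
    """Return the executable from a Run command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; sections this example does not handle give None."""
    m = O_LINE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("O2", "O3"):                       # "BHO: name - {clsid} - path"
        name, clsid, path = (p.strip() for p in rest.split(": ", 1)[1].split(" - ", 2))
        return Entry(kind, name, path, clsid=clsid)
    if kind == "O4":                               # "HKLM\..\Run: [name] command"
        m4 = O4_RE.match(rest)
        if not m4:
            return None
        hive, name, cmd = m4.groups()
        return Entry(kind, name, _command_path(cmd), hive=hive)
    if kind == "O20":                              # "Winlogon Notify: name - path"
        name, path = (p.strip() for p in rest.split(": ", 1)[1].split(" - ", 1))
        return Entry(kind, name, path)
    if kind == "O23":                              # "Service: name - owner - path"
        name, owner, path = (p.strip() for p in rest.split(": ", 1)[1].split(" - ", 2))
        return Entry(kind, name, path, owner=owner)
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entry: Entry) -> List[str]:
    """Review flags from my own heuristics (not HijackThis output); empty list = nothing unusual."""
    reasons = []
    ext = ntpath.splitext(entry.path)[1].lower()
    if ext and ext not in EXEC_EXTS:
        reasons.append(f"loads from a {ext} file, not a normal executable or library")
    parent = ntpath.dirname(entry.path).lower()
    if entry.kind == "O4" and parent.endswith("\\windows"):
        reasons.append("autorun binary placed directly under the Windows directory")
    if entry.name.lower() in ROGUE_NAMES:
        reasons.append("name matches the rogue anti-spyware product reported in this thread")
    if entry.kind == "O23" and (entry.owner or "").lower() == "unknown owner":
        reasons.append("service has no publisher recorded")
    entry.reasons = reasons
    return reasons


def report(text: str) -> List[Entry]:
    """Parse a log and print the entries that collected at least one review flag."""
    flagged = [e for e in parse_log(text) if triage(e)]
    for e in flagged:
        print(f"{e.kind} {e.name}: {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
    return flagged


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Entries it flags are candidates to look up before ticking them in HijackThis; entries it does not flag are not thereby clean.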
Old 03-03-2006, 10:22 PM   #3 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 65
OS: xp


Logfile of HijackThis v1.99.1
Scan saved at 12:19:39 AM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\America Online 9.0c\waol.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\America Online 9.0c\shellmon.exe
E:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HostManager] E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudio] E:\WINDOWS\hda.exe
O4 - HKLM\..\Run: [SpyFalcon] E:\Program Files\SpyFalcon\SpyFalcon.exe /h
O4 - HKCU\..\Run: [AOL Fast Start] "E:\Program Files\America Online 9.0c\AOL.EXE" -b
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 04, 2006 00:17:59
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/03/2006
Kaspersky Anti-Virus database records: 169076
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 138510
Number of viruses found: 42
Number of infected objects: 110
Number of suspicious objects: 0
Duration of the scan process: 9622 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\32C43BD2d01 Infected: Trojan-Clicker.JS.Linker.h
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\6933A524d01 Infected: Trojan-Clicker.JS.Linker.h
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\794D1DF9d01 Infected: Trojan-Clicker.HTML.IFrame.b
E:\Documents and Settings\Jon\Desktop\hijackthis\backups\backup-20060302-120952-349.dll Infected: Trojan-Downloader.Win32.Zlob.ht
E:\Documents and Settings\Jon\Desktop\hijackthis\backups\backup-20060302-221736-612.dll Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP394\A0043966.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP403\A0044260.dll Infected: Trojan-Downloader.Win32.Agent.bc
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP403\A0044262.dll Infected: Trojan.Win32.StartPage.vh
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP403\A0044263.dll Infected: Trojan-Downloader.Win32.Agent.bc
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP403\A0044264.dll Infected: Trojan-Downloader.Win32.Agent.bc
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP403\A0044267.dll Infected: Trojan-Downloader.Win32.Agent.li
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP403\A0044270.dll Infected: Trojan-Downloader.Win32.Dyfuca.dt
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP403\A0044271.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP408\A0044346.exe Infected: Trojan-Downloader.Win32.Zlob.dl
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP408\A0044347.tlb Infected: Trojan-Downloader.Win32.Zlob.dl
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP408\A0044348.exe Infected: Trojan-Downloader.Win32.Zlob.bu
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP408\A0044352.dll Infected: Trojan-Downloader.Win32.Zlob.dp
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP408\A0044353.dll Infected: Trojan-Downloader.Win32.Zlob.dl
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP408\A0044354.dll Infected: Trojan-Downloader.Win32.Zlob.dl
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP409\A0044379.exe Infected: Trojan.Win32.Agent.il
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP409\A0044380.tlb Infected: Trojan-Downloader.Win32.Zlob.do
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP409\A0044381.exe Infected: Trojan-Downloader.Win32.Zlob.do
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP410\A0044389.exe Infected: Trojan.Win32.Agent.il
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP410\A0044390.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP413\A0044457.dll Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP413\A0044458.dll Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044515.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044689.exe Infected: Trojan-Downloader.Win32.Zlob.bu
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044690.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044691.exe Infected: Trojan-Downloader.Win32.Small.cca
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044718.exe Infected: Trojan.Win32.TopAntiSpyware.n
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044738.exe Infected: Trojan-Downloader.Win32.Swizzor.k
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044739.exe Infected: Trojan.Win32.Pakes
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044740.EXE Infected: Trojan-Dropper.Win32.SurfSide.a
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044743.dll Infected: Trojan-Downloader.Win32.WinShow.ak
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044744.exe Infected: Trojan-Downloader.Win32.Apropo.k
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044745.exe Infected: Trojan.Win32.Agent.bi
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044746.exe Infected: Trojan.Win32.Agent.bi
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044748.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044749.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044750.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044751.exe Infected: Trojan.Win32.Small.cy
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP414\A0044752.dll Infected: Trojan-Downloader.Win32.Dyfuca.dt
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044766.dll Infected: Trojan-Downloader.Win32.IstBar.nu
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044770.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044772.exe Infected: Trojan.Win32.Dialer.ay
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044774.EXE Infected: Trojan-Dropper.Win32.SurfSide.a
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044775.exe Infected: Trojan.Win32.Pakes
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044776.exe Infected: Trojan-Downloader.Win32.Swizzor.k
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044781.exe Infected: Trojan-Downloader.Win32.Apropo.l
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044782.dll Infected: Trojan-Downloader.Win32.Agent.br
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044786.exe Infected: Trojan.Win32.TopAntiSpyware.n
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044787.exe Infected: Trojan-Downloader.Win32.Apropo.k
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044788.ocx Infected: Trojan-Downloader.Win32.Agent.ex
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044789.exe Infected: Trojan-Downloader.Win32.Zlob.dm
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044790.exe Infected: Trojan-Downloader.Win32.Small.cca
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0044791.exe Infected: Trojan-Downloader.Win32.Zlob.bu
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0045146.dll Infected: Trojan-Downloader.Win32.Agent.br
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0045201.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0045235.dll Infected: Trojan-Downloader.Win32.Agent.br
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0045236.exe Infected: Trojan-Downloader.Win32.Zlob.dm
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0045237.dll Infected: not-virus:Hoax.Win32.Renos.ak
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0045246.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP415\A0045271.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP416\A0045304.dll Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP416\A0045305.dll Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP419\A0045381.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP422\A0045465.exe Infected: Trojan-Downloader.Win32.Small.ayl
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP423\A0045539.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP423\A0045556.dll Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045663.exe Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045664.exe Infected: Trojan-Downloader.Win32.Zlob.du
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045667.tlb Infected: Trojan-Downloader.Win32.Zlob.dr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045687.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045705.exe Infected: Trojan-Downloader.Win32.Zlob.fa
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045706.exe Infected: Trojan-Downloader.Win32.Zlob.fc
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045708.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045726.dll Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045727.dll Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP431\A0045728.dll Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP432\A0045751.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP434\A0046016.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP434\A0046228.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP434\A0046235.exe Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP434\A0046390.dll Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP434\A0046391.dll Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP434\A0046621.dll Infected: not-virus:Hoax.Win32.Renos.at
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP434\A0046623.tlb Infected: Trojan-Downloader.Win32.Zlob.ez
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP435\A0046668.exe/stream/data0001 Infected: Trojan.Win32.Pakes
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP435\A0046668.exe/stream Infected: Trojan.Win32.Pakes
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP435\A0046668.exe Infected: Trojan.Win32.Pakes
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP470\A0048378.exe/data0007 Infected: Trojan.Win32.Zapchast.az
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP470\A0048378.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.hr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP470\A0048378.exe Infected: Trojan-Downloader.Win32.Zlob.hr
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP470\A0048388.dll Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP471\A0048461.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP471\A0048625.exe Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP471\A0048630.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP471\A0048682.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP471\A0048711.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP472\A0048858.exe Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP472\A0048859.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP472\A0048910.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP473\A0048927.exe Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP473\A0048928.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP474\A0048972.tlb Infected: Trojan-Downloader.Win32.Zlob.ht
E:\System Volume Information\_restore{631B59A5-918D-4763-819A-7F38422A702A}\RP474\A0048974.exe Infected: Trojan-Downloader.Win32.Zlob.ht
E:\WINDOWS\system32\dfrgsrv.exe Infected: Trojan-Downloader.Win32.Zlob.hr
E:\WINDOWS\system32\dxmpp.dll Infected: not-virus:Hoax.Win32.Renos.bo

Scan process completed.


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 03/03/2006
The current time is: 18:28:17.26

Running from
E:\Documents and Settings\Jon\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
@="E:\WINDOWS\system32\dxmpp.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 756 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
@="E:\WINDOWS\system32\dxmpp.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:15:46 PM, 3/3/2006
+ Report-Checksum: F09CA594

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
:mozilla.12:E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\anf1i2zq.les\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
E:\Documents and Settings\Jon\Cookies\jon@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
E:\Documents and Settings\Jon\Cookies\jon@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
E:\Documents and Settings\Jon\Cookies\jon@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
E:\Documents and Settings\Jon\Cookies\jon@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
E:\Documents and Settings\Jon\Cookies\jon@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup


::Report End


I still have the "system infected" popup and SpyFalcon, but no more MS-DOS popup.
Old 03-03-2006, 11:07 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 23,238
OS: N/A


Quote:
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 04, 2006 00:17:59
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/03/2006
Kaspersky Anti-Virus database records: 169076
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
You have performed the online scan without using the optimal settings. At the end of this fix, I would require you to perform another Kaspersky scan using the settings I prescribed.


* * * * * *


Please read this post completely before beginning the fix.

There is no antivirus program on this machine. Please download AVG Antivirus and update its virus definitions. Also ensure that its real-time scanning engine is enabled. We shall be using it in Safe Mode later.

Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

Host.zip - Extract the contents into its own folder. Double click MVPS.bat & allow it to run.

Right click on this & select 'Save As' - DNSManual.bat
Double-click DNSManual.bat & allow it to run.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Right click on this & choose "Save As..." FixSF.reg - FixSF.reg
Double click on FixSF.reg & allow it to merge into the Registry

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)


* * * * * *


Launch FireFox & go to Tools > Options
Under the Privacy tab, click the clear cache button


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [HDAudio] E:\WINDOWS\hda.exe
O4 - HKLM\..\Run: [SpyFalcon] E:\Program Files\SpyFalcon\SpyFalcon.exe /h



* * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • E:\WINDOWS\system32\dfrgsrv.exe
    E:\WINDOWS\system32\dxmpp.dll
    E:\WINDOWS\hda.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • SpyFalcon
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\Program Files\SpyFalcon\
    E:\Documents and Settings\Jon\Desktop\hijackthis\backups\backup-20060302-120952-349.dll
    E:\Documents and Settings\Jon\Desktop\hijackthis\backups\backup-20060302-221736-612.dll

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program.


* * * * * *


Have AVG do a system wide scan & allow it to disinfect/delete ALL that it finds.
For any that it fails to do so, note down the file names & file paths so that you may let me know.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


This will clear the System Volume Information folder
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


* * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh copies of:
  • HiJackThis log
  • Online scan
Let us know if any problems persist.
__________________


Last edited by sUBs; 03-03-2006 at 11:10 PM.
Old 03-04-2006, 06:15 AM   #5 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 65
OS: xp


Logfile of HijackThis v1.99.1
Scan saved at 8:14:18 AM, on 3/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\America Online 9.0c\waol.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\America Online 9.0c\shellmon.exe
E:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HostManager] E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "E:\Program Files\America Online 9.0c\AOL.EXE" -b
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, March 04, 2006 08:13:38
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/03/2006
Kaspersky Anti-Virus database records: 180041
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 130736
Number of viruses found: 9
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 8656 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost
C:\System Volume Information\_restore{E52F6E8C-4D5C-493E-9456-C80711178283}\RP31\A0003425.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\32C43BD2d01 Infected: Trojan-Clicker.JS.Linker.h
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\6933A524d01 Infected: Trojan-Clicker.JS.Linker.h
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\794D1DF9d01 Infected: Trojan-Clicker.HTML.IFrame.b
E:\Program Files\aim error ace\debug32.dll Infected: not-a-virus:AdWare.Win32.Lop
E:\WINDOWS\Downloaded Program Files\toolbar.dll Infected: not-a-virus:AdWare.Win32.Agent.k
E:\WINDOWS\system32\cacore.dll Infected: not-a-virus:AdWare.Win32.Couponage.a
E:\WINDOWS\system32\desktrf-667279.exe/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.b
E:\WINDOWS\system32\desktrf-667279.exe Infected: not-a-virus:AdWare.Win32.Beginto.b
E:\WINDOWS\system32\winb2s32.dll Infected: not-a-virus:AdWare.Win32.Ilookup.b
E:\WINDOWS\system32\winb2s33.dll Infected: not-a-virus:AdWare.Win32.Ilookup.b

Scan process completed.
Old 03-04-2006, 08:21 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,559
OS: 2000 Pro; XP Pro; XP Home


You have yet to install an Anti-virus program. Without one, we are likely wasting our time here. Use one of the recommended links I gave you earlier to AVG or Avast, and install it now.

--------------------------------------

Clear the Firefox cache. Tools > Options > Privacy > Cache > Click on Clear.


--------------------------------------

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • E:\Program Files\aim error ace\debug32.dll
    E:\WINDOWS\Downloaded Program Files\toolbar.dll
    E:\WINDOWS\system32\cacore.dll
    E:\WINDOWS\system32\desktrf-667279.exe
    E:\WINDOWS\system32\winb2s32.dll
    E:\WINDOWS\system32\winb2s33.dll
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


--------------------------------------

Now delete this folder:

E:\Program Files\aim error ace

--------------------------------------

Click on the Start button & select Run
Type in tasks & click Ok
In the ensuing window, click on the 'Advanced' menu (located above) & select 'View Hidden Tasks'
Review all the tasks/jobs at hand. You should be able to recognise jobs that you have created yourself.
Delete hidden jobs that look like these:
  • A034B7FF91BB36BB.job
    A06F1FEF91A49933.job
    A2C3205A93B8CDFA.job
    A36F645091B91BF0.job
    A42C6F7190EFE559.job
You can recognise them by the fact that they're hidden & have names that consist of 16 random letters.


--------------------------------------

Download fl.zip
Extract the contents to a new folder on your Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply


--------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------

Run a new scan with HJT. Save the log and post it here.

How is your system behaving now please?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 03-05-2006, 04:14 PM   #7 (permalink)
Registered User
 
Join Date: Sep 2005
Posts: 65
OS: xp


Logfile of HijackThis v1.99.1
Scan saved at 6:10:21 PM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\America Online 9.0c\waol.exe
E:\Program Files\America Online 9.0c\shellmon.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\Grisoft\AVG Free\avgcc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Documents and Settings\Jon\Desktop\hijackthis\HijackThis.exe

O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - E:\WINDOWS\system32\gfurc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - E:\WINDOWS\system32\gfurc.dll
O4 - HKLM\..\Run: [HostManager] E:\Program Files\Common Files\AOL\1103770708\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AOL Fast Start] "E:\Program Files\America Online 9.0c\AOL.EXE" -b
O4 - HKCU\..\Run: [UnSpyPC] "E:\Program Files\UnSpyPC\UnSpyPC.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47474C52-F2EE-473C-9283-546A0B832899}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E7DA7E0-0DA6-44BF-BDDC-A99674E697B3}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BA718BC-F239-4F7F-9BAF-EBC7CFF1F80D}: NameServer = 85.255.116.171,85.255.112.228
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - E:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, March 05, 2006 18:09:43
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 5/03/2006
Kaspersky Anti-Virus database records: 180327
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 132015
Number of viruses found: 10
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 9216 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost
C:\System Volume Information\_restore{E52F6E8C-4D5C-493E-9456-C80711178283}\RP31\A0003425.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\32C43BD2d01 Infected: Trojan-Clicker.JS.Linker.h
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\6933A524d01 Infected: Trojan-Clicker.JS.Linker.h
E:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\jon\Cache\794D1DF9d01 Infected: Trojan-Clicker.HTML.IFrame.b
E:\Program Files\aim error ace\debug32.dll Infected: not-a-virus:AdWare.Win32.Lop
E:\WINDOWS\Downloaded Program Files\toolbar.dll Infected: not-a-virus:AdWare.Win32.Agent.k
E:\WINDOWS\system32\cacore.dll Infected: not-a-virus:AdWare.Win32.Couponage.a
E:\WINDOWS\system32\desktrf-667279.exe/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.b
E:\WINDOWS\system32\desktrf-667279.exe Infected: not-a-virus:AdWare.Win32.Beginto.b
E:\WINDOWS\system32\gfurc.dll Infected: not-a-virus:AdWare.Win32.SBSoft.h
E:\WINDOWS\system32\winb2s32.dll Infected: not-a-virus:AdWare.Win32.Ilookup.b
E:\WINDOWS\system32\winb2s33.dll Infected: not-a-virus:AdWare.Win32.Ilookup.b

Scan process completed.

Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\Administrator\Application Data

11/02/2003 09:56 AM <DIR> Aim
08/25/2003 04:10 PM <DIR> Identities
09/30/2003 07:04 PM <DIR> MSN6
09/10/2003 10:14 PM <DIR> Sun
0 File(s) 0 bytes
4 Dir(s) 17,047,470,080 bytes free
Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\All Users\Application Data

11/03/2005 08:04 PM <DIR> Adobe
12/02/2005 09:17 PM <DIR> AOL
12/02/2005 08:40 PM <DIR> AOL Downloads
12/19/2005 10:26 PM <DIR> Apple Computer
09/06/2005 10:56 PM <DIR> Autodesk
03/05/2006 09:14 AM <DIR> avg7
03/05/2006 09:13 AM <DIR> Grisoft
10/12/2004 11:18 PM <DIR> Macrovision
10/22/2004 05:06 PM <DIR> McAfee.com
09/30/2003 07:03 PM <DIR> MSN6
02/10/2004 06:17 PM <DIR> NFS Underground
07/07/2004 11:46 PM <DIR> Pure Networks
02/19/2006 11:34 PM 1,387 QTSBandwidthCache
02/29/2004 06:03 PM <DIR> QuickTime
01/03/2006 01:25 AM <DIR> SecTaskMan
02/17/2006 09:35 PM <DIR> Spybot - Search & Destroy
01/21/2006 11:55 AM <DIR> Symantec
09/19/2005 09:35 PM <DIR> Trymedia
12/19/2004 05:43 PM <DIR> Viewpoint
11/08/2005 12:03 AM <DIR> Yahoo! Companion
1 File(s) 1,387 bytes
19 Dir(s) 17,047,453,696 bytes free
Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\fran\Application Data

12/27/2003 10:46 PM <DIR> Adobe
12/17/2004 06:03 PM <DIR> Aim
11/10/2005 05:21 PM <DIR> AOL
11/20/2003 07:59 PM <DIR> Help
11/20/2003 07:58 PM <DIR> Identities
12/17/2004 06:03 PM <DIR> InterMute
12/26/2003 08:55 AM <DIR> Macromedia
08/12/2004 07:14 AM <DIR> Mozilla
12/23/2003 11:06 PM <DIR> Sun
08/12/2004 07:14 AM <DIR> Talkback
0 File(s) 0 bytes
10 Dir(s) 17,047,453,696 bytes free
Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\Guest\Application Data

04/03/2004 07:38 AM <DIR> Identities
0 File(s) 0 bytes
1 Dir(s) 17,047,453,696 bytes free
Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\Jon\Application Data

03/05/2006 09:13 AM <DIR> .
03/05/2006 09:13 AM <DIR> ..
12/02/2005 08:48 PM <DIR> acccore
01/04/2004 03:41 PM <DIR> ACD Systems
01/04/2004 03:42 PM <DIR> ACDInTouch
11/03/2005 08:04 PM <DIR> Adobe
12/07/2005 11:23 PM <DIR> AdobeUM
11/19/2004 08:16 PM <DIR> Aim
08/01/2005 08:15 PM <DIR> Alibre Design
12/02/2005 08:46 PM <DIR> AOL
01/04/2006 06:47 PM <DIR> Apple Computer
02/25/2005 07:36 PM <DIR> Autodesk
03/05/2006 09:13 AM <DIR> AVG7
06/12/2004 08:00 PM <DIR> Creative
09/20/2005 08:28 PM <DIR> Google
02/27/2004 12:11 AM <DIR> Help
11/21/2003 09:21 PM <DIR> Identities
03/17/2004 02:24 PM <DIR> Kazaa Lite
12/30/2004 12:05 AM <DIR> Keyhole
05/08/2004 10:39 PM <DIR> Lycos
06/12/2004 07:49 PM <DIR> Macromedia
08/05/2004 08:35 AM <DIR> Mozilla
07/02/2004 12:00 PM <DIR> NetMedia Providers
08/16/2004 12:40 AM <DIR> oreu
04/21/2005 07:24 PM <DIR> Publish Providers
10/13/2004 09:33 PM <DIR> RACETHEPROSOnline11
06/26/2004 12:58 PM <DIR> Ratbag
03/22/2004 10:40 PM <DIR> Sonic Foundry
12/12/2003 11:53 PM <DIR> Sun
01/03/2006 06:43 PM <DIR> Symantec
08/05/2004 08:35 AM <DIR> Talkback
05/29/2005 12:14 PM 12 uns.tmp
06/02/2005 09:37 PM <DIR> Webroot
06/02/2005 09:37 PM <DIR> yahoo!
03/02/2004 11:16 PM <DIR> Yahoo! Messenger
07/07/2004 11:46 PM <DIR> You've Got Pictures Screensaver
1 File(s) 12 bytes
35 Dir(s) 17,047,449,600 bytes free
Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\Default User\Application Data

08/24/2003 06:51 PM <DIR> .
08/24/2003 06:51 PM <DIR> ..
12/17/2004 06:34 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 17,047,449,600 bytes free
Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\LocalService\Application Data

Volume in drive E has no label.
Volume Serial Number is BC27-9C30

Directory of E:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'E:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'E:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Jon'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_DISABLED
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 1
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

2 Triggers

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 01/21/2006
EndDate: 00/00/0000
StartTime: 09:44
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 1:
Type: AtLogon
StartDate: 01/21/2006
EndDate: 00/00/0000
StartTime: 09:44
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


Right now there are 2 popups that show up. One says Windows Security and is an actual popup in the center of the screen; the other I forget what it says, but it's down in the bar where the clock is. I tried going into Security Center to disable the Windows Security popup but I can't, it's grey. I also have a toolbar in every window I open, i.e. Control Panel. I tried undoing that but I can't, it's in grey also. What's the deal?
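The following Python script is an added triage example and is not code from HijackThis, GetSTS or this forum. It applies three of the checks the helpers in this thread make by eye to constructed sample lines modelled on the logs above: O17 entries whose NameServer points at a resolver outside the machine's own network (the 85.255.x entries in this log), hidden scheduled tasks whose names are 16 hex characters (the .job names listed in post #6), and SharedTaskScheduler CLSIDs whose InProcServer32 is registered per-user under HKEY_CURRENT_USER (the "Wheel Mouse Optical Driver" entry loading dxmpp.dll in the GetSTS export above). The expected-resolver list and the all-zero GUID on the benign O17 line are assumptions, not values from the thread.

```python
"""Triage heuristics for HijackThis-style log lines and a GetSTS export.
Added example for this thread; not HijackThis, GetSTS or forum code.
All sample data is constructed from entries quoted in the thread."""
import ipaddress
import re

# Assumption: the only resolver this machine should be handed is its home router.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)\s*$")
# Hidden jobs named in the thread look like A034B7FF91BB36BB.job: 16 hex characters.
RANDOM_JOB_RE = re.compile(r"^[0-9A-Fa-f]{16}\.job$")
SECTION_RE = re.compile(
    r"^\[(?P<hive>HKEY_[A-Z_]+)\\.*\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\]$"
)
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<path>[^"]*)"$')

# Constructed sample: the O17 line from the thread plus one benign entry
# (the all-zero GUID is a placeholder, not from the thread).
SAMPLE_HJT = r"""
O1 - Hosts: localhost 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{47474C52-F2EE-473C-9283-546A0B832899}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Constructed sample: job names from the thread plus the legitimate Symantec job.
SAMPLE_JOBS = [
    "Symantec NetDetect.job",
    "A034B7FF91BB36BB.job",
    "A06F1FEF91A49933.job",
    "A2C3205A93B8CDFA.job",
]

# Constructed sample in GetSTS's pseudo-reg format, as exported in the thread.
SAMPLE_STS = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"="Wheel Mouse Optical Driver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}\InProcServer32]
@="E:\WINDOWS\system32\dxmpp.dll"
"""


def suspicious_nameservers(log_text):
    """Return (server, line) pairs for O17 resolvers that are neither private,
    loopback, nor on EXPECTED_RESOLVERS: a DNS-changer indicator."""
    hits = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in m.group("servers").split(","):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                hits.append((server, line))  # unparsable resolver: worth a look
                continue
            if server not in EXPECTED_RESOLVERS and not (addr.is_private or addr.is_loopback):
                hits.append((server, line))
    return hits


def random_named_jobs(job_names):
    """Return task names made of 16 hex characters, the pattern the thread tells
    the user to look for under 'View Hidden Tasks'."""
    return [name for name in job_names if RANDOM_JOB_RE.match(name)]


def shared_task_overrides(export_text):
    """Walk a GetSTS export and report CLSIDs whose InProcServer32 is registered
    under HKEY_CURRENT_USER (a per-user override of a machine-wide entry) or
    whose DLL lives outside System32."""
    findings = []
    current = None
    for raw in export_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = (sec.group("hive"), sec.group("clsid"))
            continue
        val = DEFAULT_VALUE_RE.match(line)
        if val and current:
            hive, clsid = current
            path = val.group("path")
            reasons = []
            if hive == "HKEY_CURRENT_USER":
                reasons.append("InProcServer32 registered under HKEY_CURRENT_USER")
            if "\\system32\\" not in path.lower():
                reasons.append("server DLL outside System32")
            if reasons:
                findings.append((clsid, path, "; ".join(reasons)))
            current = None
    return findings


if __name__ == "__main__":
    for server, line in suspicious_nameservers(SAMPLE_HJT):
        print(f"[O17] unexpected resolver {server}: {line}")
    for name in random_named_jobs(SAMPLE_JOBS):
        print(f"[TASK] random-looking hidden job: {name}")
    for clsid, path, why in shared_task_overrides(SAMPLE_STS):
        print(f"[STS] {clsid} -> {path} ({why})")
```

The HKCU check matters because COM looks up a CLSID under HKEY_CURRENT_USER\Software\Classes before HKEY_LOCAL_MACHINE, so a per-user InProcServer32 for a CLSID that Explorer loads from the machine-wide SharedTaskScheduler list lets a DLL run in Explorer without touching anything under HKLM; that is exactly the shape of the "Wheel Mouse Optical Driver" entry in the export above.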
Old 03-05-2006, 07:58 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,559
OS: 2000 Pro; XP Pro; XP Home


Did you receive any error messages while trying to delete the files I had listed? They are all still present in the Kaspersky log. You also have a new infection. Please be careful of the sites you visit, you must be traveling in dark alleys.

Did you clear Firefox's cache? Do so again.

Clear the Firefox cache. Tools > Options > Privacy > Cache > Click on Clear.

Did you install the new hosts file as sUBs requested? Let's try again.....

First, Download Hoster.exe

Run Hoster.exe.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.

Download Host.zip - From within Host.zip, double click on MVPS.bat & allow it to run.

------------------------------------------

Please download & Install - FixWareout.exe

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

FixWareOut will produce a logfile, report.txt located within the C:\fixwareout folder

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

O4 - HKCU\..\Run: [UnSpyPC] "E:\Program Files\UnSpyPC\UnSpyPC.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{47474C52-F2EE-473C-9283-546A0B832899}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E7DA7E0-0DA6-44BF-BDDC-A99674E697B3}: NameServer = 85.255.116.171,85.255.112.228
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BA718BC-F239-4F7F-9BAF-EBC7CFF1F80D}: NameServer = 85.255.116.171,85.255.112.228


Reboot into safe mode.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if found:

UnSpyPC

Delete these files/folders:

E:\Program Files\UnSpyPC
E:\Program Files\aim error ace
E:\WINDOWS\Downloaded Program Files\toolbar.dll
E:\WINDOWS\system32\cacore.dll
E:\WINDOWS\system32\desktrf-667279.exe
E:\WINDOWS\system32\winb2s32.dll
E:\WINDOWS\system32\winb2s33.dll


Reboot into normal mode now.

Is there some reason you're not using the Panda scan I've now requested twice? Is it failing to run for you?

I need a different online scan than Kaspersky now, as one will see what the other may not. Use the Panda scan, and post the results.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * Panda's 8 MB ActiveX control will then be downloaded *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan



If Panda fails, use this one:


TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes, I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.


Run a new HijackThis scan. Save the log file and post it here.

Please return with logs from:

Wareout (report.txt)
Panda (if possible)
Housecall
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.

Last edited by tetonbob; 03-05-2006 at 08:09 PM.
tetonbob is offline  
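As an added example (not part of the original post, and not HijackThis code), here is a small Python checker that pulls the O17 NameServer entries out of HJT log lines like the ones quoted above and flags resolvers that are neither private addresses nor on an assumed trusted list. The sample lines are the thread's own O17 entries plus one constructed benign entry, and the trusted list is an assumption for the demo.

```python
"""Flag suspicious DNS resolver (O17) entries in a HijackThis log.

Added example; not from the original forum post or from HijackThis.
The 85.255.x.x lines are copied from the thread; the 192.168.1.1 line
and the TRUSTED set are constructed assumptions for the demonstration.
"""
import ipaddress
import re

# An O17 line ends in "{<interface GUID>}: NameServer = ip[,ip...]".
O17_RE = re.compile(
    r"^O17 - .*\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>[\d.,]+)\s*$"
)

SAMPLE_LOG = [  # constructed sample, built from the lines quoted in the post
    r'O4 - HKCU\..\Run: [UnSpyPC] "E:\Program Files\UnSpyPC\UnSpyPC.exe"',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{47474C52-F2EE-473C-9283-546A0B832899}: NameServer = 85.255.116.171,85.255.112.228",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{5BA718BC-F239-4F7F-9BAF-EBC7CFF1F80D}: NameServer = 192.168.1.1",
]

# Assumed: resolvers the user knows to be legitimate (e.g. the ISP's).
TRUSTED = {"192.168.1.1"}


def parse_o17(lines):
    """Yield (interface GUID, [nameserver, ...]) for each O17 NameServer line."""
    for line in lines:
        m = O17_RE.match(line.strip())
        if m:
            yield m.group("guid"), m.group("servers").split(",")


def _is_private(addr):
    """True for RFC 1918 / loopback style addresses; malformed values are not private."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def flag_nameservers(lines, trusted=TRUSTED):
    """Return [(guid, [suspect resolvers])] for entries pointing at untrusted public DNS.

    A home router or other private resolver is left alone; anything else that is
    not on the trusted list, such as the 85.255.x.x pair in this thread, is flagged.
    """
    flagged = []
    for guid, servers in parse_o17(lines):
        bad = [s for s in servers if s not in trusted and not _is_private(s)]
        if bad:
            flagged.append((guid, bad))
    return flagged


if __name__ == "__main__":
    for guid, bad in flag_nameservers(SAMPLE_LOG):
        print(f"interface {{{guid}}} uses untrusted resolvers: {', '.join(bad)}")
```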
 

