
Beovens



#1
skupaloop


    New Member

  • Member
  • 8 posts
Hi everyone. This is my first post and my first time using HijackThis, so I apologize in advance for any ignorance. When I run my Pest Patrol scan, I continue to have the trojan "Beovens" return, no matter how many times I quarantine or delete it. I have also used CA EZ Antivirus, Lavasoft, and an online scan, but with no luck. I have also tried to use system restore points twice, but that hasn't done it either.

According to Pest Patrol, the file is located in my System 32 Explorer files.


This is a copy of my HijackThis log. Please let me know what to do!! Thanks a million in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:22 PM, on 3/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Documents and Settings\Skup\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - c:\program files\peoplepc\toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2
skupaloop


    New Member

  • Topic Starter
  • Member
  • 8 posts
Should have added the registry location according to Pest Patrol:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run

Thanks

#3
Daemon


    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete, you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand side of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware scan report. Then do this: download SUPERAntiSpyware Home Edition (free version).
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me, please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


#4
skupaloop


    New Member

  • Topic Starter
  • Member
  • 8 posts
Hello and thank you very much for your reply.

I do have another issue here: When I reboot my computer and tap F8, the screen that pops up asks me what boot device to select, it doesn't ask me if I would like to boot in safe mode. So far as I remember with this computer, I have never been able to boot in safe mode. What would you suggest?

Thanks.

#5
Daemon


    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Skip the Safe Mode instruction - run it in Normal Mode.

#6
skupaloop


    New Member

  • Topic Starter
  • Member
  • 8 posts
OK, all the scans took a while, but here are the logs. Once again, thank you for your help and please let me know what I should do next:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:46:25 PM 3/6/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP235\A0040852.exe -> Downloader.Murlo.fa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP187\A0029160.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP188\A0029222.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP190\A0029277.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP190\A0029286.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP191\A0029297.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP191\A0029313.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP192\A0029323.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP196\A0029343.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP196\A0029357.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP196\A0029366.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP196\A0029375.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP196\A0029386.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP196\A0029395.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP197\A0030408.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP197\A0030418.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP198\A0030434.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP198\A0030443.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP198\A0030452.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP199\A0030464.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP199\A0030473.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP200\A0030482.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP200\A0030496.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP204\A0030600.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP205\A0030613.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP205\A0030624.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP207\A0030681.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP208\A0030700.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP209\A0030724.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP209\A0030733.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP210\A0030743.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0031743.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0031762.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0031774.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0032774.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0033774.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0033785.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0033977.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0034980.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0034991.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0035007.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP212\A0036009.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP213\A0036014.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP213\A0036434.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP213\A0037433.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP222\A0038430.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP223\A0038481.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP227\A0039482.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP229\A0039515.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP233\A0039663.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP233\A0039711.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP233\A0040711.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP234\A0040718.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP234\A0040778.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP235\A0040789.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP235\A0040921.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP236\A0040930.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP236\A0040932.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP236\A0040942.exe -> Downloader.Zlob.yj : Cleaned with backup (quarantined).
:mozilla.116:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.117:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.118:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.119:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.650:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.786:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.465:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.466:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.759:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.760:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.761:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.762:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.763:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.237:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.238:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.239:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.244:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.220:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.221:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.245:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.484:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.485:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.787:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Cj : Cleaned.
:mozilla.788:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Cj : Cleaned.
:mozilla.789:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Cj : Cleaned.
:mozilla.790:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Cj : Cleaned.
:mozilla.599:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.47:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.77:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.319:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.320:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.321:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.402:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.707:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.259:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.260:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.262:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.264:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.359:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.360:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.395:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.396:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.397:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.398:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.669:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.16:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.381:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.666:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.98:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.99:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.521:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.522:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.335:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.336:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.337:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.338:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.339:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.807:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.808:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.96:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.97:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.492:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.493:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.494:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.60:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.61:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.62:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.210:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.211:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.212:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.214:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.547:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.548:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.549:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.550:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.551:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.552:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.553:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.44:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.322:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.33:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.611:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.213:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.55:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.56:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.57:C:\Documents and Settings\Skup\Application Data\Mozilla\Firefox\Profiles\8w74h4au.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP234\A0040723.exe -> Trojan.Crypt.g : Cleaned with backup (quarantined).


::Report end


SUPERAntiSpyware Log

Generated 03/06/2007 at 10:25 PM

Application Version : 3.5.1016

Core Rules Database Version : 3165
Trace Rules Database Version: 1176

Scan type : Complete Scan
Total Scan Time : 01:03:46

Memory items scanned : 325
Memory threats detected : 0
Registry items scanned : 4252
Registry threats detected : 0
File items scanned : 29583
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Skup\Cookies\[email protected][1].txt

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP213\A0036033.ICO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9B6B3207-B528-4F29-8BE6-1B4139BF816E}\RP213\A0036034.ICO


Logfile of HijackThis v1.99.1
Scan saved at 11:01:39 PM, on 3/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Skup\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
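The HijackThis log above is a plain-text list of entries, each prefixed with a section code (R0/R1 for browser settings, O2 for BHOs, O4 for autostart keys, O16 for ActiveX downloads, O20 for Winlogon Notify DLLs, O23 for services). The following script is an added example for this thread, not code from HijackThis or from any of the posts: it parses those entry lines into records and flags the entry types an analyst usually reads first. The sample input is a constructed subset of lines copied from the log above, and the flagging rules are this example's own heuristics (an entry being flagged means "look at it", not "it is malicious").

```python
"""Parse a HijackThis 1.99.1 log and flag the entry types an analyst reads first.

Example code added for this thread, not part of HijackThis or of the posts above.
The triage rules below are this example's own heuristics, not HijackThis output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:01:39 PM, on 3/6/2007
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# An entry line is "<code> - <body>"; header lines such as "Logfile of ..." do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O4 bodies look like:  HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    code: str
    body: str


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_log(text: str) -> List[Entry]:
    """Return every entry line as an Entry, ignoring headers and the process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def count_by_code(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def _command_image(cmd: str) -> str:
    """First token of a Run command: the quoted path, or the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply this example's own review rules; a finding means 'check this', not 'malware'."""
    findings = []
    for e in entries:
        line = f"{e.code} - {e.body}"
        if e.code == "O4":
            m = O4_RE.match(e.body)
            if m:
                image = _command_image(m.group("cmd"))
                # A bare filename in a Run key is resolved through the search path,
                # so the file actually executed has to be located before it is judged.
                if image and "\\" not in image:
                    findings.append(Finding(e.code, f"bare image name {image!r}; locate the file that is really run", line))
        elif e.code == "O16":
            findings.append(Finding(e.code, "ActiveX control downloaded from a remote host; confirm it is a site you use", line))
        elif e.code == "O20":
            findings.append(Finding(e.code, "Winlogon Notify DLL is loaded into winlogon.exe at logon; verify the publisher", line))
        elif e.code == "O23" and " - Unknown owner - " in e.body:
            findings.append(Finding(e.code, "service binary carries no company name in its version info", line))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(count_by_code(parsed))
    for f in triage(parsed):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run as-is it prints the per-section counts and four flagged lines from the sample; to use it on a full log, pass the file contents to `parse_log` instead of `SAMPLE_LOG`. The O4 rule is the one worth keeping in mind when reading the logs in this thread: `SOUNDMAN.EXE` and `CTHELPER.EXE` are listed without a path, so the file that actually runs is whichever one the search path finds first.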

#7
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, other than cookies and restore points they didn't find much. You seem to have had a zlob infection in the past - let's just check no fragments of that are left behind before digging deeper. Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log in your next reply.

Please do not run any other options until you are asked to do so.

#8
skupaloop

skupaloop

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
SmitFraudFix v2.147

Scan done at 2:00:26.15, Wed 03/07/2007
Run from C:\Documents and Settings\Skup\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Skup


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Skup\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Skup\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
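The three `FOUND !` lines in the rapport.txt above are filename globs (`flx?.dll`, `flx??.dll`, `flx???.dll`), not literal filenames: the tool reports which pattern matched inside `C:\WINDOWS\system32\components`, not the exact files. The following is an added example for this thread, not SmitfraudFix's own code: a small pattern scanner of the same shape, run against a throwaway directory tree it builds itself so it is safe to run anywhere. The three flx globs are the ones the log shows; the extra `*.tmp` pattern, the directory layout and the placeholder files are this example's own constructions.

```python
"""Glob-based file search in the style of SmitfraudFix's rapport.txt, run on a throwaway tree.

Example code added for this thread; it is not SmitfraudFix. The flx globs are the ones
shown in the log above; everything else below is this example's own construction.
"""
import fnmatch
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# directory relative to the scan root -> filename globs to look for in it
PATTERNS: Dict[str, List[str]] = {
    "WINDOWS/system32/components": ["flx?.dll", "flx??.dll", "flx???.dll"],
    "WINDOWS/system32": ["*.tmp"],  # assumed extra pattern, to show a directory with no hits
}


def scan(root: str, patterns: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Return (pattern, matched filenames) for every glob that matches at least one file."""
    hits: List[Tuple[str, List[str]]] = []
    for reldir, globs in patterns.items():
        d = Path(root, reldir)
        if not d.is_dir():
            continue
        names = [p.name for p in d.iterdir() if p.is_file()]
        for g in globs:
            # Windows filenames are case-insensitive; compare lowercased so the
            # result is the same whichever host runs this.
            matched = sorted(n for n in names if fnmatch.fnmatchcase(n.lower(), g.lower()))
            if matched:
                hits.append((f"{reldir}/{g}", matched))
    return hits


def format_report(hits: List[Tuple[str, List[str]]]) -> List[str]:
    """Same shape as the rapport.txt lines, plus the concrete names each pattern matched."""
    return [f"{pattern} FOUND ! ({', '.join(names)})" for pattern, names in hits]


def build_demo_tree(root: str) -> None:
    """Constructed placeholder files, not real DLLs: one per glob width, one too long, one unrelated."""
    comp = Path(root, "WINDOWS/system32/components")
    comp.mkdir(parents=True)
    for name in ("flxA.dll", "flxAB.dll", "flxABC.dll", "flxABCD.dll", "notes.txt"):
        (comp / name).write_bytes(b"MZ")


def demo() -> List[Tuple[str, List[str]]]:
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root, PATTERNS)


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

Each `?` stands for exactly one character, so `flxA.dll`, `flxAB.dll` and `flxABC.dll` are each reported under a different pattern and `flxABCD.dll` under none; that is why a scanner reporting only the pattern, as the log above does, cannot tell you which file was actually hit, and why the report here prints the matched names as well.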

#9
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Run the fix to remove what it found - print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Please post the new rapport.txt log along with a new HijackThis Log in your next reply.

#10
skupaloop

skupaloop

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
As I mentioned earlier, F8 won't put my computer into safe mode. F8 is set up as a prompt to select the boot device. My question is: is there any other way I could start in safe mode? I don't remember seeing it in the BIOS either.

Thank you.

#11
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Yes, you did - apologies it slipped my mind. Run it in Normal Mode and post the results.

#12
skupaloop

skupaloop

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
No apologies needed, you have been very helpful and I appreciate it. Here is the new rapport.txt and HijackThis log. I did not see a box for "Security Info" when I followed the path of Control Panel, Display, etc.


SmitFraudFix v2.147

Scan done at 2:20:21.12, Wed 03/07/2007
Run from C:\Documents and Settings\Skup\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\WINDOWS\system32\components\flx???.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 2:28:31 AM, on 3/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Skup\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#13
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, good. Could you check to see if Pest Patrol is still detecting anything and if so post the filename, location and any registry entries here.

#14
skupaloop

skupaloop

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
The Pest Patrol scan came back fine w/ no items detected.

#15
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
One more thing and then you're all set.

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

You should consider installing SP2. Click here: http://windowsupdate.microsoft.com/.

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?

Do you require any further assistance or should I close the topic?





