Zlob (puresafteyhere.com)

specWB

Member
Dec 20, 2006
95
0
0
I got this computer about a year ago. My last one was completely destroyed by viruses, so I made it my goal to be extra careful with this one. No sketchy sites, scanning ALL applications before executing them, etc. But it seems that today they finally got me. I slipped up and this is what I get for it. I heard about some video called kids in a sandbox and was told to go see it (no discussion on what it was is necessary in this thread). I went to some website I found on Google and the video wouldn't play. It told me that I needed to install some codec for the video to play. Looked pretty legit. I was wrong.

Now, there is an annoying yellow triangle with an exclamation point in my task bar and every 30 seconds it alerts me about some "virus" I have on my computer. When I open up Internet Explorer, it brings me to "www.puresafteyhere.com". A quick Google search of that website brought it to my attention that this was most likely caused by a hijacker using the Zlob trojan. I cannot end the processes which I know are causing the effects, as they start up again the instant I do. I found the processes in their location folder at C:\Program Files\Net Project. I can't delete them though.

I have downloaded two applications that claim to detect and remove this problem. In both instances they definitely detected it. And in both instances, I felt satisfied that I would be removing all that crap from my computer. Unfortunately, in both instances, as soon as I clicked "remove" I was greeted with the ever helpful "In order to use the Remove feature of this product you must first purchase it". Wow, thanks for the help there. Ad-Aware doesn't seem to detect it and neither does my Norton Anti Virus 2007.

So now I feel like I may be running out of options. It seems that I either need to find a removal tool for this "puresafteyhere.com" thing or wipe my hard drive. I will do pretty much whatever it takes to avoid the latter. I will be forever grateful to anyone who can help me out here. I don't think I have left anything out, but I will edit if I realize that I did.

Thanks
 

specWB

Member
Dec 20, 2006
95
0
0
Yea, I saw that a second after I posted this. I feel dumb now. I will try that stuff. I hope it works. Thanks
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: specWB
Yea, I saw that a second after I posted this. I feel dumb now. I will try that stuff. I hope it works. Thanks

If it doesn't work, you can always post a HJT log as your next move.

 

specWB

Member
Dec 20, 2006
95
0
0
I have just run a couple of scans from John's Guide; so far they have detected but been unable to delete the bad files. It is getting late, and I will start to get pissed off if I don't just turn off the computer and go to bed, and getting pissed off doesn't usually solve things. This is the HijackThis log. Thanks for the help so far.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:04 PM, on 2/13/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\volpanlu.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Razer\Diamondback 3G\razerhid.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\CTxfispi.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Razer\Diamondback 3G\razertra.exe
C:\Program Files\Razer\Diamondback 3G\razerofa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Windows\system32\dlcxcoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbsm.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\NetProject\sbmntr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
C:\removal\SuperAntiSpyware\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\removal\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - C:\Program Files\Helper\1202940043.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSI Live] C:\Program Files\MSI\MSI Live\SetWallpaper.exe
O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback 3G\razerhid.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SHStartup.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\removal\SuperAntiSpyware\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-4081924712-557062274-3841058643-1010\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User '?')
O4 - HKUS\S-1-5-21-4081924712-557062274-3841058643-1010\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User '?')
O4 - HKUS\S-1-5-21-4081924712-557062274-3841058643-1010\..\Run: [] (User '?')
O4 - HKUS\S-1-5-21-4081924712-557062274-3841058643-1010\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-4081924712-557062274-3841058643-1010\..\Run: [SUPERAntiSpyware] C:\removal\SuperAntiSpyware\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - S-1-5-21-4081924712-557062274-3841058643-1010 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User '?')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool. net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool. net/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsu...ctivedata/nprdtinf.cab
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {4E77DBA6-3506-46EC-93C0-AB1E0DBD7E4A} (ZtServiceManager Class) - http://mvod.web.aol.com/mce/new/ServiceMgr.CAB
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/a...os/LOnline/install.cab
O16 - DPF: {BE6A7ED0-B2FF-409D-930C-79422B899802} - http://cdn.digitalcity.com/video/kdx.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://vep.intel.com/Entriq_3_4_0_16_Silent.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia....cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative ALchemy AL1 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SpyHunter3 Service - Enigma Software Group, Inc. - C:\Program Files\Enigma Software Group\SpyHunter\SHService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 18760 bytes
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
You might want to use the other resources first, but if you want to take a crack at it with HijackThis, then note down these entries and then use HJT to nuke them while running in Safe Mode:

C:\Program Files\NetProject\scm.exe
C:\Program Files\NetProject\scit.exe
C:\Program Files\NetProject\sbsm.exe

O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - C:\Program Files\Helper\1202940043.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll

O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool. net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool. net/redirect.php (file missing)

O15 - Trusted Zone: http://www.msi.com.tw (they were hacked not so long ago, don't be having them in your Trusted Zone)

O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe (this one strikes me as suspicious, since my Vista installation has no such thing. Upload it to http://www.virustotal.com for analysis?)


I'm not a specially-trained HJT guy but I believe those entries are part of your infection.
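A small checker for the kinds of HijackThis entries picked out above, written as an added example (it is not HijackThis code and not from anyone in this thread). The folder names in SUSPECT_DIRS and the sample log lines are copied from the log posted earlier in the thread; the "hit" versus "review" split and the heuristics themselves are this example's own.

```python
r"""Flag HijackThis log entries of the kinds called out in this thread.

Heuristics (this example's own, not HijackThis's):
  hit    - path under a folder tied to the infection (NetProject, Helper),
           autorun registered under Policies\Explorer\Run,
           IE button whose target is a URL and whose file is missing
  review - BHO registered as "(no name)" (Symantec's NppBho.dll in this very
           log also has no name, so review rather than remove),
           site added to the IE Trusted Zone,
           bare generic .exe in system32 launched from HKLM\..\Run
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Taken from the thread: folders identified as part of the infection.
SUSPECT_DIRS = (r"c:\program files\netproject", r"c:\program files\helper")

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Matches "] C:\Windows\system32\<name>.exe" closing an O4 body, nothing else.
SYS32_EXE_RE = re.compile(r"\] c:\\windows\\system32\\[\w-]+\.exe\s*$", re.I)


@dataclass
class Finding:
    line: str      # the log line as it appeared
    severity: str  # "hit" or "review"
    reason: str


def classify(line: str) -> list[Finding]:
    """Return zero or more findings for a single HijackThis log line."""
    text = line.strip()
    found: list[Finding] = []
    m = ENTRY_RE.match(text)
    if not m:
        # Lines in the "Running processes:" section are bare paths.
        if any(text.lower().startswith(d + "\\") for d in SUSPECT_DIRS):
            found.append(Finding(text, "hit", "process running from suspect folder"))
        return found
    kind, body = m.group(1), m.group(2)
    lower = body.lower()
    if any(d in lower for d in SUSPECT_DIRS):
        found.append(Finding(text, "hit", "entry points into suspect folder"))
    if kind == "O4" and "policies\\explorer\\run" in lower:
        found.append(Finding(text, "hit", "autorun via Policies\\Explorer\\Run"))
    if kind == "O9" and "(file missing)" in lower and "http" in lower:
        found.append(Finding(text, "hit", "IE button targets a URL and its file is missing"))
    if kind == "O2" and "(no name)" in lower:
        found.append(Finding(text, "review", "BHO registered without a name"))
    if kind == "O15":
        found.append(Finding(text, "review", "site added to IE Trusted Zone"))
    if kind == "O4" and "hklm\\..\\run:" in lower and SYS32_EXE_RE.search(body):
        found.append(Finding(text, "review", "bare .exe in system32 run from HKLM Run"))
    return found


def scan(log_text: str) -> list[Finding]:
    """Scan a whole log; findings come back in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        findings.extend(classify(line))
    return findings


# Constructed excerpt: lines copied from the log posted in this thread,
# mixing the flagged entries with benign neighbours.
SAMPLE_LOG = r"""
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NetProject\scm.exe
C:\Program Files\NetProject\sbmntr.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: e404 helper - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - C:\Program Files\Helper\1202940043.dll
O2 - BHO: (no name) - {C2A1C5CB-C0EF-4689-9436-F62CCA1C5383} - C:\Program Files\NetProject\sbmdl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool. net/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://www.msi.com.tw
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run against the excerpt it reports nine "hit" findings and four "review" findings; the benign Adobe, Symantec ccApp and NVIDIA lines produce nothing.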
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Yep, you've got malware, some of it nasty, on that system, including Zlob, which means you have a Smitfraud infection. What I don't like is that you also have a backdoor bot. Can you clean your computer? It's likely.

However, if it were my computer, I'd format and reinstall. Once a backdoor bot's been on my computer, I don't trust it anymore.
 

specWB

Member
Dec 20, 2006
95
0
0
Having tried several other things, I guess I will have to try HijackThis. I have a question though: when I end the process through HJT, does it also delete the bad files or does it just end the process? If it just ends the process, how can I get rid of the files completely? I'll do it when I get home today and we'll see what happens. Do you enter Safe Mode the same on Vista as XP, by pressing F8 repeatedly?

And to Medea, that makes me nervous. I use this computer for online transactions quite frequently, and sometimes things such as credit card information, address, all that stuff is entered. I hope I don't have to format and start out all over again, but I will if it is the only way to prevent identity theft.

Thanks a lot for the help so far.

EDIT/UPDATE: I should also note that Norton 2007 doesn't even seem to detect the malware on my computer. I've done two full system scans and both times it has come up completely clean.

Also, today it went beyond the annoying "virus alerts". Suddenly, I get pop-ups filled with uncensored pictures. Sometimes it will tell me "You have 156 adult files on your computer. Don't get caught with your pants down!" or something like that. I have not visited any website of the sort on this computer. I'm now afraid somebody will walk by the computer when I'm not there, see one of these pop-ups and think that I was looking at it. I am currently downloading AVG since I heard good things about it and, based on a scan of one of the files I knew was malicious on VirusTotal, it is able to detect it. I am hoping that it will help me to solve this nasty problem.

GOOD UPDATE 1: Okay, I just did an AVG scan of the Net Project thing and it successfully got rid of the annoying puresafteyhere thing and, as far as I can tell, the fake virus alerts and such; however, I think I probably still have crap on my computer, so I will have to go ahead and do a full system scan to try and clean completely. Two questions though: when I was installing AVG it told me I should uninstall Norton. Is there any reason why? I have also heard that programs like Norton are so widely used that malicious individuals have figured out ways to easily outsmart them. There are 102 days left on the free 15 month subscription to Norton that came with my computer. Should I just end it now and stick with AVG?

Thanks again for all the help; it seems that I am on my way to having a clean computer. I will edit back if I run into any problems.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: specWB
Having tried several other things, I guess I will have to try HijackThis. I have a question though: when I end the process through HJT, does it also delete the bad files or does it just end the process? If it just ends the process, how can I get rid of the files completely? I'll do it when I get home today and we'll see what happens. Do you enter Safe Mode the same on Vista as XP, by pressing F8 repeatedly?

And to Medea, that makes me nervous. I use this computer for online transactions quite frequently, and sometimes things such as credit card information, address, all that stuff is entered. I hope I don't have to format and start out all over again, but I will if it is the only way to prevent identity theft.

Thanks a lot for the help so far.

EDIT/UPDATE: I should also note that Norton 2007 doesn't even seem to detect the malware on my computer. I've done two full system scans and both times it has come up completely clean.

Also, today it went beyond the annoying "virus alerts". Suddenly, I get pop-ups filled with uncensored pictures. Sometimes it will tell me "You have 156 adult files on your computer. Don't get caught with your pants down!" or something like that. I have not visited any website of the sort on this computer. I'm now afraid somebody will walk by the computer when I'm not there, see one of these pop-ups and think that I was looking at it. I am currently downloading AVG since I heard good things about it and, based on a scan of one of the files I knew was malicious on VirusTotal, it is able to detect it. I am hoping that it will help me to solve this nasty problem.

GOOD UPDATE 1: Okay, I just did an AVG scan of the Net Project thing and it successfully got rid of the annoying puresafteyhere thing and, as far as I can tell, the fake virus alerts and such; however, I think I probably still have crap on my computer, so I will have to go ahead and do a full system scan to try and clean completely. Two questions though: when I was installing AVG it told me I should uninstall Norton. Is there any reason why? I have also heard that programs like Norton are so widely used that malicious individuals have figured out ways to easily outsmart them. There are 102 days left on the free 15 month subscription to Norton that came with my computer. Should I just end it now and stick with AVG?

Thanks again for all the help; it seems that I am on my way to having a clean computer. I will edit back if I run into any problems.

You generally don't want two resident antivirus programs at once. They could clash. If you want a different antivirus, can I suggest AntiVir because it has better detection rates than AVG does, typically. As you know already, none of these antiviruses can substitute for risk avoidance, so whichever one you pick, keep your wits about you. Here are additional security suggestions if you want.
 

QuixoticOne

Golden Member
Nov 4, 2005
1,855
0
0
Though I can sympathize with the desire for a "quick fix", I'm skeptical of the general approach when you KNOW you've been compromised by malware.

Personally my first impulse is to:

1) go get / borrow / buy a $99 USB 2.0 / Firewire external 320GB-500GB (or whatever) hard disk.

2) Boot from a floppy, reflash my BIOS.

3) boot from a system rescue CD, copy / image my relevant personal files to the 2nd drive.

4) That done, I'd format and wipe the system drive, reinstall the OS clean, install any service packs and security updates, install a new virus scanner / security software, install new / patched versions of my main applications.

5) scan and quarantine all the stuff on my external drive that is infected, and then restore only the relatively safe documents like text files, scanned office documents, scanned pictures, saved games, etc. Not any of the executables or scripts for sure.

Eh, maybe I'm paranoid. But at least that whole process is guaranteed to be 100% successful, and can be done in 12 hours or less, predictably. Whereas trying to "decontaminate" an infected system may or may not eventually succeed, you may or may not end up with a 100% safe / functional system, you may or may not lose data (or know you lost it) anyway, and it may take an unpredictable number of hours/days to combat the infection with various tools, scans, etc.

 

specWB

Member
Dec 20, 2006
95
0
0
Thanks for all the help, guys. I think my computer is clean now. To Medea and QuixoticOne, I do appreciate your advice, but at this point in time I can't bring myself to wipe the hard drive even if I can move a lot of things to an external hard drive. There are just a lot of things that would need to be reinstalled. I will however do that if problems persist.

One final question for anyone that wants to answer (I hope). It seems that neither AVG nor AntiVir have firewalls, at least in the free versions. I have heard that it is dumb to do anything without a firewall. I play a lot of games online, if that is relevant. Should I assume (to the extent that it is possible) that I would be safe without a firewall? Would you recommend that I stop being cheap and buy the full versions of these security packages so I have everything? Or will I be okay with the Windows firewall?

Thanks
 

QuixoticOne

Golden Member
Nov 4, 2005
1,855
0
0
Good to see you have it working.

Eh, Vista Firewall + Vista Defender + ALL security-relevant Windows updates = SORT OF OK basic security.

That said, I disabled Windows Firewall, disabled Windows Defender, and run the free versions of AVAST and COMODO.

http://www.avast.com/eng/avast_4_home.html

http://www.personalfirewall.co...download_firewall.html
Grab the newest 32 bit or 64 bit version as appropriate for your Vista.

Comodo can be a little more "in your face" about micro-managing the acceptance / denial of permissions than Windows Firewall/Windows Defender, which I like, but it can be an annoyance if you expect something to basically be automatic and not ask you many permissions questions ever... but you can tune it to be pretty automatic if you want, though you lose some control that way.

But whatever you do, run the Windows Update and Microsoft Malicious Software Removal Tool for February 2008 just to get the latest patches and a good clean scan.


Originally posted by: specWB
Thanks for all the help guys. I think my computer is clean now. To Medea and Quixoticone, I do appreciate your advice, but at this point in time I can't bring myself to wipe the hard drive even if I can move a lot of things to an external hard drive. There are just a lot of things that would need to be reinstalled. I will however do that if problems persist.

One final question for anyone that wants to answer (I hope). It seems that neither AVG nor AntiVir have firewalls, at least in the free versions. I have heard that it is dumb to do anything without a firewall. I play a lot of games online if that is relevant. Should I assume (to the extent that it is possible) that I would be safe without a firewall? Would you recommend that I stop being cheap and buy the full versions of these security packages so I have everything? Or will I be okay with the Windows firewall?

Thanks

 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Also, consider using a router if you don't already have one. I just revamped my router page a bit, if you want an overview of why you might want a router in addition to your software firewall. It wouldn't have helped against Zlob, but since you asked about firewalls... there ya go.

Personally, I use the Windows Firewall (plus a router) and just maintain ruthless control over what I install on the system. I know there are different schools of thought about trying to control stuff on your PC using a two-way firewall (where it asks you to Yes/No stuff that's trying to get out), but with entire families of malware now bypassing firewall protection using BITS, UPnP, or by other methods such as borrowing a firewall-approved app, I think the place to stop it is much sooner than when it's already resident on your computer.

Ask yourself if your firewall would stop your web browser from downloading a .JPG image. If it does, then you can write off your firewall's ability to fend off malware that sneaks malicious code in by encapsulating it in an image. And unfortunately that is a real method in use by the bad guys.
 

QuixoticOne

Golden Member
Nov 4, 2005
1,855
0
0
Good points, mechB.

Yes, a decent firewall router is a good extra layer of defense in addition to a PC firewall.

Beyond that, indeed, the whole concept of firewalls and anti-virus software has failed to provide adequate security.

The buck stops with the end applications and individual programs, and there's one very simple fix. Pay attention to details and quality, take out the bugs, and start programming like it actually MATTERED if your program worked right under any possible conditions.

An old saying that is VERY true:
If carpenters built houses like programmers build computer software, civilization would be destroyed by the first woodpecker that came along.

People have created such a 'disposable goods' minded society that they feel that ANYTHING they create is not necessary to imbue with quality because it's just disposable / replaceable. Hence all the junky appliances, electronics, software programs, etc. that never really work quite right and never will be fixed. It's destroying our planet, and our natural and technical ecosystems.

Contrast that to eras gone by when it wasn't uncommon to build things that actually were durable and worked well for their jobs for hundreds of years. Castles, houses, utensils, carts, boats, books, whatever.

 