
Struggling for 3 days with multiple problems. HELP!

Discussion in 'Virus & Other Malware Removal' started by mamalaura, Sep 23, 2007.

  1. mamalaura

    mamalaura Thread Starter

    Joined:
    Sep 23, 2007
    Messages:
    7
    Please help. Here is all the information I can think of to give you. Apologies for verbosity. Please let me know what other information I can give you to help me. Thank you very much in advance.

    My computer was built for me by my late husband. It's an IBM compatible and he installed an AMD Duron processor in it with 1.30 GHz, 256 MB of RAM. Running OS is Windows XP Home Edition. Logitech Elite keyboard installed along with a Logitech Marble Mouse trackball. Installed scanners that I run or ran and keep or kept updated: Ad-Aware, Spybot Search & Destroy, Norton (was recently uninstalled using "Change/Remove" on the control panel, then with Norton Removal Tool), recently installed AVG Free Edition 7.5, and SpywareBlaster. I am not sure where to rate my computer ability. Maybe it could be said that I know barely enough to be extremely dangerous?

    Several problems, pretty much in order of occurrence: very erratic trackball; clunky-feeling keyboard, like I have to use more pressure to hit the keys to make them work, and the right-hand shift key does not work when I use it while online; Thursday night I came home to a nasty red desktop screen and three program icons I did not put on my desktop; a window that pops up; and one that stays on the desktop with a flashing red shield but easily goes behind other windows.

    First, the trackball. The left button started acting very, very erratically a couple of months ago. I was not sure if it was due to it wearing out or if the drivers might need to be re-installed. I re-installed the trackball driver from the CD. It works a little better but the left button is still a little erratic. It was also very difficult, if not impossible at times, to use the left button for copy and paste functions. This is also a little better.

    Second, the keyboard. I installed this keyboard after the old one died, so I am not sure if I even have it configured. After I installed it the keys worked very well; they had a very fluid and smooth feel to them. But within the last 2 months, the keys were just really hard to operate. I had to hit each one very hard. Then about a week or so ago, I would type and then there would be a long delay for the typing to show up on the monitor. This is when I did a stupid and blonde kind of thing and uninstalled Norton. I don't always work well under pressure. The keys got easier again. As a side note, I have carpal tunnel, so sometimes I hit a wrong combination of keys and funny things happen, and then I have to figure out how to undo them. Then within the last week or so, while online, my right-hand shift key acts like a "back" button but is fine when I am using a word processing program of some kind. Yes, I almost forgot. None of the "F" keys seem to work, so continually pressing the "F8" button does not get me to Safe mode.

    Third, the nasty evil red screen and the program icons. They are "Error Cleaner", "Privacy Protection", and "Spyware/Malware Protection". I updated my Ad-Aware and scanned my computer. Then I updated my Spybot Search & Destroy and ran that. That seemed to help get rid of the nasty red screen and the three icons after I restarted my computer. I rescanned using Ad-Aware and Spybot. At some point, I don't remember when exactly, the three icons reappeared.

    Fourth, the window that popped up and stays. There is a "Yes" button and a "No" button. The "close" button is greyed out, so you don't have the option of clicking on it.

    Spyware Alert -

    "! Security Warning!

    Trojan.W32.LookSky detected on your machine This virus is distributed via the Internet through e-mail and Active-X objects. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.

    This process should be removed from your system.

    Type: Virus
    System Affected: Windows 2000, NT, ME, XP, Vista
    Security Risk (0-5): 5
    Recommendations: Click Yes to remove it from your PC immediately."

    Fifth, the window that keeps popping up. Clicking on the close button automatically brings up IE, which I then have to close. Later it pops back up again, sometimes after a minute, sometimes more, sometimes less.

    Windows Security Alert - "Windows has detected an Internet attack attempt...Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection."

    During the last couple of days, I consulted a very computer-savvy friend who helped me work through it some. She had me download and scan using the Trojan removal tool, Windows KB890830-V1.33, because of the spyware alert window. She was also the one who suggested downloading and using the Norton Removal Tool. After that I got and used AVG Free Edition 7.5. Also, I have been unplugging my Internet cable from my tower since Saturday when I don't need to be online for anything. She also had me go in under "My Computer" and turn off "System Restore". She also suggested that I come to you guys for help.

    Ad-Aware Logs:
    ArchiveData(auto-quarantine- 2007-09-20 13-01-00.bckp)
    Referencefile : SE1R192 17.09.2007
    ======================================================

    MRU LIST
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[0]=MRU FileReference : C:\Documents and Settings\Laura Stalter\Application Data\microsoft\office\recent\Dr. Said Folder.LNK
    obj[1]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\082207 #3 Patient Listing.lnk
    obj[2]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\corel\user assistant\9\recent work\wordperfect\last opened\a
    obj[3]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Dr. Said Templates.lnk
    obj[4]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\corel\user assistant\9\recent work\wordperfect\last opened
    obj[5]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
    obj[6]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
    obj[7]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
    obj[8]=MRU RegReference : .DEFAULT\software\microsoft\internet explorer\typedurls
    obj[9]=MRU RegReference : S-1-5-18\software\microsoft\internet explorer\typedurls
    obj[10]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\internet explorer\typedurls
    obj[11]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\microsoft management console\recent file list
    obj[12]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru value
    obj[13]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
    obj[14]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\recentdocs\.doc
    obj[15]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\recentdocs\.wpd
    obj[16]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
    obj[17]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Dictation Time Sheet.lnk
    obj[18]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows media\wmsdk\general computername
    obj[19]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\082207 #1 Dictation.lnk
    obj[20]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\090307 Patient Listing.lnk
    obj[21]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\090307 Dictation Time Sheet.lnk
    obj[22]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\082207 #2 packet 6.lnk
    obj[23]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\091807 Dictation Invoice.lnk
    obj[24]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Statistic Log Template.lnk
    obj[25]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Dictation Template.lnk
    obj[26]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Elizabeth Westenskow.lnk
    obj[27]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\083107 Dictation Invoice.lnk
    obj[28]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Patient Listing Template.lnk

    ZANGO
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[16]=Process : C:\Program Files\Zango\bin\10.0.341.0\ZangoSA.exe
    obj[17]=Regkey : appid\{dbf00e12-281c-4dc8-a7ec-1ff45182439b}
    obj[18]=Regkey : clsid\{1e5b2693-d348-4ca7-8364-4f5e51bf9c6d}
    obj[19]=Regkey : clsid\{2e54ac53-efa4-4831-a3f6-b47b1a1937cf}
    obj[20]=Regkey : clsid\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf}
    obj[21]=RegValue : clsid\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "AppID"
    obj[22]=Regkey : interface\{1985fce1-4043-4346-ae70-d0a0cd90bdd3}
    obj[23]=Regkey : interface\{2e623b96-b166-4c70-8169-820761794299}
    obj[24]=Regkey : typelib\{ad71e48f-6f47-4b63-9312-fae879541c4d}
    obj[25]=Regkey : typelib\{dd1cb2d7-161d-4b84-ae5c-08d3faed894f}
    obj[26]=Regkey : software\microsoft\windows\currentversion\ext\preapproved\{1e5b2693-d348-4ca7-8364-4f5e51bf9c6d}
    obj[27]=Regkey : software\microsoft\windows\currentversion\ext\preapproved\{2e54ac53-efa4-4831-a3f6-b47b1a1937cf}
    obj[28]=Regkey : software\microsoft\windows\currentversion\ext\preapproved\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf}
    obj[29]=Regkey : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf}
    obj[30]=RegValue : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "AppPath"
    obj[31]=RegValue : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "Policy"
    obj[32]=RegValue : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "CLSID"
    obj[36]=Regkey : appid\zangosa_df.exe
    obj[37]=Regkey : zango.desktopflash
    obj[38]=Regkey : zango.desktopflash.1
    obj[39]=Regkey : zangoax.clientdetector
    obj[40]=Regkey : zangoax.clientdetector.1
    obj[41]=Regkey : zangoax.userprofiles
    obj[42]=Regkey : zangoax.userprofiles.1
    obj[43]=Regkey : software\zango
    obj[44]=Regkey : software\zangosa
    obj[45]=RegValue : software\zangosa "last_conn_l"
    obj[46]=RegValue : software\zangosa "cdata"
    obj[47]=RegValue : software\zangosa "TimeOffset"
    obj[48]=RegValue : software\zangosa "actionurl_current_version"
    obj[49]=RegValue : software\zangosa "actionurl_last_full_version"
    obj[50]=RegValue : software\zangosa "keyword_current_version"
    obj[51]=RegValue : software\zangosa "keyword_last_full_version"
    obj[52]=RegValue : software\zangosa "recent_shown"
    obj[53]=RegValue : software\zangosa "key_int_high"
    obj[54]=RegValue : software\zangosa "key_int_low"
    obj[55]=Regkey : software\microsoft\installer\features\9ee2330ae5f4470cac801baac83818c9
    obj[56]=Regkey : software\zango
    obj[57]=Regkey : software\microsoft\windows\currentversion\uninstall\zangosa
    obj[58]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "DisplayIcon"
    obj[59]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "UninstallString"
    obj[60]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "DisplayVersion"
    obj[61]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "HelpLink"
    obj[62]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "Publisher"
    obj[63]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "URLInfoAbout"
    obj[64]=RegValue : software\microsoft\windows\currentversion\run "zangooe"
    obj[65]=RegValue : software\mozilla\firefox\extensions "[email protected]"
    obj[66]=Folder : C:\Documents and Settings\All Users\Start Menu\Programs\Zango
    obj[67]=Folder : C:\Program Files\Zango
    obj[68]=Folder : C:\Documents and Settings\Laura Stalter\Application Data\Zango
    obj[69]=File : C:\DOCUME~1\LAURAS~1\LOCALS~1\Temp\temp.fr67BA\bin\10.0.328.0\firefox\extensions\plugins\npclntax_ZangoSA.dll
    obj[70]=File : C:\DOCUME~1\LAURAS~1\LOCALS~1\Temp\temp.fr67BA\bin\10.0.328.0\ZangoSADF.exe
    obj[71]=File : C:\DOCUME~1\LAURAS~1\LOCALS~1\Temp\temp.fr67BA\bin\10.0.328.0\ZangoSAHook.dll
    obj[72]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Reset Cursor.lnk
    obj[73]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Customer Support Center.lnk
    obj[74]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Uninstall Instructions.lnk
    obj[75]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Games!.lnk
    obj[76]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Videos!.lnk
    obj[77]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Screensavers!.lnk
    obj[78]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Library.lnk

    TRACKING COOKIE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[33]=IECache Entry : Cookie:laura [email protected]/
    obj[34]=IECache Entry : Cookie:laura [email protected]/
    obj[35]=IECache Entry : Cookie:laura [email protected]/

    ArchiveData(auto-quarantine- 2007-09-22 04-24-43.bckp)
    Referencefile : SE1R192 17.09.2007
    ======================================================

    MRU LIST
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[0]=MRU FileReference : C:\Documents and Settings\Laura Stalter\Application Data\microsoft\office\recent\090307 Patient Listing.LNK
    obj[1]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\090307 Dictation Time Sheet.lnk
    obj[2]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Dr. Said Folder.lnk
    obj[3]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\090307 Dictation.lnk
    obj[4]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\090307 Patient Listing.lnk
    obj[5]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\091807 Dictation Invoice.lnk
    obj[6]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\Dr. Said Master Patient Listing.lnk
    obj[7]=MRU FileReference : C:\Documents and Settings\Laura Stalter\recent\090307 packet 1.lnk
    obj[8]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
    obj[9]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\recentdocs\.doc
    obj[10]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
    obj[12]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows media\wmsdk\general computername
    obj[13]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
    obj[14]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
    obj[15]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\internet explorer\typedurls
    obj[16]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru value
    obj[17]=MRU RegReference : S-1-5-21-73586283-1677128483-854245398-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

    ZANGO
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[11]=Process : C:\Program Files\Zango\bin\10.0.341.0\ZangoSA.exe
    obj[20]=Regkey : appid\{dbf00e12-281c-4dc8-a7ec-1ff45182439b}
    obj[21]=Regkey : clsid\{1e5b2693-d348-4ca7-8364-4f5e51bf9c6d}
    obj[22]=Regkey : clsid\{2e54ac53-efa4-4831-a3f6-b47b1a1937cf}
    obj[23]=Regkey : clsid\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf}
    obj[24]=RegValue : clsid\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "AppID"
    obj[25]=Regkey : interface\{1985fce1-4043-4346-ae70-d0a0cd90bdd3}
    obj[26]=Regkey : interface\{2e623b96-b166-4c70-8169-820761794299}
    obj[27]=Regkey : typelib\{ad71e48f-6f47-4b63-9312-fae879541c4d}
    obj[28]=Regkey : typelib\{dd1cb2d7-161d-4b84-ae5c-08d3faed894f}
    obj[29]=Regkey : software\microsoft\windows\currentversion\ext\preapproved\{1e5b2693-d348-4ca7-8364-4f5e51bf9c6d}
    obj[30]=Regkey : software\microsoft\windows\currentversion\ext\preapproved\{2e54ac53-efa4-4831-a3f6-b47b1a1937cf}
    obj[31]=Regkey : software\microsoft\windows\currentversion\ext\preapproved\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf}
    obj[32]=Regkey : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf}
    obj[33]=RegValue : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "AppPath"
    obj[34]=RegValue : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "Policy"
    obj[35]=RegValue : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf} "CLSID"
    obj[37]=Regkey : appid\zangosa_df.exe
    obj[38]=Regkey : zango.desktopflash
    obj[39]=Regkey : zango.desktopflash.1
    obj[40]=Regkey : zangoax.clientdetector
    obj[41]=Regkey : zangoax.clientdetector.1
    obj[42]=Regkey : zangoax.userprofiles
    obj[43]=Regkey : zangoax.userprofiles.1
    obj[44]=Regkey : software\zango
    obj[45]=Regkey : software\zangosa
    obj[46]=RegValue : software\zangosa "last_conn_l"
    obj[47]=RegValue : software\zangosa "cdata"
    obj[48]=RegValue : software\zangosa "TimeOffset"
    obj[49]=RegValue : software\zangosa "actionurl_current_version"
    obj[50]=RegValue : software\zangosa "actionurl_last_full_version"
    obj[51]=RegValue : software\zangosa "keyword_current_version"
    obj[52]=RegValue : software\zangosa "keyword_last_full_version"
    obj[53]=RegValue : software\zangosa "recent_shown"
    obj[54]=RegValue : software\zangosa "key_int_high"
    obj[55]=RegValue : software\zangosa "key_int_low"
    obj[56]=Regkey : software\microsoft\installer\features\9ee2330ae5f4470cac801baac83818c9
    obj[57]=Regkey : software\zango
    obj[58]=Regkey : software\microsoft\windows\currentversion\uninstall\zangosa
    obj[59]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "DisplayIcon"
    obj[60]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "UninstallString"
    obj[61]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "DisplayVersion"
    obj[62]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "HelpLink"
    obj[63]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "Publisher"
    obj[64]=RegValue : software\microsoft\windows\currentversion\uninstall\zangosa "URLInfoAbout"
    obj[65]=RegValue : software\microsoft\windows\currentversion\run "zangooe"
    obj[66]=RegValue : software\mozilla\firefox\extensions "[email protected]"
    obj[67]=Folder : C:\Documents and Settings\All Users\Start Menu\Programs\Zango
    obj[68]=Folder : C:\Program Files\Zango
    obj[69]=Folder : C:\Documents and Settings\Laura Stalter\Application Data\Zango
    obj[90]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Reset Cursor.lnk
    obj[91]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Customer Support Center.lnk
    obj[92]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Uninstall Instructions.lnk
    obj[93]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Games!.lnk
    obj[94]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Videos!.lnk
    obj[95]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Screensavers!.lnk
    obj[96]=File : C:\Documents and Settings\All Users\Start Menu\Programs\zango\Zango Library.lnk

    ADWARE.AGENT
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[12]=Regkey : interface\{ef94a58f-599b-4602-9c34-99683c5859b1}
    obj[13]=Regkey : interface\{967a494a-6aec-4555-9caf-fa6eb00acf91}
    obj[14]=Regkey : interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5}
    obj[15]=Regkey : typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226}
    obj[70]=Regkey : msvps.msvpsapp
    obj[71]=RegValue : software\microsoft\internet explorer\main "statusbarweb"
    obj[72]=RegValue : software\microsoft\videoplugin "at"
    obj[73]=RegData : software\microsoft\internet explorer\main "Start Page"
    obj[74]=RegData : software\microsoft\internet explorer\main "Start Page"
    obj[75]=Folder : C:\WINDOWS\privacy_danger
    obj[97]=File : C:\Documents and Settings\Laura Stalter\Favorites\Error Cleaner.url
    obj[98]=File : C:\Documents and Settings\Laura Stalter\Desktop\Error Cleaner.url
    obj[99]=File : C:\Documents and Settings\Laura Stalter\Desktop\Privacy Protector.url
    obj[100]=File : C:\Documents and Settings\Laura Stalter\Favorites\Privacy Protector.url
    obj[101]=File : C:\Documents and Settings\Laura Stalter\Favorites\Spyware&Malware Protection.url
    obj[102]=File : C:\Documents and Settings\Laura Stalter\Desktop\Spyware&Malware Protection.url
    obj[103]=File : C:\WINDOWS\rs.txt

    WIN32.TROJAN.AGENT
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[16]=Regkey : clsid\{150ea8e7-a97c-4816-ad02-4865eef8c5ff}
    obj[17]=Regkey : clsid\{baba5bdb-4eff-48db-b443-679651d37128}
    obj[18]=Regkey : interface\{b6a3935f-8fe4-49a4-b987-a1c09e53589f}
    obj[19]=Regkey : typelib\{cdc0999c-999c-4ee1-875b-5c3542641768}
    obj[76]=Regkey : software\microsoft\videoplugin
    obj[77]=RegValue : software\microsoft\videoplugin "sid"
    obj[78]=RegValue : software\microsoft\videoplugin "aid"
    obj[79]=RegValue : software\microsoft\videoplugin "said"
    obj[80]=RegValue : software\microsoft\videoplugin "dt"
    obj[81]=RegValue : software\microsoft\videoplugin "lr"
    obj[82]=RegValue : software\microsoft\videoplugin "last-update-check"
    obj[83]=RegValue : software\microsoft\videoplugin "sp-last-click"
    obj[84]=RegValue : software\microsoft\videoplugin "sp-click-count"
    obj[85]=RegValue : software\microsoft\videoplugin "cpv-last-click"
    obj[86]=RegValue : software\microsoft\videoplugin "cpv-click-count"
    obj[87]=RegValue : software\microsoft\videoplugin "sn-last-click"
    obj[88]=RegValue : software\microsoft\videoplugin "sn-click-count"
    obj[89]=RegValue : software\microsoft\internet explorer\phishingfilter "enabled"

    TRACKING COOKIE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[36]=IECache Entry : Cookie:laura [email protected]/


    Running Processes from Ctrl+Alt+Del (Task Manager):
    ALG.EXE LOCAL SERVICE 00 56 K
    AVGAMSVR.EXE SYSTEM 00 424 K
    AVGCC.EXE Laura Stalter 00 248 K
    AVGEMC.EXE SYSTEM 00 1,148 K
    AVGUPSVC.EXE SYSTEM 00 376 K
    CSRSS.EXE SYSTEM 00 1,904 K
    CTFMON.EXE Laura Stalter 00 1,812 K
    CTNotify.exe Laura Stalter 00 804 K
    Ctsvccda.exe SYSTEM 00 36 K
    Directcd.exe Laura Stalter 00 912 K
    EM_EXEC.EXE Laura Stalter 00 704 K
    EXPLORER.EXE Laura Stalter 99 14,176 K
    iPodService.exe SYSTEM 00 632 K
    iTunesHelper.exe Laura Stalter 00 728 K
    jusched.exe Laura Stalter 00 36 K
    LEXBCES.EXE SYSTEM 00 992 K
    LEXPPS.EXE SYSTEM 00 380 K
    LSASS.EXE SYSTEM 00 944 K
    lxbkbmgr.exe Laura Stalter 00 336 K
    lxbkbmon.exe Laura Stalter 00 376 K
    Mediadet.exe Laura Stalter 00 796 K
    MSMSGS.EXE Laura Stalter 00 776 K
    realsched.exe Laura Stalter 00 144 K
    SERVICES.EXE SYSTEM 00 1,172 K
    SetiSpy.exe Laura Stalter 01 1,820 K
    SMSS.EXE SYSTEM 00 44 K
    SPOOLSV.EXE SYSTEM 00 2,420 K
    SVCHOST.EXE SYSTEM 00 1,168 K
    SVCHOST.EXE NETWORK SERVICE 00 1,440 K
    SVCHOST.EXE SYSTEM 00 14,860 K
    SVCHOST.EXE NETWORK SERVICE 00 844 K
    SVCHOST.EXE LOCAL SERVICE 00 972 K
    SVCHOST.EXE SYSTEM 00 432 K
    System SYSTEM 00 36 K
    System Idle Process SYSTEM 98 16 K
    taskmgr.exe Laura Stalter 00 5,268 K
    TeaTimer.exe Laura Stalter 00 10,588 K
    WINLOGON.EXE SYSTEM 00 1,008 K
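The Ad-Aware listing above is the kind of log a helper has to triage by hand: a few hundred `obj[n]=Type : value` lines, most of which are MRU residue or tracking cookies, with the items that actually keep the adware alive (the Run value, the pre-approved ActiveX CLSIDs, the IE elevation-policy and phishing-filter changes, the Start Page override, the scareware `.url` shortcuts on the Desktop and in Favorites) scattered among them. As an added example that is not part of this thread and not Ad-Aware's own code, the Python below parses that layout and tags those items so they surface first. The sample log is a constructed excerpt modelled on the lines posted above; the tag names and the `classify`/`triage` helpers are my own.

```python
import re
from collections import Counter

# Constructed excerpt in the Ad-Aware "obj[n]=Type : value" format, modelled on
# the log posted above; a handful of lines per family rather than the full listing.
SAMPLE_LOG = r"""
MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name

ZANGO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[16]=Process : C:\Program Files\Zango\bin\10.0.341.0\ZangoSA.exe
obj[26]=Regkey : software\microsoft\windows\currentversion\ext\preapproved\{1e5b2693-d348-4ca7-8364-4f5e51bf9c6d}
obj[29]=Regkey : software\microsoft\internet explorer\low rights\elevationpolicy\{bd937ffe-0352-4fde-88f2-c30d1a9b25cf}
obj[64]=RegValue : software\microsoft\windows\currentversion\run "zangooe"
obj[67]=Folder : C:\Program Files\Zango

ADWARE.AGENT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[73]=RegData : software\microsoft\internet explorer\main "Start Page"
obj[98]=File : C:\Documents and Settings\Laura Stalter\Desktop\Error Cleaner.url
obj[101]=File : C:\Documents and Settings\Laura Stalter\Favorites\Spyware&Malware Protection.url
obj[103]=File : C:\WINDOWS\rs.txt

WIN32.TROJAN.AGENT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[76]=Regkey : software\microsoft\videoplugin
obj[89]=RegValue : software\microsoft\internet explorer\phishingfilter "enabled"
"""

# obj[<index>]=<kind> : <path> ["<value name>"]   (value name is optional)
OBJ_RE = re.compile(r'^obj\[(\d+)\]=([^:]+?) : (.*?)(?: "([^"]*)")?$')
# Family headers are the all-caps lines such as ZANGO or WIN32.TROJAN.AGENT.
FAMILY_RE = re.compile(r'^[A-Z][A-Z0-9 .]*$')


def classify(kind, path, value):
    """Tag one object with the persistence / browser-tampering role it plays.
    Tag names are this example's own, not Ad-Aware categories."""
    p = path.lower()
    if kind == "Process":
        return "running-process"
    if kind.startswith("MRU"):
        return "mru-noise"               # recent-document residue, not malware
    if kind == "IECache Entry":
        return "tracking-cookie"
    if "\\currentversion\\run" in p:
        return "autorun"                 # starts with the user session
    if "browser helper objects" in p:
        return "bho"
    if "ext\\preapproved" in p:
        return "ie-preapproved-activex"  # ActiveX control IE will load without asking
    if "elevationpolicy" in p:
        return "ie-elevation-policy"
    if "phishingfilter" in p:
        return "ie-phishing-filter-tamper"
    if "internet explorer\\main" in p and value == "Start Page":
        return "homepage-hijack"
    if kind == "File" and p.endswith(".url") and ("\\desktop\\" in p or "\\favorites\\" in p):
        return "rogue-shortcut"          # the "Error Cleaner" style scareware links
    return "other"


def parse_adaware_log(text):
    """Return one dict per obj[n] line: family, index, kind, path, value, tag."""
    findings, family = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("»") or line.startswith("="):
            continue
        if FAMILY_RE.match(line):
            family = line
            continue
        m = OBJ_RE.match(line)
        if not m:
            continue
        idx, kind, path, value = m.groups()
        findings.append({
            "family": family, "index": int(idx), "kind": kind,
            "path": path, "value": value, "tag": classify(kind, path, value),
        })
    return findings


def triage(findings):
    """Items to deal with first: anything that gives the adware a foothold,
    changes what the browser trusts, or is a scareware lure."""
    act_on = {"autorun", "bho", "ie-preapproved-activex", "ie-elevation-policy",
              "ie-phishing-filter-tamper", "homepage-hijack", "rogue-shortcut",
              "running-process"}
    return [f for f in findings if f["tag"] in act_on]


def summary(findings):
    """Tag counts per detection family, e.g. {'ZANGO': Counter({'autorun': 1, ...})}."""
    out = {}
    for f in findings:
        out.setdefault(f["family"], Counter())[f["tag"]] += 1
    return out


if __name__ == "__main__":
    fs = parse_adaware_log(SAMPLE_LOG)
    for f in triage(fs):
        print(f"{f['family']:20} {f['tag']:26} {f['path']} {f['value'] or ''}")
    print(summary(fs))
```

Run it as a script to print the action list for the sample. MRU references and tracking cookies are tagged as noise on purpose so that the handful of real persistence items are not buried under them; the `other` bucket (program folders, the stray `rs.txt`, the `videoplugin` key) still gets removed, it just is not what decides whether the machine is clean.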
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  3. mamalaura

    mamalaura Thread Starter

    Joined:
    Sep 23, 2007
    Messages:
    7
    ComboFix 07-09-21.2 - "Laura Stalter" 2007-09-23 22:25:52.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.64 [GMT -7:00]
    Script execution time was exceeded on script "C:\ComboFix\restore_pt.vbs".
    Script execution was terminated.
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\LAURAS~1\DESKTOP\Error Cleaner.url
    C:\DOCUME~1\LAURAS~1\DESKTOP\Privacy Protector.url
    C:\DOCUME~1\LAURAS~1\DESKTOP\Spyware&Malware Protection.url
    C:\DOCUME~1\LAURAS~1\FAVORI~1\Error Cleaner.url
    C:\DOCUME~1\LAURAS~1\FAVORI~1\Privacy Protector.url
    C:\DOCUME~1\LAURAS~1\FAVORI~1\Spyware&Malware Protection.url
    C:\Program Files\VideoAccessCodec
    C:\Program Files\VideoAccessCodec\install.ico
    C:\Program Files\VideoAccessCodec\Uninstall.exe
    C:\WINDOWS\main_uninstaller.exe
    C:\WINDOWS\msmdev.dll
    C:\WINDOWS\msmhost.dll
    C:\WINDOWS\start.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
    .

    2007-09-23 22:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-22 23:28 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-09-20 23:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZangoSA
    2007-09-20 23:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
    2007-09-20 13:02 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Real
    2007-09-18 08:24 <DIR> d--hs---- C:\FOUND.020

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\dllcache\cdm.dll
    2007-07-30 19:19 92504 --a------ C:\WINDOWS\SYSTEM32\cdm.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
    2007-07-30 19:19 549720 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuapi.dll
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\wuauclt.exe
    2007-07-30 19:19 53080 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuauclt.exe
    2007-07-30 19:19 43352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
    2007-07-30 19:19 325976 --a------ C:\WINDOWS\SYSTEM32\dllcache\wucltui.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
    2007-07-30 19:19 203096 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuweb.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll
    2007-07-30 19:19 1712984 --a------ C:\WINDOWS\SYSTEM32\dllcache\wuaueng.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
    2007-07-30 19:18 33624 --a------ C:\WINDOWS\SYSTEM32\dllcache\wups.dll
    2007-07-19 00:00 3583488 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
    2007-07-02 12:41 200704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
    2007-07-02 12:41 1044480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
    2007-06-27 07:35 823808 --a------ C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
    2007-06-27 07:35 232960 --------- C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
    2007-06-27 07:34 671232 --a------ C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
    2007-06-27 07:34 6058496 --------- C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
    2007-06-27 07:34 52224 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
    2007-06-27 07:34 477696 --a------ C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
    2007-06-27 07:34 459264 --------- C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
    2007-06-27 07:34 44544 --------- C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
    2007-06-27 07:34 384512 --------- C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
    2007-06-27 07:34 383488 --------- C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
    2007-06-27 07:34 27648 --a------ C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
    2007-06-27 07:34 267776 --------- C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
    2007-06-27 07:34 230400 --------- C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
    2007-06-27 07:34 193024 --a------ C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
    2007-06-27 07:34 153088 --------- C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
    2007-06-27 07:34 132608 --a------ C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
    2007-06-27 07:34 124928 --------- C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
    2007-06-27 07:34 1152000 --a------ C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
    2007-06-27 07:34 105984 --------- C:\WINDOWS\SYSTEM32\dllcache\url.dll
    2007-06-27 07:34 102400 --------- C:\WINDOWS\SYSTEM32\dllcache\occache.dll
    2007-06-27 01:27 63488 --------- C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
    2007-06-27 01:27 625152 --------- C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
    2007-06-27 01:27 13824 --------- C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
    2007-06-27 00:00 161792 --a------ C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
    2007-06-26 22:10 317440 --a------ C:\WINDOWS\SYSTEM32\dllcache\unregmp2.exe
    2007-06-25 23:08 1104896 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
    2007-06-25 23:08 1104896 --------- C:\WINDOWS\SYSTEM32\dllcache\msxml3.dll
    2004-01-12 13:38 462 --a------ C:\Program Files\INSTALL.LOG
    2004-01-11 16:32 266 ---hs---- C:\Program Files\desktop.ini
    2004-01-11 16:32 11079 ---h----- C:\Program Files\folder.htt
    2001-09-13 01:03 18911 --a------ C:\Program Files\Install.cd1
    2001-09-13 01:02 17277 --a------ C:\Program Files\Install.cd0
    2001-08-09 12:44 65536 --a------ C:\Program Files\Install.exe
    2001-05-11 15:57 227 --------- C:\Program Files\Schizm.max
    2001-05-11 15:57 227 --------- C:\Program Files\Schizm.ini
    2001-05-11 07:11 3538 --a------ C:\Program Files\Install.cd2
    2001-05-11 07:11 2464 --a------ C:\Program Files\Install.cd3
    2001-05-11 07:11 2062 --a------ C:\Program Files\Install.cd4
    2001-05-11 07:11 1450 --a------ C:\Program Files\Install.cd5
    2001-05-10 05:05 768 --a------ C:\Program Files\Schizm.min
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07AA283A-43D7-4CBE-A064-32A21112D94D}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray"="SysTray.Exe" [2003-03-31 12:00 C:\WINDOWS\SYSTEM32\systray.exe]
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-01-17 16:14]
    "%%DELETE_VALUE%%"="CreateCD50" []
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-11 19:51]
    "Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [1999-08-30 01:55]
    "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-03-28 07:18]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-02-02 16:17]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "Logitech Utility"="Logi_MwX.Exe" [2003-03-04 02:50 C:\WINDOWS\LOGI_MWX.EXE]
    "ZangoSA"="C:\Program Files\Zango\bin\10.0.341.0\ZangoSA.exe" []
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-22 12:20]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
    SetiSpy.lnk - C:\Program Files\SETI@home CLI\SetiSpy.exe [2003-12-29 12:31:32]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-04-27 02:04:44]

    C:\DOCUME~1\LAURAS~1\STARTM~1\PROGRAMS\STARTUP\
    OUTLOOK.lnk - C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE [2001-03-07 08:15:54]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\PROGRAM FILES\QUALCOMM\EUDORA\EUSHLEXT.DLL [2003-03-31 09:14 86016]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    "EnsoniqMixer"=starter.exe
    "Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe
    "LexStart"=lexstart.exe
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
    "QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

    R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
    R1 Pwd_2k;Pwd_2k;C:\WINDOWS\system32\drivers\Pwd_2k.sys
    R1 Udfreadr_xp;Udfreadr_xp;C:\WINDOWS\system32\drivers\Udfreadr_xp.sys
    R3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
    R3 EL90X;3Com EtherLink XL 90X Adapter Driver;C:\WINDOWS\system32\DRIVERS\el90xnd5.sys
    S3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
    rundll32.exeadvpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
    "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-10 08:17:30 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"
    - C:\WINDOWS\DEFRAG.EXE
    "2007-08-01 07:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-23 22:32:42
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???V???????????? C?????Disc [email protected][email protected]?? [email protected][email protected][email protected][email protected][email protected]?T?????????????????B???????????????????????????????????B

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-23 22:35:56 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-23 22:35
    .
    --- E O F ---
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click Non-Microsoft
      • In the Win32 Services group click Non-Microsoft
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click ALL
      • In the Files Created Within group click 30 days Make sure Non-Microsoft only is CHECKED
      • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is CHECKED
      • In the File String Search group select ALL
      • In the Additional Scans section, press Select All and then unselect Event Viewer. Uncheck Non-Microsoft only.
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    Use the Reply button and attach the notepad file here . I will review it when it comes in.
     
  5. mamalaura

    mamalaura Thread Starter

    Joined:
    Sep 23, 2007
    Messages:
    7
    Done. Here's the WinPFind3U report. Thanks for the step-by-step!
    mamalaura
     

    Attached Files:

  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    WinPFind3 Fix -


    Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Kill Explorer]
    [Unregister Dlls]
    [Registry - All]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> ZangoSA -> %ProgramFiles%\Zango\bin\10.0.341.0\ZangoSA.exe
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {07AA283A-43D7-4CBE-A064-32A21112D94D} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    < Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {93B0FA7B-50F6-41B4-AC7E-612A72CE8C3C} [HKLM] -> %ProgramFiles%\Zango\bin\10.0.341.0\HostIE.dll [Zango Information Window]
    < Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    YN -> {93B0FA7B-50F6-41B4-AC7E-612A72CE8C3C} [HKLM] -> %ProgramFiles%\Zango\bin\10.0.341.0\HostIE.dll [Zango Information Window]
    < Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
    YN -> {07AA283A-43D7-4CBE-A064-32A21112D94D} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    [Registry - Additional Scans - All]
    < Approved Shell Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    YN -> {D653647D-D607-4DF6-A5B8-48D2BA195F7B} [HKLM] -> Reg Data - Key not found [BitDefender Antivirus v8]
    < ContextMenuHandlers - Folder [HKLM] > -> HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\
    YN -> {D653647D-D607-4DF6-A5B8-48D2BA195F7B} [HKLM] -> Reg Data - Key not found [BitDefender Antivirus v7]
    YN -> {D653647D-D607-4DF6-A5B8-48D2BA195F7B} [HKLM] -> Reg Data - Key not found [BitDefender Antivirus v8]
    [Files/Folders - Created Within 30 days]
    NY -> ZangoSA -> %AllUsersAppData%\ZangoSA
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]
    
    
    The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

    when it reboots


    Post the following back here:

    the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
     
  7. mamalaura

    mamalaura Thread Starter

    Joined:
    Sep 23, 2007
    Messages:
    7
    Yes, I did have a problem kind of. WinPFind3u seemed to act stalled after it started when I got a series of Spybot SD windows that said:

    #1
    "Spybot - Search & Destroy has detected an important registry entry that has been changed.
    Category: System Startup global entry
    Change: Value deleted
    Entry: Zango SA"
    Old data: "C:\Program Files\Zango\bin\10.0.341.0\Za.... (couldn't see what the rest was)

    After hitting the close button and getting the same message above which all said the following:

    #2
    Category: Global browser toolbar
    Change: Value deleted
    Entry: {07AA283-43D7-4CBE-A064-32A321112D94

    #3
    Category: Browser Help Object
    Change: Value deleted
    Entry: {07AA283-43D7-4CBE-A064-32A321112D94

    #4
    Category: User-specific browser toolbar
    Change: Value deleted
    Entry: {9380FA7B-50F6-41B4-AC7E-612A726CE8C3

    #5
    Category: Global browser toolbar
    Change: Value deleted
    Entry: {9380FA7B-50F6-41B4-AC7E-612A726CE8C3

    Hitting the close button again got me: #3 repeated, #4 repeated, #3 repeated, and then #4 repeated. So I finally moved the window aside and found the system reboot request window underneath.

    I am also having an issue with my keyboard. My right shift key is still acting like a "back" button whenever I am online.

    Question: Can I still do word processing on my computer while we're still working on this problem? I do transcription on the side and I'm really far behind.

    Another question: I really miss listening to my Internet radio. It would be a bad idea to try, right?

    Thank you.
    Laura
     

    Attached Files:

  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Go to here and download the 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
    Click on the entry in start menu to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  9. mamalaura

    mamalaura Thread Starter

    Joined:
    Sep 23, 2007
    Messages:
    7
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:39:06 PM, on 09/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SETI@home CLI\SetiSpy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
    N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\LAURA STALTER\Application Data\Mozilla\Profiles\default\kp23xdze.slt\prefs.js)
    N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\LAURA STALTER\Application Data\Mozilla\Profiles\default\kp23xdze.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
    O3 - Toolbar: My Digital Kitchen Bar - {B602FDE0-843C-40D4-880D-D007FBF120D4} - C:\WINDOWS\SYSTEM32\MDKTOO~1.DLL
    O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [%%DELETE_VALUE%%] CreateCD50
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.0.341.0\ZangoSA.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: OUTLOOK.lnk = C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    O4 - Global Startup: SetiSpy.lnk = C:\Program Files\SETI@home CLI\SetiSpy.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.mralliance.org
    O15 - Trusted Zone: http://www.needwoodemporium.com
    O15 - Trusted Zone: *.nwpr.org
    O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{519D651D-6390-4735-99A6-E8C0D91CE73B}: Domain = nwi.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{519D651D-6390-4735-99A6-E8C0D91CE73B}: NameServer = 206.130.130.2,206.130.133.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{62B3CBE5-F9FE-43AD-905A-87F64220D01B}: NameServer = 206.130.130.2 206.130.133.2
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8228 bytes
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    first:

    Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
    To disable SpybotSD TeaTimer:

    Open Spybot and click on Mode and check Advanced Mode
    Check yes to next window.
    Click on Tools in bottom left hand corner.
    Click on System Startup icon.
    Uncheck Teatimer box.
    Click Allow Change box.

    You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

    then

    Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press "Fix checked".


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s

    O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)

    O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.0.341.0\ZangoSA.exe"
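The three entries picked out above are each a different kind of finding in a HijackThis log: a SearchURL pointing at a non-Microsoft host (R1), a toolbar CLSID whose DLL no longer exists (O3, "(no file)"), and an autorun under a known adware folder (O4). The script below is an added example, not part of this thread and not HijackThis's own code; it parses lines in the v2 log format and applies those three rules so the lines to tick come out as a list. The indicator lists are seeded only from the entries the helper named here, and the sample log is constructed from a few lines of the log posted above. It goes one step beyond the post by also giving a "review" verdict to any R0/R1 URL that is not an Internet Explorer default, so the user can confirm they set it themselves.

```python
"""Triage a HijackThis v2 log: list the entries a malware helper would fix.

Added example for this thread; not from the forum post or from HijackThis.
Indicators are seeded from the three entries the helper told the poster to fix.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the fix posted in this thread; a real list would be longer.
KNOWN_BAD_PATH_FRAGMENTS = ("\\zango\\",)      # O4: ZangoSA adware autorun
KNOWN_BAD_HOSTS = ("www.accoona.com",)          # R1: SearchURL redirected
# Hosts Internet Explorer sets by default; any other R0/R1 URL gets a "review"
# verdict so the user can confirm they chose it (assumption: IE7 defaults).
DEFAULT_IE_HOSTS = ("go.microsoft.com", "www.microsoft.com", "www.msn.com")

LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)\s*$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

# Constructed sample in HijackThis v2 format, shaped after the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.0.341.0\ZangoSA.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def classify(line):
    """Return (verdict, reason) for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("type"), m.group("body")

    if kind in ("O2", "O3") and body.endswith("(no file)"):
        # A BHO/toolbar CLSID still registered although its DLL is gone:
        # dead weight on its own, but a leftover of something that was removed.
        return ("fix", "orphaned BHO/toolbar registration, file missing")

    if kind == "O4":
        run = RUN_RE.search(body)
        if run:
            cmd = run.group("cmd").lower()
            for frag in KNOWN_BAD_PATH_FRAGMENTS:
                if frag in cmd:
                    return ("fix", f"autorun points into known adware path {frag!r}")
        return None

    if kind in ("R0", "R1"):
        url = URL_RE.search(body)
        if not url:
            return None
        host = (urlparse(url.group("url")).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            return ("fix", f"search/start URL redirected to {host}")
        if host not in DEFAULT_IE_HOSTS:
            return ("review", f"non-default IE URL on {host}; confirm the user set it")
        return None

    return None


def triage(log_text):
    """Run classify() over a whole log; returns [(verdict, reason, line), ...]."""
    findings = []
    for raw in log_text.splitlines():
        result = classify(raw)
        if result:
            findings.append((result[0], result[1], raw.strip()))
    return findings


def lines_to_fix(log_text):
    """The exact lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for verdict, _, line in triage(log_text) if verdict == "fix"]


if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print(f"{verdict:6} {reason}\n       {line}")
```

On the constructed sample this reports the same three lines as the helper's list under "fix", and the softwarereferral.com start page under "review"; the Microsoft default URL, the Java BHO, the AVG autorun and the iPod service produce nothing. The rules stay deliberately narrow: an allowlist of default hosts and a short denylist seeded from this thread, so a benign autorun is never ticked just because it is unfamiliar.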
     
  11. mamalaura

    mamalaura Thread Starter

    Joined:
    Sep 23, 2007
    Messages:
    7
    I did exactly what you said. Now what? Is there anything else that needs to be done now?
    Thank you again for the help.
    Laura
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That should be clear now so if all problems have stopped


    Turn off system restore by following instructions here
    http://www.thespykiller.co.uk/index.php?page=8
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

    Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks,
    and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer.

    Then pay an urgent visit to windows update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place
     

Short URL to this thread: https://techguy.org/628125
