PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » [Resolved] 20 infected processes..154 infected registrys!

#1
10-21-2005
brent
Bronze Member
Join Date: Aug 2005
Posts: 61
[Resolved] 20 infected processes..154 infected registrys!

Hey. I'm just happy to be online right now. While searching on Google for some topics for a project I had to do, I clicked one of the hits. When I clicked it, 5 pages opened and it started downloading things to the computer. One of them was, I think, called "yadio media player", and it wouldn't let me close the boxes, so I did Ctrl-Alt-Del and shut them down, went to my programs and removed the program yadio. About 10 seconds later there were 10 icons on my desktop for things like poker, dating, blackjack, etc. I put those in the trash and clicked on the internet button, but every time it tried to open it said there was an unexpected problem and had to shut down. It did this every time I tried to get on, so I restarted the computer, and the icons were back, and I still couldn't get to the internet. After the 50th try it opened up, I think, its own made-up Internet Explorer page; it looked similar but all the buttons looked different, all my favorites were gone, and all I could go to was Google. So I ran a bunch of scans. Xoft Spy said I had 20 high-risk infected processes and 154 high-risk registry changes, and since I couldn't get on the internet to ask for help I decided to try out System Restore. I restored it to 3 days earlier, and it seems to be fine right now; I can get on the internet and things seem to be working. Here's my log in case something is still wrong. Thanks.



Logfile of HijackThis v1.99.1
Scan saved at 4:22:48 PM, on 10/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\ZyXEL\ZyAIR B-200 Wireless LAN USB Adapter\WLUSBCFG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Brent\Desktop\Things\HijackThis.exe
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ZyAIR B-200 Wireless LAN USB Adapter Utility.lnk = C:\Program Files\ZyXEL\ZyAIR B-200 Wireless LAN USB Adapter\WLUSBCFG.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1129415681811
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129415675021
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper (? 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\system32\ntua32.exe" /s (file missing)



P.S. The bottom two have been there forever and I can't delete them for some reason.


__________________
-Brent
#2
10-21-2005
Hengis
PCHF Founder & Owner
Join Date: Jan 2004
Location: Newbury, England
Posts: 10,838
PC Experience: Always learning

One of our excellent PC Security staff members will look at this today for you.


__________________
> Pre-Work > System File Checker
> Did we help you? If we did, please consider Donating

Last edited by Hengis; 10-21-2005 at 11:44 AM.
#3
10-21-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044

Hi brent, let's clean that up.

Before using HijackThis Please Do the Following:

Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
Please download CCleaner


Click Start>Run and type in: services.msc
Click OK
In the Services window find:

Remote Administrator Service
and
Remote Procedure Call (RPC) Helper

Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click Config > Misc Tools > "Delete an NT service".
Copy and paste:

r_server
and:
? 6QÔõ'ª´ÆÐ8


Click OK.


Then boot in safe mode and fix these with HJT:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper (? 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\system32\ntua32.exe" /s (file missing)
Now delete the files in bold and run CCleaner.



I see you already have Ewido; can you please run that and post the log, and then run a new HJT scan and post that log too.


I also see you don't have a firewall; you can have a look in the download section for some free ones. I would also recommend paying Windows Update a visit.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 10-21-2005 at 10:36 AM.
#4
10-21-2005
Mere_Mortal
Silver Member
Join Date: Oct 2005
Location: St Ives, Cornwall
Posts: 114
PC Experience: PC Illiterate

Hello

I also recommend the following once Joe's advice is complete.

Go to Start > Run > type NOTEPAD and press OK. Copy/paste in the following to the blank document...
Code:
REGEDIT4

; "name"=- removes the named value from the key listed above it
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"uuid"=-
...and then close/save the document with file type All Files and as anyfilename.REG. Then execute the script and confirm the prompt to merge into the Registry, so as to remove these values set by Trojan ZLOB. The good news on this malware is that the server it attempts to communicate with appears to be offline, I hope indefinitely.

Further to that, I have a feeling more work is needed to remove what is CoolWebSearch. For now, please run Trend Micro's CW Shredder and, after installing, proceed to "Fix". Then we'll take things from your next post.

Regards,
M_M
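Before merging any .reg file someone hands you, it is worth seeing exactly what it will do to the registry. As an added example (my code, not Mere_Mortal's script and not part of Windows or HijackThis), the Python below parses REGEDIT4 and "Windows Registry Editor Version 5.00" scripts into a list of key deletions, value deletions and value assignments, and notes any operation that touches an autostart location such as policies\explorer\run. The sample input is the script posted above; the AUTOSTART_MARKERS list is my own assumption about which key paths matter, and the parser expects already-decoded text (Version 5.00 files on disk are UTF-16).

```python
import re

# Sample input: the script Mere_Mortal posted above, reproduced here as the
# constructed test case for the parser.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"notepad.exe"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"uuid"=-
"""

HEADER_RE = re.compile(r"^(REGEDIT4|Windows Registry Editor Version 5\.00)$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [key] adds/opens, [-key] deletes
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')      # "name"=data, @ is the default value

# Key-path fragments that mean "run something at logon"; assumed list, extend as needed.
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\policies\\explorer\\run", "\\currentversion\\winlogon")


def _logical_lines(lines):
    """Join continuation lines (a trailing backslash, used for long hex: data)."""
    buf = ""
    for raw in lines:
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _value_name(token):
    if token == "@":
        return "(Default)"
    return token[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return the operations merging the script would perform, in order:
    ("delete_key", key), ("delete_value", key, name) or ("set_value", key, name, raw_data)."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or not HEADER_RE.match(lines[0].strip()):
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    ops, key, key_deleted = [], None, False
    for line in _logical_lines(lines[1:]):
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            key_deleted = bool(minus)
            if key_deleted:
                ops.append(("delete_key", key))
            continue
        m = VALUE_RE.match(line)
        if m:
            if key is None:
                raise ValueError("value line before any [key] line: " + line)
            if key_deleted:
                continue  # the key is being removed; values listed under it have no target
            name, data = _value_name(m.group(1)), m.group(2).strip()
            if data == "-":
                ops.append(("delete_value", key, name))
            else:
                ops.append(("set_value", key, name, data))
            continue
        raise ValueError("unrecognised line: " + line)
    return ops


def review(ops):
    """Pair each operation with a note when it touches an autostart location."""
    out = []
    for op in ops:
        note = ""
        if any(marker in op[1].lower() for marker in AUTOSTART_MARKERS):
            verb = "removes" if op[0].startswith("delete") else "adds"
            note = "autostart location: " + verb + " an entry"
        out.append((op, note))
    return out


if __name__ == "__main__":
    for op, note in review(parse_reg(SAMPLE_REG)):
        print(op, note)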


#5
11-03-2005
brent
Bronze Member
Join Date: Aug 2005
Posts: 61

OK, I did everything you told me except I couldn't finish the Ewido log because I needed to go, so I will do that tomorrow. So far I've been getting this window pop up for something called PowerCleaner for deleting porn or something. I've tried deleting that several times, but it always pops up; until this boot up after safe mode, it didn't show up. When running Ad-Aware and Ewido, I got a lot of notifications for something called ISTbar, high threat, so I'm not sure about that. Something very strange is that my mouse keeps going from the regular arrow to the arrow with the hourglass next to it every 1/2 second, non-stop. It's been doing that for hours and nothing is loading. Here's my HijackThis log:


Old log deleted.


__________________
-Brent

Last edited by joe5; 11-22-2005 at 03:53 PM.
#6
11-03-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044

Hmmm... all the old infections from last week are gone, but you have a load of new infections now.

If you don't follow my advice and update Windows and get a firewall, you are going to get infected over and over again.

Before using HijackThis Please Do the Following:

Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Download CCleaner
Download Process Explorer by Sysinternals
Also download KillBox by Option^Explicit

Go to add and remove programs and uninstall "Accoona Search Assistant" and "ISTbar" if present.


Then boot up in SAFE MODE and stay in safe mode until the entire fix is done (hit F8 when booting up).

Unzip Process Explorer and double click on procexp.exe.
In the top section of the Process Explorer screen, double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen, click on each instance of qlink32.dll once and then click the Kill button.
After you have killed all of the qlink32.dll threads under winlogon, click OK.
Next, in the top section of the Process Explorer screen again, double click on explorer.exe and again click once on each instance of qlink32.dll, then click the Kill button.
Once you have done that, click OK again.


Open the registry (click "Start", choose "Run" and enter "regedit") and find the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Delete the "IST Service" entry, if it is there.

Open a DOS command prompt window (from Start > Programs > Accessories) and enter the following commands:
cd "%WinDir%\System" <Enter>
regsvr32 /u "\Program Files\ISTbar\istbar.dll" <Enter>


Next run HijackThis and place a check beside each of the following.
(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assist...sp?&utm_id=400011&utm_content=leftnav&utm_source=wdz1&utm_medium=bund&utm_campaign=wdz0605a
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assist...sp?&utm_id=400011&utm_content=leftnav&utm_source=wdz1&utm_medium=bund&utm_campaign=wdz0605a
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R3 - Default URLSearchHook is missing
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\System32\qlink32.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O4 - HKLM\..\Run: [SUnS] C:\WINDOWS\ejhbm.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\System32\qlink32.dll
After that, delete the files in bold and then run CCleaner.

Double click on Killbox.exe and then check the delete on reboot button.
Enter the following filepath and filename into the Full path of file to delete box

C:\WINDOWS\System32\qlink32.dll

Click the red circle with the white x and allow your computer to reboot.

After your computer has rebooted, delete the "ISTbar" folder inside your Program Files folder.
Finally you can restore your normal IE search settings (Internet Options > Programs > Reset Web Settings).

Then please run HijackThis and Ewido again and post the new logs.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
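The lines joe5 singles out for fixing in posts #3 and #6 follow a handful of recognisable patterns: services whose binary is missing or has no publisher, a second program on the Shell= line, a Run value whose name imitates a system tool but launches something else, EXEs and DLLs dropped straight into C:\ or C:\WINDOWS, an ActiveX download from a bare IP address, a text/html MIME filter, and IE search settings pointing at a third-party host. As an added example (my code, not part of this thread and not part of HijackThis), here is a Python triage script that encodes those checks and runs them over a log constructed from lines posted in this thread. The sample log is built from the thread, not a full export of brent's machine, and the allowlists and heuristics (DEFAULT_SEARCH_HOSTS, SYSTEM_TOOL_NAMES, DROP_DIRS) are my own assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: HijackThis lines copied from the two logs in this thread
# (brent's post #1 and the entries joe5 listed in post #6), plus a few benign
# lines from the first log so the triage has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\System32\qlink32.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [SUnS] C:\WINDOWS\ejhbm.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\System32\qlink32.dll
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|ocx|ocm|cab|scr))", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Assumed lists: tweak for your environment.
SYSTEM_TOOL_NAMES = {"regsvr32", "rundll32", "svchost", "lsass", "winlogon", "csrss", "explorer"}
DEFAULT_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com", "go.microsoft.com"}
DROP_DIRS = {"c:", "c:\\windows"}  # a binary sitting directly here, not in a subfolder, is unusual


def extract_path(line):
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()


def is_ip_host(host):
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return the reasons this HijackThis line deserves a look (empty list = leave alone)."""
    reasons = []
    section = line.split(" - ", 1)[0]
    path = extract_path(line)
    if section == "O23":
        if "(file missing)" in line:
            reasons.append("service points at a binary that no longer exists")
        if "Unknown owner" in line:
            reasons.append("service has no publisher string")
    elif section == "F2" and "Shell=" in line:
        shells = [s.strip().lower() for s in line.split("Shell=", 1)[1].split(",")]
        extra = [s for s in shells if s != "explorer.exe"]
        if extra:
            reasons.append("extra shell launched at logon: " + ", ".join(extra))
    elif section == "O4" and path:
        m = re.search(r"\[([^\]]+)\]", line)
        value_name = m.group(1).lower() if m else ""
        base = path.rsplit("\\", 1)[-1].lower()
        if parent_dir(path) in DROP_DIRS:
            reasons.append("autorun binary dropped directly in " + parent_dir(path))
        if value_name in SYSTEM_TOOL_NAMES and base != value_name + ".exe":
            reasons.append(f"Run value named like a system tool ({value_name}) but launches {base}")
    elif section in ("O2", "O18"):
        if section == "O18":
            reasons.append("MIME filter hooks every text/html response")
        if path and parent_dir(path) in DROP_DIRS:
            reasons.append("browser hook DLL dropped directly in " + parent_dir(path))
    elif section == "O16":
        m = URL_RE.search(line)
        if m and is_ip_host(m.group(1)):
            reasons.append("ActiveX download from a bare IP address: " + m.group(1))
    elif section in ("R0", "R1"):
        m = URL_RE.search(line)
        if m and m.group(1).lower() not in DEFAULT_SEARCH_HOSTS:
            reasons.append("IE search/start setting points at " + m.group(1))
    return reasons


def triage_log(text):
    """Run triage_line over a whole log and cross-check BHO DLLs against O18 filters."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    filter_dlls = {extract_path(l).lower() for l in lines
                   if l.split(" - ", 1)[0] == "O18" and extract_path(l)}
    findings = []
    for line in lines:
        section = line.split(" - ", 1)[0]
        reasons = triage_line(line)
        path = extract_path(line)
        if section == "O2" and path and path.lower() in filter_dlls:
            reasons.append("BHO DLL is also registered as a text/html MIME filter (O18)")
        for reason in reasons:
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it directly to print the findings. The cross-check in triage_log is what catches the qlink32.dll BHO, which looks ordinary on its own but is the same DLL registered as the O18 filter. A hit is a prompt to look, not a verdict: the DefWatch and QuickTime lines pass because nothing about them trips a rule, not because the script knows they are clean.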

