can't get rid of "your computer is infected"

Status
Not open for further replies.
I have removed C:\winstall.exe, and the link to http://www.spyaxe.com/uninstall/uninstallers.zip is no longer good, as advised on this topic in an earlier thread.
I have installed ZoneAlarm and Registry Mechanic and run the Windows online beta scan, but I still cannot rid my machine of this heinous pop-up. If I click on the window or the white x in the red dot, nothing happens.
When I try to restore my system, it runs as if it will work, but then just ends up saying I can't restore it to that date (which is any and every date).
Any suggestions would be greatly appreciated.
Another weird thing on my machine is the appearance of two very small rectangles that pop up occasionally.
 
Here's my HJT log

H,
Thanks, I read, ran and rebooted, and I am still having the problems.
Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:52:59 PM, on 3/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\SCANNER\EXE32\IBMSCAN.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\COMPUS~1\wcs2000.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Aladdin Systems\StuffIt\stuffit.exe
C:\Documents and Settings\Lu\My Documents\My Archives\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mozilla.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mozilla.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EBEA7C8-212E-32A1-322C-20398BF328E4} - (no file)
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - (no file)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll
O2 - BHO: (no name) - {6EFE237F-E9E3-ED3D-372C-29F01DF5D4BA} - (no file)
O2 - BHO: (no name) - {B212D577-05B7-4963-911E-4A8588160DFA} - (no file)
O2 - BHO: (no name) - {CE150238-9AA9-4621-170D-224521B73B52} - (no file)
O2 - BHO: (no name) - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\IBMSCAN.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141779732218
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BB1E70-2E8A-41B0-BC58-2ACA189A25E6}: NameServer = 205.188.146.145
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: eredozahtesh (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
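An added triage script, written for this illustration and not part of the thread or of HijackThis itself, that runs over a handful of lines copied from the log above and flags the entry types a reviewer checks first: an autostart binary sitting in the drive root, orphaned BHO registrations, the Trusted Zone and Winlogon Notify entries, the Winsock hijack, the custom DNS server, and the service with a missing binary. The severity wording and the root-path heuristic are this example's own assumptions.

```python
import re

# Constructed sample: a few lines taken from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EBEA7C8-212E-32A1-322C-20398BF328E4} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.coolwebsearch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BB1E70-2E8A-41B0-BC58-2ACA189A25E6}: NameServer = 205.188.146.145
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O23 - Service: eredozahtesh (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
"""

# Heuristic (this example's assumption): a legitimate product almost never
# autostarts a binary from the drive root or the bare Windows directory, which
# is exactly where "[Windows installer] C:\winstall.exe" lives.
ROOT_PATH = re.compile(r'(?i)"?[a-z]:\\(?:windows\\)?[^\\"]+\.(?:exe|dll)"?$')

def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(O\d+) - (.*)", line.strip())
        if not m:
            continue  # R0/R1 lines and the process list are not handled here
        section, body = m.groups()
        reason = None
        if section in ("O2", "O3") and body.endswith("(no file)"):
            reason = "orphaned BHO/toolbar registration (leftover, clean up)"
        elif section == "O4" and ROOT_PATH.search(body):
            reason = "autostart binary in drive root or bare Windows directory"
        elif section == "O10":
            reason = "Winsock LSP hijack"
        elif section == "O15":
            reason = "domain added to the IE Trusted Zone"
        elif section == "O17":
            reason = "custom DNS server; confirm it belongs to the ISP"
        elif section == "O20":
            reason = "Winlogon Notify DLL (persistence loaded before the desktop)"
        elif section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            reason = "service with unknown vendor or missing binary"
        if reason:
            findings.append((section, reason, line.strip()))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {line}")
```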
 
I can tell just from looking at your HJT log that you have not followed the instructions I gave you.

Go back and follow all the instructions.

Regards Howard :)
 
Update: downloading Ewido

SpyAudit reported this:

Found on Your Computer: 3, 0, 17, 0

Categories: Identity Theft, PC Corruption, Runaway Pop-up Ads, Sluggish Performance, Behavior Surveillance
Details
Trojan Horses Detected: 3
A Trojan horse is dangerous and can let a hacker control your PC. Even worse, a Trojan may install spyware programs on your computer to steal your information.

Trojan Horses:
trojan-downloader-domcom
2nd-thought
trojan-downloader-2pursuit

Do I really have to pay $30 to remove these? I've already run ZoneAlarm and removed stuff.
As for alluria, it will not download and run properly.

I will try Ewido now, and hope to get the trial offer, which didn't work last try (I am trying to avoid dropping $ if possible).
As for Panda, I downloaded that once about 2 years ago and it totally screwed up my machine.
That is my update, I will continue with ewido now.
Thanks again for your help.
 
No, you don't have to pay $.

Use multiple anti-trojan programs and a decent anti-virus.

Spybot, Ad-Aware, Microsoft, Ewido, etc.

Boot in Safe Mode, turn off System Restore, then run the removal programs.
 