can't get rid of "your computer is infected"

By festivus
Mar 8, 2006
  1. I have removed C:\winstall.exe and the link to is no longer good as advised on this topic in an earlier thread.
    I have installed ZoneAlarm, Registry Mechanic and run Windows online beta scan, but I still cannot rid my machine of this heinous pop-up. If I click on the window or the white x in the red dot, nothing happens.
    When I try to restore my system, it runs as if it will work, but then just ends up saying I can't restore it to that date (which is any and every date).
    Any suggestions would be greatly appreciated.
    Another weird thing on my machine is the appearance of two very small rectangles that pop up occasionally.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

  3. festivus

    festivus TS Rookie Topic Starter

    here's my hjt log

    Thanks, I read, ran and rebooted and still having the problems.
    Here's my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:52:59 PM, on 3/8/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Aladdin Systems\StuffIt\stuffit.exe
    C:\Documents and Settings\Lu\My Documents\My Archives\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0EBEA7C8-212E-32A1-322C-20398BF328E4} - (no file)
    O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - (no file)
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
    O2 - BHO: (no name) - {621D36CC-09F4-44F6-BA4C-C8FBEAA00207} - C:\WINDOWS\adsldpbk.dll
    O2 - BHO: (no name) - {6EFE237F-E9E3-ED3D-372C-29F01DF5D4BA} - (no file)
    O2 - BHO: (no name) - {B212D577-05B7-4963-911E-4A8588160DFA} - (no file)
    O2 - BHO: (no name) - {CE150238-9AA9-4621-170D-224521B73B52} - (no file)
    O2 - BHO: (no name) - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - (no file)
    O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
    O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [ Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\IBMSCAN.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Hijacked Internet access by New.Net
    O15 - Trusted Zone: *
    O15 - Trusted Zone: *
    O15 - Trusted Zone: * (HKLM)
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -,0,0,83/
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) -
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -,0,0,20/
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BB1E70-2E8A-41B0-BC58-2ACA189A25E6}: NameServer =
    O20 - Winlogon Notify: st3i - C:\WINDOWS\
    O20 - Winlogon Notify: style32 - C:\WINDOWS\
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
    O23 - Service: eredozahtesh (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I can tell just from looking at your HJT log, that you have not followed the instructions I gave you.

    Go back and follow all the instructions.

    Regards Howard :)
  5. festivus

    festivus TS Rookie Topic Starter

    update, downloading ewido

    spyaudit reported this:
    Found on Your Computer:

    Identity Theft
    PC Corruption
    Runaway Pop-up Ads
    Sluggish Performance
    Behavior Surveillance
    Trojan Horses Detected: 3
    A Trojan horse is dangerous and can let a hacker control your PC. Even worse, a Trojan may install spyware programs on your computer to steal your information.

    Trojan Horses:

    Do I really have to pay $30 to remove these? I've already run ZoneAlarm and removed stuff.
    As for alluria -- it will not download and run properly.

    I will try ewido now, and hope to get the trial offer, which didn't work last try. (I am trying to avoid dropping $ if possible.)
    As for Panda, I downloaded that once about 2 years ago and it totally screwed up my machine.
    That is my update, I will continue with ewido now.
    Thanks again for your help.
  6. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    no, you don't have to pay $

    Use multiple anti-trojan horse programs and a decent anti-virus.

    Spybot, Ad-Aware, Microsoft, ewido, etc....

    boot in safe mode. turn off system restore, then run the removal programs.
Topic Status:
Not open for further replies.
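
Added example, not part of the original thread and not HijackThis's own logic: a small triage script for the log format posted above, which pulls out the entries a helper would look at first. The three heuristics and the names `triage`, `ENTRY` and `ROOT_EXE` are assumptions made for illustration; the sample lines are excerpted from the log in the thread.

```python
import re

# Sample input: a few lines excerpted from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0EBEA7C8-212E-32A1-322C-20398BF328E4} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: eredozahtesh (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [...] ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+)$")
# Autorun command whose executable sits directly in a drive root (assumed heuristic).
ROOT_EXE = re.compile(r'\]\s*"?[A-Za-z]:\\[^\\"]+\.exe', re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, body) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, the process list and blank lines
        section, body = m.groups()
        # Registry reference survives although the file it points to is gone.
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "orphaned", body))
        # Run-key entry launching an .exe from the root of a drive.
        if section == "O4" and ROOT_EXE.search(body):
            findings.append((section, "root-autorun", body))
        # Service whose binary carries no readable vendor information.
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "unknown-owner", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:14} {body}")
```

On the sample lines this reports the Run value for C:\winstall.exe, which is still listed in the log, along with the BHO and service entries whose files are missing.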
