
PC up and running, no taskbar, but Viva TermeX and Zinblog still hanging around, please help

Discussion in 'Windows - Virus and spyware problems' started by tino2003, Apr 27, 2007.

  1. tino2003

    tino2003 Member

    Fredil, I don't know if this is important, but after running HijackThis I highlighted the line R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zinblog.com? and clicked "Info" on the HijackThis page. This is what I came up with. Maybe you will find something in there.

    * HijackThis v1.99.1 *
    Written by Merijn - merijn@spywareinfo.com
    http://www.merijn.org/files/hijackthis.zip
    http://www.merijn.org/index.html

    See bottom for version history.

    The different sections of hijacking possibilities have been separated into the following groups.
    You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.

    R - Registry, StartPage/SearchPage changes
    R0 - Changed registry value
    R1 - Created registry value
    R2 - Created registry key
    R3 - Created extra registry value where only one should be
    F - IniFiles, autoloading entries
    F0 - Changed inifile value
    F1 - Created inifile value
    F2 - Changed inifile value, mapped to Registry
    F3 - Created inifile value, mapped to Registry
    N - Netscape/Mozilla StartPage/SearchPage changes
    N1 - Change in prefs.js of Netscape 4.x
    N2 - Change in prefs.js of Netscape 6
    N3 - Change in prefs.js of Netscape 7
    N4 - Change in prefs.js of Mozilla
    O - Other, several sections which represent:
    O1 - Hijack of auto.search.msn.com with Hosts file
    O2 - Enumeration of existing MSIE BHO's
    O3 - Enumeration of existing MSIE toolbars
    O4 - Enumeration of suspicious autoloading Registry entries
    O5 - Blocking of loading Internet Options in Control Panel
    O6 - Disabling of 'Internet Options' Main tab with Policies
    O7 - Disabling of Regedit with Policies
    O8 - Extra MSIE context menu items
    O9 - Extra 'Tools' menuitems and buttons
    O10 - Breaking of Internet access by New.Net or WebHancer
    O11 - Extra options in MSIE 'Advanced' settings tab
    O12 - MSIE plugins for file extensions or MIME types
    O13 - Hijack of default URL prefixes
    O14 - Changing of IERESET.INF
    O15 - Trusted Zone Autoadd
    O16 - Download Program Files item
    O17 - Domain hijack
    O18 - Enumeration of existing protocols and filters
    O19 - User stylesheet hijack
    O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
    O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
    O22 - SharedTaskScheduler autorun Registry key
    O23 - Enumeration of NT Services

    Command-line parameters:
    * /autolog - Automatically scan the system, save a logfile and open it
    * /ihatewhitelists - ignore all internal whitelists
    * /uninstall - remove all HijackThis Registry entries, backups and quit

    * Version history *

    [v1.99.1]
    * Added Winlogon Notify keys to O20 listing
    * Fixed crashing bug on certain Win2000 and WinXP systems at O23 listing
    * Fixed lots and lots of 'unexpected error' bugs
    * Fixed lots of inproper functioning bugs (i.e. stuff that didn't work)
    * Added 'Delete NT Service' function in Misc Tools section
    * Added ProtocolDefaults to O15 listing
    * Fixed MD5 hashing not working
    * Fixed 'ISTSVC' autorun entries with garbage data not being fixed
    * Fixed HijackThis uninstall entry not being updated/created on new versions
    * Added Uninstall Manager in Misc Tools to manage 'Add/Remove Software' list
    * Added option to scan the system at startup, then show results or quit if nothing found
    [v1.99]
    * Added O23 (NT Services) in light of newer trojans
    * Integrated ADS Spy into Misc Tools section
    * Added 'Action taken' to info in 'More info on this item'
    [v1.98]
    * Definitive support for Japanese/Chinese/Korean systems
    * Added O20 (AppInit_DLLs) in light of newer trojans
    * Added O21 (ShellServiceObjectDelayLoad, SSODL) in light of newer trojans
    * Added O22 (SharedTaskScheduler) in light of newer trojans
    * Backups of fixed items are now saved in separate folder
    * HijackThis now checks if it was started from a temp folder
    * Added a small process manager (Misc Tools section)
    [v1.96]
    * Lots of bugfixes and small enhancements! Among others:
    * Fix for Japanese IE toolbars
    * Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
    * Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
    * Added several files to the LSP whitelist
    * Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
    * All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
    [v1.95]
    * Added a new regval to check for from Whazit hijack (Start Page_bak).
    * Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
    * New in logfile: Running processes at time of scan.
    * Checkmarks for running StartupList with /full and /complete in HijackThis UI.
    * New O19 method to check for Datanotary hijack of user stylesheet.
    * Google.com IP added to whitelist for Hosts file check.
    [v1.94]
    * Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
    * Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
    * Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
    * Fixed a bug where DPF could not be deleted.
    * Fixed a stupid bug in enumeration of autostarting shortcuts.
    * Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
    * Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
    * Added support for backing up F0 and F1 items (d'oh!).
    [v1.93]
    * Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
    * Fixed a bug in LSP routine for Win95.
    * Made taborder nicer.
    * Fixed a bug in backup/restore of IE plugins.
    * Added UltimateSearch hijack in O17 method (I think).
    * Fixed a bug with detecting/removing BHO's disabled by BHODemon.
    * Also fixed a bug in StartupList (now version 1.52.1).
    [v1.92]
    * Fixed two stupid bugs in backup restore function.
    * Added DiamondCS file to LSP files safelist.
    * Added a few more items to the protocol safelist.
    * Log is now opened immediately after saving.
    * Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
    * Updated integrated StartupList to v1.52.
    * In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
    * Rudimentary proxy support for the Check for Updates function.
    [v1.91]
    * Added rd.yahoo.com to the Nonstandard But Safe Domains list.
    * Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
    * Added listing of programs/links in Startup folders (O4).
    * Fixed 'Check for Update' not detecting new versions.
    [v1.9]
    * Added check for Lop.com 'Domain' hijack (O17).
    * Bugfix in URLSearchHook (R3) fix.
    * Improved O1 (Hosts file) check.
    * Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
    * Added AutoConfigURL and proxyserver checks (R1).
    * IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
    * Added check for extra protocols (O18).
    [v1.81]
    * Added 'ignore non-standard but safe domains' option.
    * Improved Winsock LSP hijackers detection.
    * Integrated StartupList updated to v1.4.
    [v1.8]
    * Fixed a few bugs.
    * Adds detecting of free.aol.com in Trusted Zone.
    * Adds checking of URLSearchHooks key, which should have only one value.
    * Adds listing/deleting of Download Program Files.
    * Integrated StartupList into the new 'Misc Tools' section of the Config screen!
    [v1.71]
    * Improves detecting of O6.
    * Some internal changes/improvements.
    [v1.7]
    * Adds backup function! Yay!
    * Added check for default URL prefix
    * Added check for changing of IERESET.INF
    * Added check for changing of Netscape/Mozilla homepage and default search engine.
    [v1.61]
    * Fixes Runtime Error when Hosts file is empty.
    [v1.6]
    * Added enumerating of MSIE plugins
    * Added check for extra options in 'Advanced' tab of 'Internet Options'.
    [v1.5]
    * Adds 'Uninstall & Exit' and 'Check for update online' functions.
    * Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
    [v1.4]
    * Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
    * A few bugfixes/enhancements
    [v1.3]
    * Adds detecting of extra MSIE context menu items
    * Added detecting of extra 'Tools' menu items and extra buttons
    * Added 'Confirm deleting/ignoring items' checkbox
    [v1.2]
    * Adds 'Ignorelist' and 'Info' functions
    [v1.1]
    * Supports BHO's, some default URL changes
    [v1.0]
    * Original release

    A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.


    I am proceeding.
     
  2. Fredil

    Fredil Regular member

    Bleh. All useless. I know all that :)

    Continue, and may luck be with you :)
     
  3. tino2003

    tino2003 Member

    Fredil, I do know what you are referring to, but I just completed all the previous steps and Zinblog is still there. I found the "Run" icon in safe mode, and after rebooting it is not available for use.

    Here is what I found after your last instruction to run in safe mode.

    HKEY_LOCAL_MACHINE
    ACPI
    DSDT
    KM400
    AWRDACPI
    000010
    That is, no RUN to click on.
     
  4. scorpNZ

    scorpNZ Active member

    OK, so what you're saying is that in safe mode, when you click on the Start button, the "RUN" command is listed, but when rebooting it is no longer there?? OK, left click on the Start button; once the popup appears, right click on any open space (a popup should appear called "Properties"); using left click, click on it. OK, you should be looking at a window that has two tabs, assuming you're using the XP STYLE START MENU.

    Below the picture there are two options to change the style of Windows; assuming you have not touched anything, click on the button to the right that says CUSTOMISE (the one that's not greyed out). In the next window that appears, click the ADVANCED tab. This area comes in handy: put a tick in all the boxes that say "DISPLAY AS MENU", and while you're at it look for RUN COMMAND and put a tick in its box. Click OK on the window (it will disappear), then click APPLY on the window that is still showing, then click OK. Now RUN will show in the list when you click on the Start button.

    IF you followed the above instructions in regard to "DISPLAY AS MENU", it made a small change. To see its effects, drag your mouse and hover over MY DOCS, MY COMPUTER, CONTROL PANEL, MY PICTURES, MY MUSIC. It's a bit weird at first, but once you get used to it you'll find it handy.
     
    Last edited: May 13, 2007
  5. Fredil

    Fredil Regular member

    No, it's not that, Zinblog and Viva TermeX both disable the Run and Regedit functions.

    However, try that anyways. I will see what I can find.
     
  6. tino2003

    tino2003 Member

    Completed everything, using the tick in each DISPLAY AS MENU. RUN was not anywhere. However, I was doing some exploring on my own and found a command prompt, as C:\, the MS-DOS command script. I located it by clicking START and looking under ACCESSORIES. Can that be it?
     
  7. scorpNZ

    scorpNZ Active member

    Yes, using the command prompt will do the same thing and bring up regedit. Just type regedit, then hit the Enter button on the keyboard; you should now be looking at the Registry Editor window.
     
  8. tino2003

    tino2003 Member

    Fredil, after I posted the previous message and came back here, I had to use the START button. The MS-DOS C:\ command prompt is there, exactly as is written here: "C:\ command prompt".
     
  9. tino2003

    tino2003 Member

    The registry is available, but no "zinblog" can be found, nor the "RUN" command.
     
  10. scorpNZ

    scorpNZ Active member

    RUN is nothing more than a way to get to REGEDIT; the other way to get to REGEDIT is through the COMMAND PROMPT. If you are using the command prompt you do not look for RUN, nor do you need it. Just do as I said earlier: open the COMMAND PROMPT, and you should be looking at a window that is DOS. Assuming you're logged in as administrator, you should see a flashing _ . All you need do now is type REGEDIT (lower case is OK), and another window will open with two columns; the left column is the folder tree and should be listed like this:
    MY COMPUTER
    HKEY_CLASSES_ROOT
    HKEY_CURRENT_USER
    HKEY_LOCAL_MACHINE
    HKEY_USERS
    HKEY_CURRENT_CONFIG

    OK, if you see the above in an open window, you have achieved what Fred was trying to get you to do with RUN, so at this point RUN is not needed as you bypassed it. You now need to go back to Fred's earlier post (number 19) and follow those instructions, and any others that say you need to go into HKEY. Basically, clicking on the boxes to the left of the wording HKEY will expand the tree.

    So click on the boxes HKEY_CURRENT_USER & HKEY_LOCAL_MACHINE; both should now be expanded and show more folders in alphabetical order. You need to scroll down to the SOFTWARE folder, expand that, and follow Fred's instructions.

    REMEMBER YOU DO NOT NEED TO LOOK FOR RUN AS YOU ARE USING THE COMMAND PROMPT

     
    Last edited: May 13, 2007
  11. tino2003

    tino2003 Member

    ScorpNZ, I was so caught up in looking for the "Run" command to get it on my start menu that I did not realize it was the same. However, I had done all the folder keys and HKEYs and did not find "zinblog" or "viva termex", except I do not recall accessing as "administrator". I will go back and do it as administrator.
     
  12. scorpNZ

    scorpNZ Active member

    Can't remember exactly, but if you're able to get to the registry through the command prompt, then my guess is you are logged in as admin, as any changes you attempt would otherwise be refused by a popup.

    Check both of the software folders in these two for the zinblog etc.
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_USER

    You'll have to wait till Fred gets back, but at this stage, and assuming it works, change your home page if the IE browser is still going to zinblog. Do this by going to "Network and Internet Connections" in CONTROL PANEL, click on INTERNET OPTIONS, use the delete button or backspace to delete http://zinblog....., replace it with the home page of your choice, then click Apply, then OK. It most probably wouldn't hurt to run CCleaner at this stage also: click on CCleaner's TOOLS button, click the STARTUP button, and see if there is any entry in the list that refers to zinblog or that other one; if so, click on the entry so it's highlighted and use the delete button to remove it. It's up to you if you want to do a registry clean using CCleaner, but I accept no responsibility; though I've never had a problem, there are no guarantees.

    Once you get your computer back in good order, you'll have to deactivate SYSTEM RESTORE, then REACTIVATE SYSTEM RESTORE.
     
    Last edited: May 15, 2007
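The R0 line quoted in the first post (the IE Start Page pointing at zinblog.com), the Run and Regedit lock-out Fredil describes, and the startup entries scorpNZ says to look for are exactly the items HijackThis reports as R0, O4 and O7 entries. Added example, not from this thread and not HijackThis's own code: a Python script that parses those three line types out of a log, flags the ones worth acting on, and drafts a .reg file that resets the start page, deletes the offending Run value and zeroes the regedit policy. The log excerpt is constructed, the indicator strings and the "anything launched from a Temp folder is suspect" rule are my choices, and the mapping of the printed name "DisableRegedit" to the real value DisableRegistryTools is an assumption about how HijackThis labels that policy.

```python
"""Triage HijackThis 1.99.x log lines (R0 / O4 / O7) and draft a .reg file
that undoes the hijacks they describe.  Added example, not from the thread."""
import re

# Constructed sample log excerpt in the line shapes HijackThis writes for
# R0, O4 and O7 items; the path in the second O4 line is invented.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://zinblog.com?
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sample] C:\DOCUME~1\user\LOCALS~1\Temp\sample.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

INDICATORS = ("zinblog", "termex")          # strings worth flagging (my choice)
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # what "..\Run" abbreviates
# Assumption: HijackThis prints the regedit policy as "DisableRegedit";
# the value actually stored under Policies\System is DisableRegistryTools.
POLICY_NAMES = {"DisableRegedit": "DisableRegistryTools"}

R0_RE = re.compile(r"^R0 - (HKCU|HKLM)\\([^,]+),(.+?) = (.*)$")
O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O7_RE = re.compile(r"^O7 - (HKCU|HKLM)\\([^,]+), (\w+)=(\d+)$")


def parse_hjt(text):
    """Return one dict per recognised R0/O4/O7 line; other lines are skipped."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if m := R0_RE.match(line):
            items.append({"kind": "R0", "hive": m[1], "key": m[2], "value": m[3], "data": m[4]})
        elif m := O4_RE.match(line):
            items.append({"kind": "O4", "hive": m[1], "key": RUN_KEY, "value": m[2], "data": m[3]})
        elif m := O7_RE.match(line):
            items.append({"kind": "O7", "hive": m[1], "key": m[2], "value": m[3], "data": m[4]})
    return items


def triage(items, indicators=INDICATORS):
    """Keep items that match an indicator, run from a Temp folder, or lock the user out."""
    flagged = []
    for it in items:
        text = (it["value"] + " " + it["data"]).lower()
        if it["kind"] == "O7":                      # any policy lock is worth reverting
            flagged.append(it)
        elif any(ind in text for ind in indicators) or "\\temp\\" in text:
            flagged.append(it)
    return flagged


def reg_escape(s):
    """Backslashes and quotes must be escaped inside .reg string literals."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_fix(flagged):
    """Draft .reg text: reset the start page, delete the Run value, zero the policy."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for it in flagged:
        out.append(f"[{HIVES[it['hive']]}\\{it['key']}]")
        if it["kind"] == "R0":
            out.append(f'"{reg_escape(it["value"])}"="about:blank"')
        elif it["kind"] == "O4":
            out.append(f'"{reg_escape(it["value"])}"=-')        # "=-" deletes the value
        elif it["kind"] == "O7":
            name = POLICY_NAMES.get(it["value"], it["value"])
            out.append(f'"{name}"=dword:00000000')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(reg_fix(triage(parse_hjt(SAMPLE_LOG))))
```

Read the drafted file before importing it, and export the affected keys first. Note that the DisableRegistryTools policy stops regedit.exe only; the command-line tool reg.exe is not bound by it, so `reg import fix.reg` from the command prompt works even while Regedit is locked, which is one more reason the command prompt route scorpNZ describes is the right one.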
  13. tino2003

    tino2003 Member

    ScorpNZ and Fredil,
    I got rid of Zinblog and recovered the Run icon on the START page. I did it under a new administrator, which I named Supervisor. That is the instruction I received when I tried to modify settings under Administrator. The new user SUPERVISOR brought up the original system, as when I first bought the computer. That is the only way I can fix the settings under ADMINISTRATOR. I ought to be able to remove Zinblog from that part of the system under Administrator using SUPERVISOR, according to the instructions.

    I want to thank both of you, ScorpNZ and Fredil, especially Fredil, who stayed with me for so long. It helped me to gain some knowledge of WinXP, since my knowledge was with the DOS program.
     
  14. scorpNZ

    scorpNZ Active member

    You'll need to turn off System Restore (follow any instructions the popups give), then re-enable it; this will stop you getting reinfected if you do a system rollback later. Also install the software called ERUNT from the link below, or create a shortcut (for later use if you don't want to install right away). The reason I say install it is that it can do what System Restore can't: do a rollback with no message saying NO CHANGES MADE, CHOOSE ANOTHER RESTORE POINT. The only thing that will be necessary with ERUNT is a regular clean-out of its save folder, as every time you restart your computer it will create a backup of the registry by date; you can save any of them to ROM if you wish. It's a great tool, and boy, it's saved my bacon on a few occasions when System Restore couldn't, which is why I no longer have System Restore enabled.


    http://www.larshederer.homepage.t-online.de/erunt/
     
  15. Fredil

    Fredil Regular member

    Also, search for the MVPS HOSTS file on Google. This will protect you from further infections by blocking known bad websites.
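Fredil's hosts-file advice works because an entry in the hosts file overrides DNS: the MVPS list points known bad names at 0.0.0.0 (older releases used 127.0.0.1), so the browser never reaches them. The same mechanism is what HijackThis's O1 check exists for, because malware uses it too, either to send a real name (auto.search.msn.com is the classic) to a machine the attacker controls, or to point update and antivirus sites at loopback so they quietly stop working. Added example, not part of the thread: a Python audit that reads a hosts file and separates ordinary blocking entries from those two abuses. The sample hosts text, the 10.1.2.3 address and the list of protected domain suffixes are constructed for the example.

```python
"""Audit a Windows hosts file: tell MVPS-style blocking entries apart from
the two things malware does with the file.  Added example, not from the thread."""
import ipaddress

# Constructed hosts-file content for the example; the addresses and the
# choice of names are invented, only the line format is real.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad.doubleclick.net          # MVPS-style block
0.0.0.0  zinblog.com
127.0.0.1  update.microsoft.com      # update site silenced
10.1.2.3  auto.search.msn.com        # search redirected to a foreign host
"""

# Names that should never resolve to loopback on a home PC; a hosts entry
# for them is how malware blocks updates (assumed list, extend for your vendors).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com",
                      "mcafee.com", "kaspersky.com", "trendmicro.com", "sophos.com")


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not a hosts entry we understand
        for name in parts[1:]:                   # one line may list several names
            entries.append((addr, name.lower()))
    return entries


def classify(addr, name):
    """Label one entry: system, block, blocked-protected or redirect."""
    if name == "localhost":
        return "system"
    if not (addr.is_loopback or addr.is_unspecified):
        return "redirect"            # a name sent to a foreign machine (O1-style hijack)
    if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "blocked-protected"   # loopback entry that silences an update/AV site
    return "block"                   # ordinary ad/malware blocking, as MVPS ships


def audit_hosts(text):
    """Return {category: [hostnames]} for the contents of a hosts file."""
    report = {"system": [], "block": [], "blocked-protected": [], "redirect": []}
    for addr, name in parse_hosts(text):
        report[classify(addr, name)].append(name)
    return report


if __name__ == "__main__":
    # On a real machine read C:\WINDOWS\system32\drivers\etc\hosts instead.
    for category, names in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{category:18} {len(names):5}  {', '.join(names)}")
```

Anything in the "redirect" or "blocked-protected" buckets is what a HijackThis O1 line would be telling you about and should be removed by hand; the "block" bucket is what a freshly installed MVPS file consists of, and on a real MVPS install it will run to many thousands of names.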
     
