Mischel Internet Security Forum > Malware > Trojans
Topic: Trojans (incl. Zlob) deleted, keep coming back
dodito (Newbie, Posts: 7)
Trojans (incl. Zlob) deleted, keep coming back
« on: May 31st, 2008, 9:55am »

I just discovered the opportunity to post on here and I really appreciate it. After I fixed the Trojan problem (so my credit card info is safe) you have one more loyal fan and customer, as I have been duly impressed already!
 
I will post a final log + HijackThis log later, but perhaps someone would have some comments already, and in any case it won't fit into 1 message.  
 
This is what happened (in sequential order):  
 
I downloaded a torrent for Adobe Fireworks (OK, I know, I know). I clicked on the file and McAfee went crazy with messages that it was a Trojan (I had scanned the file with McAfee before).

After it seemed OK I did a full system scan with McAfee, and it quarantined 2 Trojans. However, at that moment my system started to give errors and had to shut down, restarted, gave errors, shut down, etc.

I brought it to a local store here (I temporarily live in Salamanca, Spain), and they were able to remove one trojan that caused these system reboots, using different software (amongst others NOD32). All seemed OK until they loaded FastScan Trojan Remover, which gave messages about Backdoor Haxdoor:
 
Loaded BY Windows Registry  
globalroot\systemroot\system32\drivers\clbdriver.sys
Called from the registry Key  
HKLM\SYSTEM\CurrentControlSet\Services\clbdriver
Appears to contain Backdoor.Haxdoor  
 
They gave it back to me saying that there were too many Trojans, I should forget about it and reinstall Windows, and back up my files on an external drive in Safe Mode first. Great, but I also had 2 external HDs connected when this happened, so how could I be sure? But they thought it wouldn't be a problem.
 
Obviously not satisfied, I started to search and I discovered Trojan Hunter. I first did a scan without updating the files and not in Safe Mode, and it found 1 more trojan:
 
Found adware file: C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll (Adware.WildTangent.100)
Found adware file: C:\WINDOWS\wt\wtvh.dll (Adware.WildTangent.100)
Quarantined file C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll
Quarantined file C:\WINDOWS\wt\wtvh.dll
 
Then I discovered your page about killing malware and posting a HijackThis log here. I ran Trojan Hunter, SuperAntiSpyware and BitDefender. I updated all manually, and I ran the first 2 in Safe Mode. They found quite a bit.

So I decided to run them again. And now neither Trojan Hunter nor SuperAntiSpyware found anything. I am now running Kaspersky online instead of BitDefender to have as much spread as possible. After that I will post the HijackThis log as well, once I have run it.

What bothers me is that FastScan Trojan Remover keeps giving the above-mentioned message, even though no one else seems to find anything. It sometimes doesn't find it, and then the message reappears again after a reboot.

Here are the logs of the FIRST run, where several trojans were found and removed (and although the second run did not result in any more trojans being found, I will give these for completeness' sake), and I will give the Kaspersky results + HijackThis log later this evening.
 
Trojan Hunter found a second trojan:  
Found adware file: C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax (Adware.WildTangent.102)
Found adware file: C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax (Adware.WildTangent.102)
Quarantined file C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax
Quarantined file C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax
 
Then SuperAntiSpyware found these:  
 
SuperAntiSpyware Professional Trial:  
Quarantined:  
Trojan-DNSChanger.Codec:  
HKCR\VAC.Video
HKCR\VAC.Video\CLSID  
 
Trojan.Downloader/Media-Codec
C:\Documents and settings\moi\desktop\videoaccesscodecinstall.exe
 
Trojan.Donwloader/NMC-Rich  
C:\Program Filer\RichVideoCodex
C:\Program Filer\RichVideoCodex\install.ico
C:\Program Filer\RichVideoCodex\RichVideoCodex.ocx  
C:\Program Filer\RichVideoCodex\Uninstall.exe  
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec  
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec (DisplayIcon- C:\Program Filer\RichVideoCodex\install.ico
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec (uninstallString - C:\Program Filer\RichVideoCodex\Uninstall.exe  
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\RichVideoCodec (Displayname – Rich Video Codec v 1.6)  
 
Trojan.Net-MVS/VPS  
HKCR\MSVPS.MSVPSApp  
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer  
 
Then BitDefender found these:

C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP209\A0050221.sys
Infected with: Rootkit.1506
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP209\A0050221.sys
Deleted
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP210\A0051976.dll
Infected with: Generic.Malware.FYVd!w.540019EB
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP210\A0051976.dll
Disinfection failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP210\A0051976.dll
Deleted
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052340.ocx
Detected with: Adware.NetAdware.CW
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052340.ocx
Disinfection failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052340.ocx
Deleted
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0000
Infected with: Trojan.Downloader.Zlob.XXX
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0000
Disinfection failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0000
Deleted
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0004
Infected with: BehavesLike:Trojan.TaskDisabler
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0004
Disinfection failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0004
Deleted
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)
Update failed

 
« Last Edit: May 31st, 2008, 11:58am by dodito »
dodito (Newbie, Posts: 7)
Re: Trojans deleted, keep coming back ?
« Reply #1 on: May 31st, 2008, 10:03am »

I ran Kaspersky on the system files and it again found 1 trojan. Since BitDefender fixes the trojans, I will now do a full BitDefender scan again.
 
KASPERSKY ONLINE SCANNER REPORT
 Saturday, May 31, 2008 5:00:52 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 31/05/2008
 Kaspersky Anti-Virus database records: 818172
-------------------------------------------------------------------------------
 
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
 
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\moi\LOCALS~1\Temp\
 
Scan Statistics:
Total number of scanned objects: 24600
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:20:40
 
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG / Object is locked / skipped
C:\WINDOWS\pmkret.dll / Infected: Trojan.Win32.Vapsup.py / skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{EA633580-62B0-4E5E-BCCE-B4F0F2457E7F}.crmlog / Object is locked / skipped
C:\WINDOWS\SchedLgU.Txt / Object is locked / skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9F2C7640-A8EB-41FE-9637-DAC86D94ED28}.bin / Object is locked / skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log / Object is locked / skipped
C:\WINDOWS\Sti_Trace.log / Object is locked / skipped
C:\WINDOWS\system32\config\AppEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\default / Object is locked / skipped
C:\WINDOWS\system32\config\default.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\Media Ce.evt / Object is locked / skipped
C:\WINDOWS\system32\config\SAM / Object is locked / skipped
C:\WINDOWS\system32\config\SAM.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\SecEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\SECURITY / Object is locked / skipped
C:\WINDOWS\system32\config\SECURITY.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\software / Object is locked / skipped
C:\WINDOWS\system32\config\software.LOG / Object is locked / skipped
C:\WINDOWS\system32\config\SysEvent.Evt / Object is locked / skipped
C:\WINDOWS\system32\config\system / Object is locked / skipped
C:\WINDOWS\system32\config\system.LOG / Object is locked / skipped
C:\WINDOWS\system32\h323log.txt / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA / Object is locked / skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP / Object is locked / skipped
C:\WINDOWS\wiadebug.log / Object is locked / skipped
C:\WINDOWS\wiaservc.log / Object is locked / skipped
C:\WINDOWS\WindowsUpdate.log / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\Perflib_Perfdata_aa8.dat / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DF2535.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DF2B44.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DF5F31.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DF6AF3.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DF79F1.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DF7CE7.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DFCF97.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DFDE1B.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~DFE746.tmp / Object is locked / skipped
C:\DOCUME~1\moi\LOCALS~1\Temp\~WRF0000.tmp / Object is locked / skipped
 
Scan process completed.

dodito (Newbie, Posts: 7)
Re: Trojans deleted, keep coming back ?
« Reply #2 on: May 31st, 2008, 10:11am »

Hi there,  
 
I am sorry to swamp the forum with my own replies, but I just read on the Kaspersky Forum that others had a similarly named Trojan warning which turned out to be a false positive.

Mine was: Trojan.Win32.Vapsup.py
Others had: Trojan.Win32.Vapsup.epc

Anyway, thought I'd mention it before people put in extra effort for nothing.

dodito (Newbie, Posts: 7)
Re: Trojans (incl. Zlob) deleted, keep coming back
« Reply #3 on: May 31st, 2008, 12:23pm »

I have just finished Bitdefender, and it gave Zlob Trojans again.  
 
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)=>lzma_solid_nsis0000
Infected with: Trojan.Downloader.Zlob.XXX
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)=>lzma_solid_nsis0000
Disinfection failed
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)=>lzma_solid_nsis0000
Deleted
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)
Update failed
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)=>lzma_solid_nsis0004
Infected with: BehavesLike:Trojan.TaskDisabler
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)=>lzma_solid_nsis0004
Disinfection failed
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)=>lzma_solid_nsis0004
Deleted
C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)
Update failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0000
Infected with: Trojan.Downloader.Zlob.XXX
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0000
Disinfection failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0000
Deleted
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)
Update failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0004
Infected with: BehavesLike:Trojan.TaskDisabler
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0004
Disinfection failed
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0004
Deleted
C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)
Update failed

dodito (Newbie, Posts: 7)
Re: Trojans (incl. Zlob) deleted, keep coming back
« Reply #4 on: May 31st, 2008, 12:38pm »

And finally, this is the HijackThis log file, made after a reboot following the BitDefender scan.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:57 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\dla\DLACTRLW.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\QuickTime\qttask.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\SJLabs\SJphone\SJphone.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {17D69B84-065B-4F88-AFE8-3BA9B4907501} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\DLACTRLW.exe
O4 - HKLM\..\Run: [Pinger] "c:\toshiba\ivp\ism\pinger.exe" /run
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: XS4ALL Softphone.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/moi/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
 
--
End of file - 12161 bytes

siliconman01 (Global Moderator, Posts: 5662)
Re: Trojans (incl. Zlob) deleted, keep coming back
« Reply #5 on: May 31st, 2008, 4:53pm »
Welcome to the forum dodito,
 
You have been very busy trying to get your system cleaned up.  
 
Please do this as the next steps in your cleanup.  Your Hijackthis log is not showing much of a problem at this point.
 
1.  Make all your files and folders visible as per the procedure in the link below.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Using Search or Windows Explorer, locate the following file and delete it.  You may have to boot into SAFE MODE to get rid of this file.  The file is located in C:\Windows
 
pmkret.dll
 
3.  Clean out the Quarantine folder for ESET.
 
-  Go to the folder named infected located at C:\Program Files\ESET\infected
 
-  Delete all files in the folder named infected.
 
4.  Run another Hijackthis scan (with your computer booted into Normal Mode)
 
5.  When the scan is completed, place a check mark in the box next to each of the following items.  BE SURE that these are the only items checked.
 
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
 
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
 
O3 - Toolbar: (no name) - {17D69B84-065B-4F88-AFE8-3BA9B4907501} - (no file)

 
6.  Close your browser.
 
7.  Click on Fix Checked located at the lower left of the Hijackthis window.  Confirm that you want HiJackthis to fix these items and let it do it.
 
8.  Close Hijackthis and immediately reboot.
 
9.  After the reboot is completed, clean out your System Volume Information folder per the procedure in the link below.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
10.  Your Java is severely out-of-date  
Quote:
Program Files\Java\jre1.5.0_04

 
-  For security reasons, update your Java to jre1.6.0_06.  
 
-  Go to the link below and download/install Java Runtime Environment (JRE) 6 Update 6  
 
http://java.sun.com/javase/downloads/index.jsp
 
-  After you install the above update, it is very important that you remove all older previous versions of Java.  You do this through Add or Remove Programs in the Control Panel.  
 
Then please do this:
 
1.  Go to the link below and download program Combofix.exe and save it on your desktop.    
    
http://download.bleepingcomputer.com/sUBs/ComboFix.exe    
    
2.  Temporarily de-activate all your security programs EXCEPT your software firewall.    
    
3.  Close down as many programs as you can (programs in the Notification Tray-  next to the clock).    
    
4.  Close your browser.    
    
5.  Double click on Combofix.exe to execute it and follow the instructions.    
    
Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
    
-  When Combofix.exe is finished, it will save a log on your system.      
    
6.  Post the Combofix log back here    
    
7.  Run Hijackthis and post a new HiJackthis scan log back here.    
 
 
Then do this:
 
1.  Delete Combofix.exe from your desktop.
 
2.  Delete the Combofix log from your system.
 
3.  Delete the Combofix quarantine folder named Qoobox from your system... if this folder exists.
 
 
 
 
« Last Edit: May 31st, 2008, 5:02pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
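One way to do the triage behind these steps (2, 3, 5 and 9) over the log text instead of by eye, and to see why the Zlob hits in Reply #3 kept reappearing, is the following Python script. It is an added example and not a tool from this forum, TrojanHunter or any of the scanners named above; the HijackThis and scanner lines it embeds are copied from the posts in this thread, while the quarantine-folder list and the function names are this example's own assumptions.

```python
"""Triage helper for the cleanup steps in this thread (added example; not a
tool from the forum, TrojanHunter or any scanner mentioned above).

1. Flag orphaned HijackThis O2/O3 entries: a BHO or toolbar CLSID that still
   sits in the registry but whose DLL is gone ("(no file)"). Those are the
   three lines the moderator asked to have fixed.
2. Classify scanner detection paths. A hit inside a System Restore snapshot
   (System Volume Information\\_restore{...}\\RPnnn) or inside another
   product's quarantine folder is an archived copy, not running malware; it
   is re-detected on every scan until those folders are emptied, which is
   why the same Zlob hits kept coming back in this thread.
"""
import re

# HijackThis lines copied from the log posted above; only the three
# "(no file)" ones are orphans, the rest are ordinary entries.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {17D69B84-065B-4F88-AFE8-3BA9B4907501} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
"""

# Detection paths as printed by BitDefender and Kaspersky in the posts above.
AV_HITS = [
    r"C:\System Volume Information\_restore{4B1AEA69-B95E-4955-A6A6-502CD89CDA69}\RP214\A0052342.exe=>(NSIS o)=>lzma_solid_nsis0000",
    r"C:\Program Files\ESET\infected\RRJ1ODBA.NQF=>(Quarantine-PE)=>(NSIS o)=>lzma_solid_nsis0000",
    r"C:\WINDOWS\pmkret.dll",
]

# "O2 - BHO: <name> - {CLSID} - <path>" and the same shape for "O3 - Toolbar:".
HJT_COM_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.*)$"
)
# System Restore keeps copies under <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP\d+\\", re.IGNORECASE
)
# Quarantine folders to treat as archived copies. The ESET one is from the
# thread; that this list is complete is an assumption, extend it per product.
QUARANTINE_DIRS = ("\\eset\\infected\\",)


def orphaned_hjt_entries(log_text):
    """Return HijackThis O2/O3 lines whose COM server DLL is missing on disk."""
    orphans = []
    for line in log_text.splitlines():
        m = HJT_COM_RE.match(line.strip())
        if m and m.group("path").strip().lower() == "(no file)":
            orphans.append(line.strip())
    return orphans


def classify_hit(path):
    """Return 'restore-point', 'quarantine' or 'live' for one detection path.

    Everything after the first '=>' is the scanner descending into containers
    (an installer inside a quarantine file); only the on-disk prefix decides.
    """
    on_disk = path.split("=>", 1)[0]
    if RESTORE_RE.match(on_disk):
        return "restore-point"
    lowered = on_disk.lower()
    if any(q in lowered for q in QUARANTINE_DIRS):
        return "quarantine"
    return "live"


def triage(av_hits, hjt_log):
    """Group detections by the action they need, mirroring the moderator's steps."""
    buckets = {"live": [], "restore-point": [], "quarantine": []}
    for hit in av_hits:
        buckets[classify_hit(hit)].append(hit)
    buckets["hjt_orphans"] = orphaned_hjt_entries(hjt_log)
    return buckets


if __name__ == "__main__":
    result = triage(AV_HITS, HJT_SAMPLE)
    print("delete by hand (live files):", *result["live"], sep="\n  ")
    print("cleared by emptying restore points:", *result["restore-point"], sep="\n  ")
    print("cleared by emptying the other scanner's quarantine:", *result["quarantine"], sep="\n  ")
    print("HijackThis entries to 'Fix checked':", *result["hjt_orphans"], sep="\n  ")
```

Run as-is it puts pmkret.dll in the only bucket that needs a manual delete (step 2), the ESET quarantine hit under step 3, the restore-point hit under step 9, and lists exactly the three "(no file)" entries from step 5. The split on the first `=>` matters: without it the quarantine line would look like an ordinary Program Files path and be reported as a live infection.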
dodito (Newbie, Posts: 7)
Re: Trojans (incl. Zlob) deleted, keep coming back
« Reply #6 on: Jun 8th, 2008, 6:26am »

Hi there,  
 
I wanted to thank you for your fast reply and help. What happened was that after I posted everything, when I checked again I read that the server had a blowout. I waited another day, and since I felt very nervous about it all, I basically backed up normal files (not executables) in Safe Mode, ran a few scans of the external HDs, and wiped my HD clean and reinstalled Windows. Quite drastic, but so far I haven't had problems.
 
Will still buy the Trojan Hunter though, and I am running it now on a trial. Same with SuperAntiVirus..  
 
Thanks so much once again
 
Patrick

siliconman01 (Global Moderator, Posts: 5662)
Re: Trojans (incl. Zlob) deleted, keep coming back
« Reply #7 on: Jun 8th, 2008, 9:09am »

You are very welcome, and thanks much for your support.
 
Good luck on your journey to keeping your system out of the hands of the cybercrooks.  It's a constant struggle and vigilance...that's for sure.
 

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
dodito (Newbie, Posts: 7)
Re: Trojans (incl. Zlob) deleted, keep coming back
« Reply #8 on: Jun 8th, 2008, 10:32am »

I know.. they are a pest aren't they...