mattia74

virus Trojan.zlob


Please help me,

my Norton Antivirus has detected the virus Trojan.Zlob but I'm not able to remove it.

My internet default page has changed, and I have an alert pop-up in the task bar that says

"your computer is infected with last versone of internet trojan (iworm-attck-v122.02a)" or

"your computer performance has slowed down ..........".

Sometimes my browser is automatically redirected to porno sites.

Thanks

This is my HijackThis.log:

Logfile of HijackThis v1.98.2

Scan saved at 14.20.35, on 12/24/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\mssearchnet.exe

C:\Program Files\NavNT\vptray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Offline Course Player\OlpSynch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe

C:\Documents and Settings\Mattia\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [OLPSYNCH] C:\Program Files\Offline Course Player\OlpSynch.exe

O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm

O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Filter: text/html - {C00BDE70-757E-48E1-AEB5-E279BEDBE9B6} - C:\WINDOWS\System32\diih.dll

O18 - Filter: text/plain - {C00BDE70-757E-48E1-AEB5-E279BEDBE9B6} - C:\WINDOWS\System32\diih.dll


You are using an outdated version of HijackThis. Please download HijackThis version 1.99.1 from here:

http://www.downloads.subratam.org/hijackthis.zip

 

You are also running HijackThis from the desktop; please make sure to unzip it to its own permanent folder (e.g. C:\HijackStuff\HijackThis.exe, or you could have a folder named HijackFixers on your desktop and put it in there). Then please run HijackThis, click Scan and Save log, and post the new log here. I would be happy to take a look at it.


Thank you,

I have downloaded the latest version of HijackThis.

This is the new log:

Logfile of HijackThis v1.99.1

Scan saved at 14.22.05, on 12/25/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\mssearchnet.exe

C:\WINDOWS\system32\MsgSys.EXE

C:\Program Files\NavNT\vptray.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackStuff\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: Shell=

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{CBADEB47-8121-49CF-BB9B-F683074513A6}: NameServer = 193.70.152.15 193.70.152.25

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SpyDetectorWatcher - Unknown owner - C:\Program Files\SpyDetector\spywatcher.exe (file missing)


Download smitRem.exe © noahdfear and save the file to your desktop.

Double click on the file to extract it to its own folder on the desktop.

Please download Ewido Security Suite, it is a free version of the program.

  • Install ewido security suite
  • When installing the program, under "Additional Options" uncheck...
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should now be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
  • Close Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update ewido.

Ewido manual updates

 

Next, please reboot your computer in SafeMode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to the following items
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
  • F2 - REG:system.ini: Shell=
Close all other windows and browsers and click FIX CHECKED

 

Close HiJackThis.

 

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

 

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

 

Run Ewido:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

 

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

 

Reboot back into Windows scan your system with Ad-aware:

 

Ad-aware SE - Download - Home Page

If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.

After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.

Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Once the definitions have been updated:

 

Reconfigure Ad-Aware for Full Scan as per the following instructions:

  • Launch the program, and click on the Gear at the top of the start screen.
  • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
    • "Automatically save logfile"
    • "Automatically quarantine objects prior to removal"
    • "Safe Mode (always request confirmation)"
    • "Prompt to update outdated definitions" - Change to 7 days.
  • Click the "Scanning" button (On the left side).
  • Under Drives & Folders, select "Scan within Archives"
  • Click "Click here to select Drives + folders" and select your installed hard drives.
  • Under Memory & Registry, select all options.
  • Click the "Advanced" button (On the left hand side).
  • Under "Shell Integration", select "Move deleted files to Recycle Bin".
  • Under "Log-file detail", select all options.
  • Click on the "Defaults" button on the left.
  • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
  • Click the "Tweak" button (Again, on the left hand side).
  • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
    • "Unload recognized processes during scanning."
    • "Obtain command line of scanned processes"
    • "Scan registry for all users instead of current user only"
  • Under "Cleaning Engine", select the following:
    • "Automatically try to unregister objects prior to deletion."
    • "During removal, unload explorer and IE if necessary"
    • "Let Windows remove files in use at next reboot."
    • "Delete quarrantined objects after restoring"
  • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
  • Click on "Proceed" to save these Preferences.
  • Click on the "Scan Now" button on the left.
  • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".

     

    Close all programs except ad-aware.

    Click on "Next" in the bottom right corner to start the scan.

    Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.

    After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Lastly run this online virus scan: ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button

    - Enter your Country

    - Enter your State/Province

    - Enter your e-mail address and click send (*NOTE: it's perfectly safe to do so. You will NOT be spammed from this)

    - Select either Home User or Company

  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
Post the contents
  • of the Panda scan report
  • a new HijackThis Log
  • smitfiles.txt
  • Ewido Log
in a reply to this thread.
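As an added example (not from this thread, the helper, or HijackThis itself), here is a small Python triage script that applies the kind of review done above to HijackThis log lines: it flags the emptied F2 Shell= value and the R1 HomeOldSP entry the helper marks for fixing, the O18 text/* MIME filter and the publisher-less O23 service seen in the logs, and lists O17 NameServer entries for verification. The rule set, the sample lines (abbreviated from the logs posted here) and all function names are my own construction.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines modelled on the HijackThis v1.99.1
# logs posted in this thread (abbreviated; not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBADEB47-8121-49CF-BB9B-F683074513A6}: NameServer = 193.70.152.15 193.70.152.25
O18 - Filter: text/html - {C00BDE70-757E-48E1-AEB5-E279BEDBE9B6} - C:\WINDOWS\System32\diih.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
"""

# Every HijackThis entry starts with a section code (R0, F2, O18, ...) then " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

Finding = Tuple[str, str, str]  # (section, severity, reason)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis log line; None means nothing worth reviewing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    # F2: an emptied Shell= in system.ini means the shell value was tampered with.
    if sec == "F2" and re.search(r"Shell=\s*$", body):
        return (sec, "high", "system.ini Shell= value is empty or altered")
    # O18 Filter on text/html or text/plain: a pluggable MIME filter sees every
    # page IE renders, so an unknown DLL here can rewrite or redirect content.
    if sec == "O18" and body.startswith("Filter: text/"):
        return (sec, "high", "MIME filter on text/* content handled by an unknown DLL")
    # O23 with no publisher: legitimate services nearly always carry a company name.
    if sec == "O23" and "Unknown owner" in body:
        return (sec, "high", "service with no publisher")
    # O17: hard-coded DNS servers decide where every hostname resolves; verify them.
    if sec == "O17":
        return (sec, "review", "custom NameServer entries; confirm they belong to the ISP")
    # R1 HomeOldSP: a stored old start page value; review and remove if unwanted.
    if sec == "R1" and "HomeOldSP" in body:
        return (sec, "medium", "HomeOldSP value present; review and remove if unwanted")
    # Anything pointing at a file no longer on disk is an orphan: clean-up, not a threat.
    if "(file missing)" in body:
        return (sec, "low", "entry references a file that is no longer on disk")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the lines that need attention."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        finding = triage_line(raw)
        if finding is not None:
            findings.append(finding)
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings as {severity: count} for a quick first look."""
    counts: Dict[str, int] = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for section, severity, reason in results:
        print(f"[{severity:6}] {section}: {reason}")
    print(severity_counts(results))
```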


Hi jwbirdsong,

I followed all steps in your response.

I stopped some scans while scanning my local disk F because there are only photos and music on it.

I'm not able to attach any file to my post... maybe I'm not enabled by the administrator to do this!

So, you can see them here

 

Thank you

 

------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 13.49.02, on 12/26/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackStuff\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

F2 - REG:system.ini: Shell=

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SpyDetectorWatcher - Unknown owner - C:\Program Files\SpyDetector\spywatcher.exe (file missing)

------------------------------------------------------------------------------------------------------

 

smitRem © log file

version 2.8

 

by noahdfear

 

 

Microsoft Windows XP [Version 5.1.2600]

The current date is: lun 12/26/2005

The current time is: 13.55.20,48

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

checking for ShudderLTD key

 

ShudderLTD key not present!

 

checking for PSGuard.com key

 

 

PSGuard.com key not present!

 

spyaxe uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Existing Pre-run Files

 

 

~~~ Program Files ~~~

 

 

 

~~~ Shortcuts ~~~

 

 

 

~~~ Favorites ~~~

 

 

 

~~~ system32 folder ~~~

 

1024 dir

ld****.tmp

mssearchnet.exe

ncompat.tlb

mscornet.exe

logfiles

 

 

~~~ Icons in System32 ~~~

 

 

 

~~~ Windows directory ~~~

 

 

 

~~~ Drive root ~~~

 

 

~~~ Miscellaneous Files/folders ~~~

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 Craig.Peacock@beyondlogic.org

Killing PID 888 'explorer.exe'

 

Starting registry repairs

 

Deleting files

 

 

Remaining Post-run Files

 

 

~~~ Program Files ~~~

 

 

 

~~~ Shortcuts ~~~

 

 

 

~~~ Favorites ~~~

 

 

 

~~~ system32 folder ~~~

 

 

 

~~~ Icons in System32 ~~~

 

 

 

~~~ Windows directory ~~~

 

 

 

~~~ Drive root ~~~

 

 

 

~~~ Miscellaneous Files/folders ~~~

 

 

 

 

~~~ Wininet.dll ~~~

 

CLEAN! :)

 

------------------------------------------------------------------------------------------------------

 

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 15.09.47, 12/26/2005

+ Report-Checksum: A9BDD88B

 

+ Scan result:

 

F:\GIOCHI\Warcraft 3\FFF-Warcraft.3.Reign.of.Chaos_KEYGEN.zip/start.exe -> Downloader.IstBar : Ignored

F:\GIOCHI\Warcraft 3\start.exe -> Downloader.IstBar : Ignored

:mozilla.6:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Hitbox : Ignored

:mozilla.10:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Ignored

:mozilla.11:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored

:mozilla.29:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Hitbox : Ignored

:mozilla.32:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored

:mozilla.34:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Com : Ignored

:mozilla.35:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Com : Ignored

:mozilla.39:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Ignored

:mozilla.40:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored

:mozilla.43:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.2o7 : Ignored

:mozilla.49:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Fastclick : Ignored

:mozilla.58:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Advertising : Ignored

:mozilla.61:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Hitbox : Ignored

:mozilla.65:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

:mozilla.66:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

:mozilla.67:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

:mozilla.68:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

:mozilla.74:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Atdmt : Ignored

:mozilla.76:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Hitbox : Ignored

:mozilla.77:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored

:mozilla.79:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored

:mozilla.80:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored

:mozilla.89:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Advertising : Ignored

:mozilla.115:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Ignored

:mozilla.116:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored

:mozilla.121:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

:mozilla.122:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

:mozilla.123:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

:mozilla.124:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Falkag : Ignored

F:\Mattia\Lubiana\VIDEO.AVI.exe -> Dialer.Generic : Ignored

HKLM\SOFTWARE\Classes\CLSID\{DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} -> Spyware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\TypeLib\{C89E0F84-3C34-43D1-A72C-AF1A160A7C07} -> Spyware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Dbi -> Spyware.BetterInternet : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Cleaned with backup

HKLM\SOFTWARE\sr -> Spyware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\sr\sr -> Spyware.CoolWebSearch : Cleaned with backup

C:\dlltmp.exe -> Trojan.Bizten : Cleaned with backup

C:\Documents and Settings\Mattia\Cookies\mattia@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

C:\WINDOWS\fktyg.exe -> Dropper.Tibsis.a : Cleaned with backup

C:\WINDOWS\homepage.htm -> Spyware.Hijacker.Generic : Cleaned with backup

C:\WINDOWS\m7.exe -> Downloader.Swizzor.bt : Cleaned with backup

C:\WINDOWS\odbs.log -> Spyware.Hijacker.Generic : Cleaned with backup

C:\WINDOWS\rocky2.exe -> Logger.Briss.h : Cleaned with backup

C:\WINDOWS\system\teen.exe -> Not-A-Virus.Pornware.Downloader.Tibsystems.a : Cleaned with backup

C:\WINDOWS\tnmng.exe -> Downloader.Small.il : Cleaned with backup

C:\WINDOWS\winum32.exe -> Downloader.Agent.ap : Cleaned with backup

:mozilla.78:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup

:mozilla.81:F:\Luca\Fisica\Fisica delle Particelle Elementari\Droide5\.mozilla\default\bxr4q96d.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup

 

 

::Report End

 

------------------------------------------------------------------------------------------------------

 

 

Incident Status Location

 

Dialer:dialer.cos Not desinfected C:\Documents and Settings\Mattia\Favorites\exsplorer.lnk

Dialer:Dialer.PK Not desinfected C:\Documents and Settings\Mattia74\Local Settings\Temporary Internet Files\Content.IE5\G9OWMRT3\EPlugin_IT[1].cab[EPlugin.inf]

Adware:Adware/WinTools Not desinfected C:\Program Files\ASUS Features\insthlp.dat

Adware:Adware/CWS Not desinfected C:\WINDOWS\color.css

Adware:Adware/SAHAgent Not desinfected C:\WINDOWS\inf\bi.inf

Spyware:Spyware/BetterInet Not desinfected C:\WINDOWS\inf\biini.inf

Adware:Adware/CWS Not desinfected C:\WINDOWS\system.sam

Adware:adware/cashsaver Not desinfected C:\WINDOWS\system32\CSUninstall.exe

Adware:Adware/Stopzilla Not desinfected C:\WINDOWS\system32\StopzillaBH0.dll

Adware:Adware/IST.ISTBar Not desinfected F:\GIOCHI\Warcraft 3\FFF-Warcraft.3.Reign.of.Chaos_KEYGEN.zip[start.exe]

Adware:Adware/IST.ISTBar Not desinfected F:\GIOCHI\Warcraft 3\start.exe


mattia74

Sorry, I seem to have let this post slip through the cracks...

 

Would you boot to safe mode and delete all the files that Panda didn't clean:

C:\Documents and Settings\Mattia\Favorites\exsplorer.lnk

C:\WINDOWS\color.css

C:\WINDOWS\inf\bi.inf

C:\WINDOWS\inf\biini.inf

C:\WINDOWS\system.sam

C:\WINDOWS\system32\CSUninstall.exe

C:\WINDOWS\system32\StopzillaBH0.dll

F:\GIOCHI\Warcraft 3\FFF-Warcraft.3.Reign.of.Chaos_KEYGEN.zip[start.exe]

F:\GIOCHI\Warcraft 3\start.exe

 

Then reboot and post a fresh HJT log, along with any message regarding how your system is running.
