BleepingComputer.com: Infected with Trojan-Spy.Zbot, Trojan-Downloader.Tiny.ID

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Infected with Trojan-Spy.Zbot, Trojan-Downloader.Tiny.ID Don't know how to remove it

#1 User is offline   scottatmu 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 7
  • Joined: 09-January 09

Posted 09 January 2009 - 03:15 PM

I ran a few anti-spyware programs to check my computer out as it was acting a little weird and got alerted to:

Trojan-Spy.Zbot
Trojan-Downloader.Tiny.ID

And can't figure out how to remove them.

What was causing my concern with the Internet Explorer .exe file was not being removed from my processes after I closed it down and also was having problems where I couldn't open up any more window or right-click and pull up any menus.


DDS (Ver_09-01-07.01) - NTFSx86
Run by Scott at 14:02:19.54 on Fri 01/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Disabled:{145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - No File
BHO: Disabled:{206E52E0-D52E-11D4-AD54-0000E86C26F6} - No File
BHO: ReadMe-BHODemon - No File
BHO: Disabled:{22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
BHO: Disabled:{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: Disabled:{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Disabled:{7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Disabled:{AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Disabled:{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Disabled:{C451C08A-EC37-45DF-AAAD-18B51AB5E837} - No File
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: : {206e52e0-d52e-11d4-ad54-0000e86c26f6} - c:\progra~1\freshd~1\freshd~1\fdcatch.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AnVir Task Manager] "c:\program files\anvir task manager\AnVir.exe" Minimized
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CMCService] "c:\program files\ati\catalyst media center\CMCService.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
uPolicies-explorer: SearchOptionsEx = 1087227 (0x1096fb)
uPolicies-explorer: ExSearchOptions = 1153197 (0x1198ad)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 0 (0x0)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
mPolicies-explorer: <NO NAME> =
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\nuclea~1\videoget\plugins\VIDEOG~1.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\7gcrug9v.default\
FF - plugin: c:\documents and settings\scott\application

data\mozilla\firefox\profiles\7gcrug9v.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 4\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 4\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-09 13:36 268 a---h--- C:\sqmdata02.sqm
2009-01-09 13:36 244 a---h--- C:\sqmnoopt02.sqm
2009-01-09 11:53 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-09 11:53 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-09 11:53 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-09 11:53 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-09 11:53 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-09 11:53 <DIR> --d----- c:\docume~1\scott\applic~1\PC Tools
2009-01-06 08:40 244 a---h--- C:\sqmnoopt01.sqm
2009-01-06 08:40 232 a---h--- C:\sqmdata01.sqm
2009-01-04 21:40 87,040 a------- c:\windows\system32\dllcache\wiafbdrv.dll
2009-01-04 21:39 103,936 a------- c:\windows\system32\dllcache\sx.sys
2009-01-04 21:38 495,616 a------- c:\windows\system32\dllcache\sblfx.dll
2009-01-04 21:37 14,336 a------- c:\windows\system32\dllcache\padrs412.dll
2009-01-04 21:36 1,875,968 a------- c:\windows\system32\dllcache\msir3jp.lex
2009-01-04 21:35 6,656 a------- c:\windows\system32\dllcache\kbdlk41a.dll
2009-01-04 21:34 8,576 a------- c:\windows\system32\dllcache\hidgame.sys
2009-01-04 21:33 28,062 a------- c:\windows\system32\dllcache\dp83820.sys
2009-01-04 21:32 13,312 a------- c:\windows\system32\dllcache\chglogon.exe
2009-01-04 21:31 82,172 a------- c:\windows\system32\dllcache\bopomofo.nls
2009-01-04 21:31 66,728 a------- c:\windows\system32\dllcache\big5.nls
2009-01-04 21:31 45,056 a------- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-01-04 21:31 19,456 a------- c:\windows\system32\dllcache\agt0804.dll
2009-01-04 21:31 19,456 a------- c:\windows\system32\dllcache\agt0412.dll
2009-01-04 21:31 19,456 a------- c:\windows\system32\dllcache\agt0411.dll
2009-01-04 21:31 19,456 a------- c:\windows\system32\dllcache\agt040d.dll
2009-01-04 21:31 19,456 a------- c:\windows\system32\dllcache\agt0404.dll
2009-01-04 21:31 19,456 a------- c:\windows\system32\dllcache\agt0401.dll
2009-01-04 21:31 5,632 a------- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-01-04 21:19 13,824 a------- c:\windows\system32\dllcache\bulltlp3.sys
2009-01-04 21:18 24,576 a------- c:\windows\system32\dllcache\agcgauge.ax
2009-01-04 21:17 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-01-02 16:56 <DIR> --d----- c:\program files\a-squared Free
2008-12-29 09:53 <DIR> --d----- c:\docume~1\scott\applic~1\Moyea
2008-12-29 09:53 <DIR> --d----- c:\program files\Moyea

==================== Find3M ====================

2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-30 10:16 87,608 a------- c:\docume~1\scott\applic~1\inst.exe
2008-10-30 10:16 47,360 a------- c:\docume~1\scott\applic~1\pcouffin.sys
2008-10-24 05:10 453,632 a------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 a------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 07:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-03-30 20:45 256 a------- c:\documents and settings\scott\pool.bin
2008-02-26 15:33 14,290 a------- c:\program files\settings.dat
2006-11-03 15:37 92,064 a------- c:\documents and settings\scott\mqdmmdm.sys
2006-11-03 15:37 79,328 a------- c:\documents and settings\scott\mqdmserd.sys
2006-11-03 15:37 66,656 a------- c:\documents and settings\scott\mqdmbus.sys
2006-11-03 15:37 25,600 a------- c:\documents and settings\scott\usbsermptxp.sys
2006-11-03 15:37 22,768 a------- c:\documents and settings\scott\usbsermpt.sys
2006-11-03 15:37 9,232 a------- c:\documents and settings\scott\mqdmmdfl.sys
2006-11-03 15:37 6,208 a------- c:\documents and settings\scott\mqdmcmnt.sys
2006-11-03 15:37 5,936 a------- c:\documents and settings\scott\mqdmwhnt.sys
2006-11-03 15:37 4,048 a------- c:\documents and settings\scott\mqdmcr.sys
2005-10-26 09:55 19,942,400 a------- c:\program files\alroker.avi
2004-08-24 23:16 3,205 a------- c:\program files\news_insert.php
2005-05-20 08:44 511,464 a--sh--- c:\windows\cvsssv.ini2
2005-11-10 23:11 273,058 a--sh--- c:\windows\system32\ghhkj.bak1

============= FINISH: 14:03:36.10 ===============

Attached File(s)


#2 User is offline   suebaby41 

  • W.A.M. (Women Against Malware)
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,247
  • Joined: 03-January 05
  • Location:South Carolina, USA

Posted 25 January 2009 - 01:18 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate
Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 User is offline   suebaby41 

  • W.A.M. (Women Against Malware)
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 6,247
  • Joined: 03-January 05
  • Location:South Carolina, USA

Posted 02 February 2009 - 08:55 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate
Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users