
Trojan Problem


  • This topic is locked
6 replies to this topic

#1 Nabes

  • Members

Posted 29 April 2008 - 09:29 AM

Hey guys, I got a problem with a Trojan virus that doesn't seem to want to disappear. Spybot shows it as:

Win32.AutoRun.aiv: [SBI $BB1CF91C] Settings (Registry key)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Pml Driver HPZ12

I clicked on the Fix Problems button and it says it's fine but when I restart my computer, it's there again. Can anyone give me a hand?



#2 DaChew

  • BC Advisor

Posted 29 April 2008 - 10:10 AM

http://www.kaspersky.com/virusscanner

Please run this scanner and post the log.
Chewy

No. Try not. Do... or do not. There is no try.

#3 Nabes

  • Topic Starter
  • Members

Posted 29 April 2008 - 01:05 PM

Thanks for the fast reply.

Tuesday, April 29, 2008 7:01:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 653861
Scan Settings
  Scan using the following antivirus database: standard
  Scan Archives: true
  Scan Mail Bases: true
Scan Target: Critical Areas
  C:\WINDOWS
  C:\DOCUME~1\WEICHA~1\LOCALS~1\Temp\
Scan Statistics
  Total number of scanned objects: 21798
  Number of viruses found: 0
  Number of infected objects: 0
  Number of suspicious objects: 0
  Duration of the scan process: 00:16:11


The webscan didn't find anything, nor did SuperAntiSpyware, but Spybot is still picking it up. Oh, I can't close my McAfee anti-virus down because it can't be disabled (school version).

Memory Scan Report is empty. Scanning Disk Drives.

Edited by Nabes, 29 April 2008 - 01:09 PM.


#4 DaChew

  • BC Advisor

Posted 29 April 2008 - 02:27 PM

http://www.bleepingcomputer.com/forums/ind...st&p=810343

Try this safe mode approach.
Chewy


#5 Nabes

  • Topic Starter
  • Members

Posted 30 April 2008 - 06:07 AM

Thanks for the quick reply, DaChew, but unfortunately that method did not find the trojan and did not remove it (the safe mode scan did not detect it). I checked with Spybot again today and it's still there. Could this be a false positive? I mean, it's latched onto my HP printing software.

#6 DaChew

  • BC Advisor

Posted 30 April 2008 - 08:21 AM

Could this be a false positive?


It probably is, but has there been an updated printer software/driver released?

I never did like this "push" technology when it all started several years back.

Edited by DaChew, 30 April 2008 - 08:22 AM.

Chewy


#7 TMacK

  • Members

Posted 30 April 2008 - 11:31 AM

Hi Nabes,

I have moved your HijackThis log to the Misplaced HJT Logs forum.
Please follow all directions that I've posted as a reply to your log.
By following these instructions, it will ensure that your HJT log is taken care of in the most timely manner.
Your log can be found at this link:
http://www.bleepingcomputer.com/forums/top...tml#entry812216

Since you have posted a HJT log, I'm going to close this topic.
From this point on, the HijackThis Team are the only members you should take advice from, until your log has been declared clean.
If you have any questions, don't hesitate to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



