Zlob Trojan Infection: Help!


20 replies to this topic

#1 Hayley J.


Posted 02 October 2008 - 02:01 AM

Hello,

I got this trojan earlier today and have been battling it for nearly five hours. I did all the prep work, as well as using the F-Secure F-spyaxe registry edit, RogueRemover, and SmitFraudFix. The icon on my start bar is gone, as are the pop-ups, but I am not entirely sure it is gone. I would like to know if it is safe for me to allow the changes that my SpyBot S&D pops up with about the registry (asking to remove the things like: command /c del "C:\Program Files\Applications\iebtm.exe" and replace them with nothing). Thank you in advance for any help you can provide. Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:31:26, on 10/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\student\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Documents and Settings\student\Local Settings\Application Data\CyberDefender\cdmyidd.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB5798] command /c del "C:\Program Files\UAV\uav1.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9164] cmd /c del "C:\Program Files\UAV\uav1.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5788] command /c del "C:\Program Files\Applications\iebt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5224] cmd /c del "C:\Program Files\Applications\iebt.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8772] command /c del "C:\Program Files\Applications\iebtm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2661] cmd /c del "C:\Program Files\Applications\iebtm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7791] command /c del "C:\Program Files\Applications\iebu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6458] cmd /c del "C:\Program Files\Applications\iebu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9681] command /c del "C:\Program Files\Applications\iebtmm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8741] cmd /c del "C:\Program Files\Applications\iebtmm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7946] command /c del "C:\Program Files\Applications\iebtu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4749] cmd /c del "C:\Program Files\Applications\iebtu.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2963] command /c del "C:\Program Files\Applications\myd.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6314] cmd /c del "C:\Program Files\Applications\myd.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7414] command /c del "C:\Program Files\Applications\mym.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1367] cmd /c del "C:\Program Files\Applications\mym.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7572] command /c del "C:\Program Files\Applications\myp.ico"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2098] cmd /c del "C:\Program Files\Applications\myp.ico"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202844504203
O18 - Protocol hijack: IW - {F4CB1DC2-BF71-42F5-81AB-4606998A6B56}
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9863 bytes


#2 steamwiz


Posted 02 October 2008 - 04:15 PM

Hi

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 Hayley J.


Posted 02 October 2008 - 07:30 PM

I ran this earlier today (before I saw your post) and it found 14 instances of the Zlob Trojan and Trojan BHO. This time, this is my log:

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 3

10/2/2008 8:28:11 PM
mbam-log-2008-10-02 (20-28-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 95014
Time elapsed: 2 hour(s), 48 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




My firewall still keeps saying that another IP is trying to access my computer, though. I will work on the ComboFix and reply soon. Thanks for your help!

#4 steamwiz


Posted 03 October 2008 - 02:32 PM

Hi

That just shows a clean log, as I'm sure you are aware ...

I would like to know if it is safe for me to allow the changes that my SpyBot S&D pops up with about the registry (asking to remove the things like: command /c del "C:\Program Files\Applications\iebtm.exe" and replace them with nothing).


According to hijackthis you did allow the changes ... which is OK because they do refer to malware ...

What is this other IP which is trying to access your computer? Would you send it to me in PM please? DON'T post it here ... if it's malware related I don't want anyone accidentally going to it.

I await your Combofix log ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
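The check steamwiz makes above (the RunOnce entries are Spybot deletion commands, so what matters is which files they name) can be done mechanically over a HijackThis log. The parser below is an added example, not code from the thread or from HijackThis or Spybot; the sample log lines are constructed from the O4 entries quoted in the thread, and the `executable_of` heuristic for unquoted command lines is my own assumption about how to read them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape HijackThis prints O4 lines (the entries are copied
# from the log quoted in the thread; non-O4 lines stand in for the rest of a log).
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8772] command /c del "C:\Program Files\Applications\iebtm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2661] cmd /c del "C:\Program Files\Applications\iebtm.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5798] command /c del "C:\Program Files\UAV\uav1.dat"
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command line>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# "command /c del" and "cmd /c del" are the two forms Spybot S&D writes into RunOnce.
DEL_RE = re.compile(r'^(?:command|cmd)(?:\.exe)?\s+/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$',
                    re.IGNORECASE)
EXE_EXTS = ('.exe', '.dll', '.cmd', '.bat', '.com', '.scr')


@dataclass
class O4Entry:
    hive: str      # HKLM or HKCU
    key: str       # Run or RunOnce
    name: str      # value name, e.g. SpybotDeletingB8772
    command: str   # raw command line as HijackThis shows it

    @property
    def deletes(self) -> Optional[str]:
        """Path this entry will delete at next logon, if it is a deletion entry."""
        m = DEL_RE.match(self.command)
        return m.group('path') if m else None


def parse_o4_entries(log_text: str) -> List[O4Entry]:
    """Collect every O4 (autostart) line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(O4Entry(m['hive'], m['key'], m['name'], m['cmd']))
    return entries


def executable_of(command: str) -> str:
    """Best-effort extraction of the program a Run value launches (assumed heuristic)."""
    command = command.strip()
    if command.startswith('"'):                      # quoted path: take the quoted part
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(' ')                      # unquoted: grow until a known extension
    for i in range(1, len(tokens) + 1):
        candidate = ' '.join(tokens[:i])
        if candidate.lower().endswith(EXE_EXTS):
            return candidate
    return tokens[0]


def deletion_targets(entries: List[O4Entry]) -> List[str]:
    """Unique file paths that RunOnce deletion entries will remove, in log order."""
    seen, targets = set(), []
    for e in entries:
        p = e.deletes
        if e.key.lower() == 'runonce' and p and p.lower() not in seen:
            seen.add(p.lower())
            targets.append(p)
    return targets


def autostart_programs(entries: List[O4Entry]) -> dict:
    """Map each persistent Run value to the executable it launches (RunOnce excluded)."""
    return {e.name: executable_of(e.command) for e in entries if e.key.lower() == 'run'}


if __name__ == '__main__':
    ents = parse_o4_entries(SAMPLE_HJT_LOG)
    for name, exe in autostart_programs(ents).items():
        print(f'autostart   {name:20s} -> {exe}')
    for path in deletion_targets(ents):
        print(f'will delete {path}')
```

Separating the persistent Run values from the one-shot RunOnce deletions makes the question in the first post concrete: the deletion list is exactly the set of files Spybot intends to remove, and each of those paths can then be checked against what the other scanners reported before the change is allowed.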

#5 Hayley J.


Posted 05 October 2008 - 09:40 PM

Here is my ComboFix log:

ComboFix 08-10-02.04 - Hayley James 2008-10-05 22:21:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.580 [GMT -4:00]
Running from: C:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV


((((((((((((((((((((((((( Files Created from 2008-09-06 to 2008-10-06 )))))))))))))))))))))))))))))))
.

2008-10-05 20:20 . 2008-10-05 20:20 <DIR> d-------- C:\Documents and Settings\student\Application Data\Verizon
2008-10-05 20:19 . 2008-10-05 21:31 <DIR> d-------- C:\Program Files\Verizon
2008-10-05 20:19 . 2008-10-05 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Verizon
2008-10-02 22:02 . 2008-10-05 21:01 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-10-02 20:50 . 2008-10-02 20:51 1,354,880 --a------ C:\Verizon_Servicepoint_Setup_RPS.exe
2008-10-02 20:06 . 2008-10-02 20:08 3,730,504 --a------ C:\pcdocpro.exe
2008-10-02 17:52 . 2008-10-02 17:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-02 17:49 . 2008-10-02 17:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-02 17:49 . 2008-10-02 17:49 <DIR> d-------- C:\Documents and Settings\student\Application Data\SUPERAntiSpyware.com
2008-10-02 17:46 . 2008-10-02 17:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-02 17:41 . 2008-10-02 17:45 2,885,948 -ra------ C:\ComboFix.exe
2008-10-02 17:34 . 2008-10-02 19:04 34,888,136 --a------ C:\a2AntiMalwareSetup.exe
2008-10-02 17:34 . 2008-10-02 17:45 6,634,008 --a------ C:\SUPERAntiSpyware.exe
2008-10-02 13:31 . 2008-10-02 13:31 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-02 13:31 . 2008-10-02 13:31 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-02 13:31 . 2008-10-02 13:31 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-02 13:31 . 2008-10-02 13:31 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-02 12:34 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-02 12:34 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-02 12:31 . 2008-10-02 12:31 2,189,864 --a------ C:\mbam-setup.exe
2008-10-02 03:49 . 2008-10-02 03:49 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-10-02 03:12 . 2008-10-05 22:26 5,267,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-02 03:12 . 2008-10-05 22:26 62,756 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-02 03:02 . 2008-10-02 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-02 03:01 . 2008-10-02 03:07 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-10-02 03:00 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-10-02 03:00 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-10-02 02:59 . 2008-10-02 02:59 <DIR> d-------- C:\Program Files\Zone Labs
2008-10-02 02:58 . 2008-10-05 22:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-10-02 02:40 . 2008-10-02 02:41 210,416 --a------ C:\zaSetup_en.exe
2008-10-02 02:29 . 2008-10-02 02:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-02 02:29 . 2008-10-02 02:29 812,344 --a------ C:\HJTInstall.exe
2008-10-02 02:07 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-10-02 02:07 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-10-02 02:07 . 2008-10-01 15:51 87,552 --a------ C:\WINDOWS\system32\VACFix.exe
2008-10-02 02:07 . 2008-09-19 12:26 82,944 --a------ C:\WINDOWS\system32\o4Patch.exe
2008-10-02 02:07 . 2008-09-19 12:26 82,944 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-10-02 02:07 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-10-02 02:07 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-10-02 02:07 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-10-02 01:48 . 2007-12-24 17:37 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-02 01:47 . 2008-10-02 01:48 173,456 --a------ C:\FixVundo.exe
2008-10-02 01:45 . 2008-10-02 07:25 <DIR> d-------- C:\Documents and Settings\student\Application Data\HouseCall 6.6
2008-10-02 01:40 . 2008-08-25 11:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-02 01:40 . 2008-08-25 11:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-02 01:40 . 2008-08-25 11:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-02 01:40 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-02 01:39 . 2008-10-02 03:55 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-10-02 01:39 . 2008-10-02 01:39 <DIR> d-------- C:\Documents and Settings\student\Application Data\PC Tools
2008-10-02 01:34 . 2008-10-02 01:34 74 --a------ C:\WINDOWS\st_affiliate.ini
2008-10-02 01:24 . 2008-10-02 02:08 2,214 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-02 01:23 . 2008-10-03 08:55 <DIR> d-------- C:\SmitfraudFix
2008-10-02 00:50 . 2008-10-03 08:55 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-10-02 00:39 . 2008-10-02 00:55 15,282,368 --a------ C:\InstallCyberDefenderEDC-595073.exe
2008-10-02 00:39 . 2008-10-02 00:44 3,322,376 --a------ C:\XoftSpySE_Setup.exe
2008-10-02 00:35 . 2008-10-02 00:45 8,078,520 --a------ C:\SpyHunter-Scanner-Install.exe
2008-10-02 00:19 . 2008-10-02 00:21 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-10-02 00:17 . 2008-10-02 00:18 690,568 --a------ C:\rr-free-setup.exe
2008-10-01 23:46 . 2008-10-01 23:46 <DIR> d-------- C:\Documents and Settings\student\Application Data\Malwarebytes
2008-10-01 23:45 . 2008-10-01 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-01 23:41 . 2008-10-02 12:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-01 22:39 . 2008-10-01 22:40 744 --a------ C:\WINDOWS\wininit.ini
2008-10-01 21:48 . 2008-10-02 00:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-01 21:48 . 2008-10-02 01:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-01 21:15 . 2008-10-01 21:42 20,355,856 --a------ C:\sdsetup.exe
2008-10-01 20:00 . 2008-10-01 21:40 15,083,520 --a------ C:\spybotsd160.exe
2008-09-12 13:12 . 2008-09-12 13:33 27,288,880 --a------ C:\QuickTimeInstaller.exe
2008-09-12 08:32 . 2008-09-12 08:32 <DIR> d-------- C:\Program Files\iTunes
2008-09-12 08:32 . 2008-09-12 08:32 <DIR> d-------- C:\Program Files\iPod
2008-09-12 08:32 . 2008-09-12 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-12 08:31 . 2008-09-12 08:31 <DIR> d-------- C:\Program Files\Bonjour
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 02:31 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-10-02 23:06 --------- d-----w C:\Documents and Settings\student\Application Data\.purple
2008-10-02 22:03 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-02 01:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-12 18:51 --------- d-----w C:\Program Files\QuickTime
2008-09-12 12:32 15,360 ------w C:\WINDOWS\system32\oanlvs.dll
2008-09-12 12:30 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-02 20:39 486,128 ----a-w C:\ChromeSetup.exe
2008-08-29 14:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-25 09:04 1,277,688 ----a-w C:\couponprinter.exe
2008-08-25 09:04 --------- d-----w C:\Program Files\Coupons
2008-08-08 01:39 --------- d-----w C:\Program Files\Apple Software Update
2008-08-05 22:23 22,718,496 ----a-w C:\avinstall.exe
2008-07-28 00:52 11,599,984 ----a-w C:\PPGRE31.exe
2008-07-25 21:39 1,495,112 ----a-w C:\install_flash_player.exe
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 02:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-09 13:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-02-21 20:57 98,752 ----a-w C:\WINDOWS\inf\UIU\A11\aeaudio.sys
2008-02-21 20:56 995,328 ----a-w C:\WINDOWS\inf\UIU\A1\W20MLRES.dll
2008-02-21 20:55 956,026 ----a-w C:\WINDOWS\inf\UIU\ialmdd5.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="C:\Documents and Settings\student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5798"="command" [X]
"SpybotDeletingD9164"="del" [X]
"SpybotDeletingB5788"="command" [X]
"SpybotDeletingD5224"="del" [X]
"SpybotDeletingB8772"="command" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-02-21 4632576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-10-05 2776720]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-16 2065648]
"BCMSMMSG"="BCMSMMSG.exe" [2008-02-21 C:\WINDOWS\BCMSMMSG.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Novell\\GroupWise\\grpwise.exe"=
"C:\\Novell\\GroupWise\\notify.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-nwiz - nwiz.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\7spn1kt0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://news.bbc.co.uk/
FF -: plugin - C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\7spn1kt0.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - C:\Documents and Settings\student\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 22:28:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-10-05 22:34:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-06 02:33:49

Pre-Run: 75,883,651,072 bytes free
Post-Run: 76,053,323,776 bytes free

218 --- E O F --- 2008-10-02 17:48:01

#6 steamwiz


Posted 06 October 2008 - 04:43 PM

Hi

Your Combofix log shows just one piece of malware :-

2008-09-12 12:32 15,360 ------w C:\WINDOWS\system32\oanlvs.dll

This is a Zlob trojan which SmitfraudFix was updated to remove yesterday, Sunday, October 5, 2008.

http://siri-urz.blogspot.com/

first delete the Smitfraudfix program which you have

I am giving you 2 sets of instructions to run SmitfraudFix

The first set of instructions will find the bad files...
The second set of instructions will delete the bad files...

Both sets of instructions will generate a logfile, I need to see BOTH logfiles ... so save the first one somewhere you can find it again, and when you have the second one ... post them both in your next post here

I need to see the log files to make sure the trojan was deleted

First instructions ... find files

Download: SmitfraudFix.zip from :-

http://siri.urz.free.fr/Fix/SmitfraudFix.zip (the file contains both English and French versions)

1. Download to your desktop
2. Unzip the zip file to your desktop (they will be extracted to a folder called SmitfraudFix)
3. Double-click smitfraudfix.cmd
4. Select 1 and hit Enter to create a report of the infected files
5. find the C:\rapport.txt file and change the name of the text file to REPORT1.txt ... otherwise it will be overwritten when you run the next set of instructions.


Second instructions ... delete files

1. Reboot into >>>safe mode
2. Double-click smitfraudfix.cmd
3. Select 2 and hit Enter to delete infected files
4. You will be prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection
5. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file? Answer Y (yes) and hit Enter to restore a clean file
6. A reboot may be needed to finish the cleaning process.

The report can be found at the root of the system drive, usually at C:\rapport.txt ... Post the contents of the C:\rapport.txt file + the C:\REPORT1.txt in your next post here... + a new hijackthis log.

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

If after running the program, you end up with a blank desktop background ... Right click the desktop > properties > desktop tab > & reset your background...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#7 Hayley J.

Hayley J.
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:18 PM

Posted 06 October 2008 - 06:48 PM

Here is the first SmitfraudFix:

SmitFraudFix v2.356

Scan done at 18:38:28.35, Mon 10/06/2008
Run from C:\Documents and Settings\student\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\student


C:\Documents and Settings\student\Application Data


Start Menu


C:\DOCUME~1\student\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Dell Wireless 1450 Dual Band WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 208.254.204.18
DNS Server Search Order: 208.254.204.17

HKLM\SYSTEM\CCS\Services\Tcpip\..\{183C8679-84C4-40D6-8398-65B6E9D0709D}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS1\Services\Tcpip\..\{183C8679-84C4-40D6-8398-65B6E9D0709D}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS2\Services\Tcpip\..\{183C8679-84C4-40D6-8398-65B6E9D0709D}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DC12A7AF-47CF-464E-B4D1-3BCFA44F1A46}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS3\Services\Tcpip\..\{183C8679-84C4-40D6-8398-65B6E9D0709D}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.254.204.18 208.254.204.17


Scanning for wininet.dll infection


End




Here is the second:
SmitFraudFix v2.356

Scan done at 19:36:38.58, Mon 10/06/2008
Run from C:\Documents and Settings\student\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


AntiXPVSTFix

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{183C8679-84C4-40D6-8398-65B6E9D0709D}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS1\Services\Tcpip\..\{183C8679-84C4-40D6-8398-65B6E9D0709D}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS3\Services\Tcpip\..\{183C8679-84C4-40D6-8398-65B6E9D0709D}: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.254.204.18 208.254.204.17
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.254.204.18 208.254.204.17


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:57, on 10/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\student\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202844504203
O18 - Protocol hijack: IW - {F4CB1DC2-BF71-42F5-81AB-4606998A6B56}
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8066 bytes

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 06 October 2008 - 07:15 PM

HI Hayley

All those logs are clean ...

Please go here and upload this file ...

C:\WINDOWS\system32\oanlvs.dll

http://www.virustotal.com/flash/index_en.html

Click the browse button & browse to the file on your computer

Post back the results ... right click on the page > select all

right click again copy

post the results in your next post here...

steam

#9 Hayley J.

Hayley J.
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:18 PM

Posted 06 October 2008 - 08:43 PM

Virus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File oanlvs.dll received on 10.06.2008 10:17:02 (CET)
Current status: finished
Result: 13/36 (36.11%)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.3.2 2008.10.06 Win-AppCare/Agent.15360.B
AntiVir 7.8.1.34 2008.10.06 TR/Fakealert.adp
Authentium 5.1.0.4 2008.10.05 -
Avast 4.8.1248.0 2008.10.05 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.10.05 Generic11.AOUQ
BitDefender 7.2 2008.10.06 -
CAT-QuickHeal 9.50 2008.10.06 -
ClamAV 0.93.1 2008.10.06 -
DrWeb 4.44.0.09170 2008.10.06 -
eSafe 7.0.17.0 2008.10.05 -
eTrust-Vet 31.6.6131 2008.10.06 -
Ewido 4.0 2008.10.05 -
F-Prot 4.4.4.56 2008.10.05 -
F-Secure 8.0.14332.0 2008.10.06 Hoax.Win32.Agent.gb
Fortinet 3.113.0.0 2008.10.06 -
GData 19 2008.10.06 Win32:Trojan-gen {Other}
Ikarus T3.1.1.34.0 2008.10.06 -
K7AntiVirus 7.10.484 2008.10.04 -
Kaspersky 7.0.0.125 2008.10.06 Hoax.Win32.Agent.gb
McAfee 5398 2008.10.04 FakeAlert-S.dll
Microsoft 1.4005 2008.10.06 -
NOD32 3495 2008.10.04 Win32/TrojanDownloader.FakeAlert.KO
Norman 5.80.02 2008.10.03 -
Panda 9.0.0.4 2008.10.05 -
PCTools 4.4.2.0 2008.10.05 -
Prevx1 V2 2008.10.06 Malicious Software
Rising 20.65.01.00 2008.10.06 -
SecureWeb-Gateway 6.7.6 2008.10.06 Trojan.Fakealert.adp
Sophos 4.34.0 2008.10.06 Mal/FakeAlert-A
Sunbelt 3.1.1704.1 2008.10.05 -
Symantec 10 2008.10.06 Trojan.Fakeavalert
TheHacker 6.3.1.0.101 2008.10.04 -
TrendMicro 8.700.0.1004 2008.10.06 -
VBA32 3.12.8.6 2008.10.05 -
ViRobot 2008.10.6.1407 2008.10.06 -
VirusBuster 4.5.11.0 2008.10.05 -

Additional information
File size: 15360 bytes
MD5...: afb390569432f594fd3a2e71b6c50c12
SHA1..: 62ab9477465eea86cb26ee53cafe569a9925cd59
SHA256: d792c24df3362e2383dabbe83ef502b411f77a3f756ed12095d11e254bba41b9
SHA512: 5a736ccfbb551edddf94af73aad76222c98a74a07bc72b683dde3fe1c397ed87
30e1ecd9ee468803be378953ab3a068f9c10c5f28de4e388efa74dea5b214fa4
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ 4.x (85.8%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.2%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000196b
timedatestamp.....: 0x48de7aa2 (Sat Sep 27 18:25:38 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1452 0x1600 5.45 b085e114b1678993aac023c87e2ec307
.rdata 0x3000 0x714 0x800 4.59 b79aaaf968334344849f7e71d422d2df
.data 0x4000 0x830 0x600 4.82 c39b41a3590933225abc2b9adffaab11
.rsrc 0x5000 0xfa8 0x1000 4.50 695f8e496fa43ec890b786847c7f2475
.reloc 0x6000 0x254 0x400 4.26 2014c200c2bf59f298b9c10f08681f49

( 5 imports )
> user32.dll: LoadIconA, PostQuitMessage, RegisterClassExA, LoadCursorA, SetWindowPos, SetWindowTextA, TranslateAcceleratorA, TranslateMessage, LoadAcceleratorsA, SetTimer, KillTimer, GetMessageA, EndPaint, DispatchMessageA, DefWindowProcA, CreateWindowExA, BeginPaint, wsprintfA
> kernel32.dll: lstrcpynA, WritePrivateProfileStructA, WaitForSingleObject, TerminateProcess, RtlZeroMemory, LoadLibraryA, GetVersionExA, GetTempPathA, GetTempFileNameA, GetProcAddress, GetModuleFileNameW, ClearCommError, CloseHandle, CopyFileExA, CopyFileExW, CreateThread, DefineDosDeviceA, DeleteFileA, ExitProcess, GetLastError, GetLongPathNameA, GetModuleFileNameA
> msvcrt.dll: fscanf, strlen, strcpy, strcmp, strcat, fwrite, fseek, fread, fopen, fclose, atoi, _strlwr, _wfopen
> shlwapi.dll: PathFileExistsA, StrStrA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegOpenKeyA, RegDeleteKeyA, RegCreateKeyA, RegCloseKey

( 6 exports )
aab, aal, allert2, fgllert, qoad, windows
Prevx info: http://info.prevx.com/aboutprogramtext.asp...5E61A008657BFDE

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 07 October 2008 - 05:53 PM

HI Hayley

C:\WINDOWS\system32\oanlvs.dll

Symantec 10 2008.10.06 Trojan.Fakeavalert

Symantec finds it ... you have Symantec AntiVirus, so download & install the latest definitions for your AntiVirus, then run a scan with it ... it should find this file, & any "friends" the file may have, & delete them ... let me know ?

steam

#11 Hayley J.

Hayley J.
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:18 PM

Posted 07 October 2008 - 08:01 PM

The scan said it quarantined 6 IEDefender risks (which looked similar to files found in SmitfraudFix, so maybe not actual problem files...) and 2 counts of things deleted from oanlvs.dll (Trojan.Fakeavalert). What should I do next?

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 08 October 2008 - 02:20 PM

HI Hayley

That sounds promising, & that may be the last of the malware :thumbsup:

I'd like to see exactly what was found and quarantined ...

Can you post the Symantec AntiVirus log for me ?

This may help :-

https://kb.berkeley.edu/jivekb/entry.jspa?externalID=2595

It will save as a .csv file ... but you will not be allowed to upload it as that, so you will have to zip it first (you can upload a zip file) ... here's how :-

http://www.bleepingcomputer.com/forums/t/141528/bleeping-computer-attachments-to-a-post/

Not much help from the networking forum yet then ... we already knew it was an internal IP address, & it's got nothing to do with the zlob Trojan we are removing ...

Any chance you could run an ipconfig /all on your flat-mates' computers ?

in the bottom section :-

Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100 this is your internal IP... I wonder what theirs are ?
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

steam

#13 Hayley J.

Hayley J.
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:18 PM

Posted 08 October 2008 - 03:56 PM

I have attached the csv file from Symantec in the zip archive, and I will let you know once I have done an ip config on my roommates' computers. Thanks!

Attached Files

  • Attached File  zlob.zip   752bytes   25 downloads


#14 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:02:18 AM

Posted 08 October 2008 - 04:26 PM

HI Hayley

The IEDefender are & were no problem, they were part of the fixes being used ...

However the oanlvs.dll is said to be deleted, but I'm not so sure ...

Its original location is C:\WINDOWS\system32\oanlvs.dll & after being deleted it is shown as current location C:\WINDOWS\system32\oanlvs.dll ....

can you have a look in your system32 folder & see if you can see the file ?

steam
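Two steps in this thread come down to the same check: post #9 gives the MD5, SHA1, SHA256 and size that VirusTotal reported for oanlvs.dll, and post #14 asks whether the file is still present in system32 after Symantec claimed to delete it. The script below is an added example (not code from the thread, from steamwiz, or from the SmitfraudFix/VirusTotal tools) that answers both questions at once: it reports whether the path exists and, if so, whether its digests and size match the hashes posted above, so "deleted" can be verified rather than trusted. The file name and the hashes come from the thread; the sample content in `demo()` is a constructed placeholder, not the real DLL.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators for oanlvs.dll exactly as VirusTotal reported them in post #9 of this thread.
KNOWN_BAD = {
    "md5": "afb390569432f594fd3a2e71b6c50c12",
    "sha1": "62ab9477465eea86cb26ee53cafe569a9925cd59",
    "sha256": "d792c24df3362e2383dabbe83ef502b411f77a3f756ed12095d11e254bba41b9",
}
KNOWN_SIZE = 15360  # bytes, from the same report

# The location steamwiz asked to be checked in post #14.
SUSPECT_PATH = Path(r"C:\WINDOWS\system32\oanlvs.dll")

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return md5/sha1/sha256 hex digests of an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path):
    """Return (digests, size) for a file, reading it in chunks so large files are fine."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}, size


def check_file(path, known=KNOWN_BAD, known_size=KNOWN_SIZE):
    """Classify a path against the known indicators.

    Returns (verdict, details) where verdict is one of:
      'absent'   - nothing at that path (what a successful deletion should look like)
      'match'    - file present and all three digests equal the known-bad hashes
      'no-match' - file present but its content differs from the reported sample
    A size mismatch alone is not a verdict; it is reported in details for context.
    """
    p = Path(path)
    if not p.is_file():
        return "absent", {}
    digests, size = hash_file(p)
    is_match = all(digests[name] == value.lower() for name, value in known.items())
    details = {"size": size, "size_matches": size == known_size, **digests}
    return ("match" if is_match else "no-match"), details


def demo():
    """Constructed demonstration: a harmless placeholder file with the suspect's
    name (so it should come back 'no-match'), plus a path that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "oanlvs.dll"
        sample.write_bytes(b"MZ" + b"\x00" * 14)  # 16 bytes, not the real DLL
        present = check_file(sample)
        missing = check_file(Path(tmp) / "does-not-exist.dll")
    return present, missing


if __name__ == "__main__":
    # On the affected XP machine this is the check post #14 asks for;
    # anywhere else it simply reports 'absent'.
    print("system32 check:", check_file(SUSPECT_PATH))
    print("constructed demo:", demo())
```

A 'match' here means the file Symantec reported as deleted is still on disk byte-for-byte; 'no-match' with the same name and size still deserves a fresh VirusTotal submission, since the thread shows the same family being re-dropped under the same name the next night.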

#15 Hayley J.

Hayley J.
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:18 PM

Posted 09 October 2008 - 04:28 AM

I did not see the file, but unfortunately, while I was asleep, Symantec popped up and said it had deleted another file related to the Trojan.Fakeavalert. I have attached the log.



