Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Tenacious piece of malware - trojan. AV can't kill it. dds, attach and hijackthis.log attached

  • This topic is locked This topic is locked
4 replies to this topic

#1 hjwp


  • Members
  • 4 posts
  • Local time:07:26 PM

Posted 07 May 2009 - 03:24 PM

(updated fri 8th may)

trying to help a friend with a virus on his PC. sure looks like he's got one... tried a few antivirus programs, avira seems the most successful at detecting it. It calls the virus TR/Crypt.ZPACK.Gen Trojan or TR/Alureon.BK , but seems unable to delete the files it resides in - running the scan again finds the same virus.

I have run the DDS script as instructed, report pasted below and attach file attached. I also attach the hijackthis report, in case it's of any use.

virus is causing the occasional blue screen. it also seems to intercept requests to browse the c: drive and send them to a .com file with a long garbage name in c:\recycler... It seems to live in a few .tmp files in the root of c: - and a bunch of other places too.

thanks in advance for your help. what wonderful guys and gals you are!


since I wrote this post I have managed to remove couple of viruses detected by the trend online scanning tool. However, I suspect there is still something left as I've been having trouble getting spybod s&d to install properly.... perhaps it's just paranoia at this stage??

updated DDS below. updated attach & hijackthis attachments also, with _new.

DDS (Ver_09-03-16.01) - NTFSx86
Run by lorelun at 18.12.28,32 on 08/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2047.1365 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Programmi\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Programmi\ASUS\EPU-4 Engine\FourEngine.exe
C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\DAEMON Tools Lite\daemon.exe
C:\Programmi\Spybot - Search & Destroy\SDFiles.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\lorelun\Desktop\dds.scr
C:\Documents and Settings\lorelun\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://it.home.jzip.com/search?fr=i3752
uSearch Page = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/sp/*http://it.yahoo.com
uSearch Bar = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/sb/*http://it.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\programmi\winamp toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\programmi\spybot - search & destroy\SDHelper.dll
BHO: jZip Webmail plugin: {647fd14a-c4f1-46f4-8fc3-0b40f54226f7} - c:\programmi\jzip\WebmailPlugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\programmi\daemon tools toolbar\DTToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\programmi\winamp toolbar\winamptb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\programmi\daemon tools lite\daemon.exe" -autorun
uRun: [SpybotSD TeaTimer] c:\programmi\spybot - search & destroy\TeaTimer.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Six Engine] "c:\programmi\asus\epu-4 engine\FourEngine.exe" -r
mRun: [TrueImageMonitor.exe] c:\programmi\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\programmi\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\programmi\file comuni\acronis\schedule2\schedhlp.exe"
mRun: [WinampAgent] c:\programmi\winamp\winampa.exe
mRun: [avgnt] "c:\programmi\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Winamp Search - c:\documents and settings\all users\dati applicazioni\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programmi\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\programmi\spybot - search & destroy\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: NameServer =,
TCP: {89131D2F-8224-4275-8B03-53C2F22931FD} =,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lorelun\datiap~1\mozilla\firefox\profiles\6m4u8hlc.default\
FF - component: c:\documents and settings\lorelun\dati applicazioni\mozilla\firefox\profiles\6m4u8hlc.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

============= SERVICES / DRIVERS ===============

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2009-3-27 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [2009-3-27 971552]
R1 avgio;avgio;c:\programmi\avira\antivir desktop\avgio.sys [2009-5-8 11608]
R2 AntiVirScheduler;Avira AntiVir Scheduler;c:\programmi\avira\antivir desktop\sched.exe [2009-5-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programmi\avira\antivir desktop\avguard.exe [2009-5-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-8 55640]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-3-27 603904]

=============== Created Last 30 ================

2009-05-08 17:18 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-08 16:58 <DIR> --d----- c:\programmi\Spybot - Search & Destroy
2009-05-08 16:58 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\Spybot - Search & Destroy
2009-05-08 01:05 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-08 01:05 <DIR> --d----- c:\programmi\Avira
2009-05-08 01:05 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\Avira
2009-05-07 19:00 <DIR> --d----- c:\documents and settings\lorelun\.housecall6.6
2009-05-07 16:50 0 a------- c:\windows\system32\commonpriv.log.lock
2009-05-07 00:52 <DIR> --d----- c:\programmi\AVG
2009-05-07 00:52 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\avg8
2009-05-06 11:35 121 a------- c:\windows\bdagent.INI
2009-05-06 11:32 81,984 a------- c:\windows\system32\bdod.bin
2009-05-06 11:31 <DIR> --d----- c:\programmi\BitDefender
2009-05-06 10:42 <DIR> --d----- c:\programmi\Winamp Toolbar
2009-05-06 10:42 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\Winamp Toolbar
2009-05-06 10:42 <DIR> --d----- c:\windows\RegisteredPackages
2009-04-15 15:05 <DIR> --d----- c:\docume~1\alluse~1\datiap~1\Blizzard
2009-04-15 13:41 <DIR> --d----- c:\programmi\file comuni\Blizzard Entertainment
2009-04-11 02:42 805,400 a----r-- c:\windows\system32\tmp42B8.tmp

==================== Find3M ====================

2009-03-29 17:03 345,382 a------- c:\windows\system32\perfh010.dat
2009-03-29 17:03 47,814 a------- c:\windows\system32\perfc010.dat
2009-03-27 23:20 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-03-27 23:20 362,240 a------- c:\windows\system32\TuneUpDefragService.exe
2009-03-27 21:33 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-03-27 21:33 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-03-27 21:12 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-03-27 20:50 971,552 a------- c:\windows\system32\drivers\tdrpm174.sys
2009-03-27 20:50 540,000 a------- c:\windows\system32\drivers\timntr.sys
2009-03-27 20:50 44,704 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-03-27 20:50 134,272 a------- c:\windows\system32\drivers\snman380.sys
2009-03-25 20:51 20,747 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-25 01:04 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-24 23:41 2,678 a------- c:\windows\java\packages\data\OPNV3V17.DAT
2009-03-24 23:41 558,142 a------- c:\windows\java\packages\LZTFRZBT.ZIP
2009-03-24 23:41 2,678 a------- c:\windows\java\packages\data\1F1RHNZD.DAT
2009-03-24 23:41 155,995 a------- c:\windows\java\packages\FX7RVXZ1.ZIP
2009-03-24 23:41 2,678 a------- c:\windows\java\packages\data\V9F5VN13.DAT
2009-03-24 23:41 2,678 a------- c:\windows\java\packages\data\FTBLNZ93.DAT
2009-03-24 23:41 2,678 a------- c:\windows\java\packages\data\DVZHJLNR.DAT
2009-03-24 23:39 21,840 a------- c:\windows\system32\emptyregdb.dat
2009-02-09 16:56 1,846,272 a------- c:\windows\system32\win32k.sys

============= FINISH: 18.12.33,87 ===============

Attached Files

Edited by hjwp, 08 May 2009 - 11:17 AM.

BC AdBot (Login to Remove)


#2 hjwp

  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:26 PM

Posted 08 May 2009 - 12:14 PM

Can confirm there's definitely some kind of virus - the symantec online scanner found something:

F:\Laurentiu\install_bsplayer228.964clip.exe.exe is infected with Trojan.Zlob
C:\Documents and Settings\lorelun\Impostazioni locali\Temp\tmp14.tmp is infected with Backdoor.Tidserv
C:\Documents and Settings\lorelun\Impostazioni locali\Temp\tmp16.tmp is infected with Backdoor.Tidserv
C:\Documents and Settings\lorelun\Impostazioni locali\Temp\tmp18.tmp is infected with Backdoor.Tidserv
C:\Documents and Settings\lorelun\Impostazioni locali\Temp\tmp1A.tmp is infected with Backdoor.Tidserv
C:\Documents and Settings\lorelun\Impostazioni locali\Temp\tmp4.tmp is infected with Backdoor.Tidserv
C:\Documents and Settings\lorelun\Impostazioni locali\Temp\tmpBD7.tmp is infected with Backdoor.Tidserv

I deleted all these files. the windows live scanner also said it had detected and deleted some viruses, but wouldnt let me cut & paste the details... they seemed to be trojans - maybe a name like 'alureon'??

#3 hjwp

  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:26 PM

Posted 08 May 2009 - 12:16 PM

PS our man is quite far behind on his windows updates, but I hesitated to download and install them, given the existing infected status. should i install the windows updates anyways?
Hello hjwp,

Given some of what I see there, I'd suggest disconnecting the computer from the internet and from other computers at this point. Please note: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 08 May 2009 - 09:55 PM.

#4 hjwp

  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:26 PM

Posted 19 May 2009 - 03:01 AM

In the end we decided to reinstall windows (upgrade to windows 7 actually). I left the d: drive in place and reinstalled windows on the c: partition. I've since run a couple of different antiviruses on the d: drive and found nothing, so I'm pretty confident that it's killed it. Now running the Kaspersky beta as an AV.

Thanks Orange Blossom for your reply. Thanks to all those involved in the site for their excellent charitable work, even if I have jumped the gun before anyone was able to get stuck into the problem.

Im happy for the topic to be closed (don't think I can do it myself?). Alternatively, if anyone wants to write a quick post expressing any concerns that the infection may not have been completely cleaned, then that would be welcomed - but no urgency I guess.

#5 KoanYorel


    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:01:26 PM

Posted 19 May 2009 - 10:34 AM

Thanks for informing us.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users