Maybe Picked Up A Trojan

15 replies to this topic

#1 slave

slave

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Location:Valparaiso, IN
  • Local time:05:00 AM

Posted 30 June 2007 - 12:29 PM

Hi, I think I may have picked up a Trojan virus (TROJ_ZLOB.BHO). Our antivirus program is not picking up viruses now, but we keep getting a constant error message when we try to go to various websites. The error message reads: The instruction at "0x4369b59f" referenced memory at "0x000000e0". The memory could not be "read". The error message gives the options "OK" or "Cancel". When you click on either you lose the whole page and return to the desktop.

We have tried calling tech support with our internet provider and they could not help us. They said our internet connection was strong and that the problem was with Internet Explorer. The technician even uninstalled and reinstalled Internet Explorer and the problem still exists. My wife also went to the Internet Explorer website and uninstalled and reinstalled Internet Explorer herself and we still have the problem. We then went to Microsoft.com and downloaded and installed all the updates for our computer.

My wife found a way around the error messages but it is a pain. She found that she could copy the address through "copy and paste" (before the error message came up) and pasted into "run", found in the start menu. When going this route you could get through to the website. Once she was in the website when she clicked on any links she would get the error message again and have to go through the whole routine again.

We have tried to go into Windows Task Manager to find the virus and delete it but we could not find anything. We also searched for the virus through search files and folders in the start menu and could not find it. Is it possible that using our Trend scan and activating it to remove the virus did so, but it left behind damage to Internet Explorer and/or restarted in the background?

Side note: When sending a test email to ourselves with the words "virus removal tools" the error message would come up, but not when virus related words were not used. We also had problems getting into Microsoft.com to get updates. We had to do the "run" route described above in order to get in. Found tears wouldn't work either lol.

Some important information:
Operating system: Windows XP with SP2 (unit has been set for Microsoft automatic updates)
Internet: Verizon DSL 256K (new to DSL, but the problem started before this when we had dial-up)
Antivirus program: Trend Micro PC-cillin Internet Security 2007
CPU: Intel Pentium 4
Memory: 1.0 GB SDRAM
Web browser: Internet Explorer 7

#2 oldf@rt

oldf@rt

  • Members
  • 2,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Avondale, Arizona USA
  • Local time:03:00 AM

Posted 30 June 2007 - 12:40 PM

Hi, {slave}, I am Oldf@rt, and I will attempt to help you with your problem. Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Please remember that I am still a trainee, and I may ask you to post a HijackThis log. If that turns out to be the case, I will provide complete instructions.

OF
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 slave

slave
  • Topic Starter

Posted 30 June 2007 - 03:52 PM

Hi, Oldf@rt,
Okay, we did everything your instructions said and it seems we still have the problem. Below is a copy of the report you requested. What do we do now? Could the damage done by the viruses still be there, and if so, what should we do to fix it? I could only open the report through Excel, but it looks like everything is there that was on the Dr.Web program. Thanks for your help.
slave

The Dr. Web scan report

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
Process.exe;C:\Program Files\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Program Files\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
A0083402.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1783;Trojan.Popuper;Deleted.;
A0083416.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1783;Trojan.Popuper;Deleted.;
A0083465.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1784;Trojan.Popuper;Deleted.;
A0083485.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1784;Trojan.Popuper;Deleted.;
A0083566.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1785;Trojan.Popuper;Deleted.;
A0083580.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1785;Trojan.Popuper;Deleted.;
A0083686.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786;Trojan.Popuper;Deleted.;
A0083725.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786;Trojan.Popuper;Deleted.;
A0083750.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786;Trojan.Popuper;Deleted.;
A0083777.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786;Trojan.Popuper;Deleted.;
A0083804.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786;Trojan.Popuper;Deleted.;
A0083829.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786;Trojan.Popuper;Deleted.;
A0083860.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Trojan.Popuper;Deleted.;
A0083885.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Trojan.Popuper;Deleted.;
A0083898.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Trojan.Popuper;Deleted.;
A0083912.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Trojan.Popuper;Deleted.;
A0083925.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Trojan.Popuper;Deleted.;
A0083941.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Trojan.Popuper;Deleted.;
A0083948.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Tool.Prockill;Incurable.Moved.;
A0085006.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1788;Tool.Prockill;Incurable.Moved.;
A0085008.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1788;Tool.ShutDown.11;Incurable.Moved.;
mscpdrv.exe;C:\WINDOWS\system32\Win Types;BackDoor.Assassin.20;Deleted.;
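As an added triage aid (my own example, not from the post or from Dr.Web), this Python script parses a report in the semicolon-separated layout above and sorts the records into System Restore copies, Tool.* riskware verdicts, and files found in live system directories; the sample records are a constructed subset of the log, and the bucket rules are an assumption of mine, not anything Dr.Web itself does.

```python
"""Triage helper for a Dr.Web CureIt report like the one pasted above.

Dr.Web writes one record per line:  name;directory;detection;action;
The sample below is constructed from entries in the post so the script
runs offline; the classification rules are my own, not part of Dr.Web.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the records from the post above.
SAMPLE_REPORT = r"""
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
Process.exe;C:\Program Files\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
A0083402.dll;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1783;Trojan.Popuper;Deleted.;
A0083948.exe;C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787;Tool.Prockill;Incurable.Moved.;
mscpdrv.exe;C:\WINDOWS\system32\Win Types;BackDoor.Assassin.20;Deleted.;
"""

# Directory fragment that marks a System Restore snapshot (matched case-insensitively).
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass(frozen=True)
class Finding:
    name: str
    directory: str
    detection: str
    action: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_report(text: str) -> List[Finding]:
    """Parse the semicolon-separated Dr.Web records, skipping blank lines."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError(f"unexpected Dr.Web record: {raw!r}")
        findings.append(Finding(*fields))
    return findings


def classify(finding: Finding) -> str:
    """Bucket a finding by how much follow-up it needs (assumed rules).

    restore-point: an old copy inside a System Restore snapshot. It was not
                   running; it only matters if the user rolls back to it.
    tool:          a 'Tool.*' riskware verdict (process killers, shutdown
                   utilities). In this log those are the SmitfraudFix helper
                   files and an OEM tool, so they are expected, not hostile.
    live:          anything else in a normal Windows or program directory; a
                   backdoor verdict here means malware really was on disk
                   where it could run, so the machine needs a deeper look.
    """
    directory = finding.directory.lower()
    if RESTORE_MARKER in directory:
        return "restore-point"
    if finding.detection.startswith("Tool."):
        return "tool"
    return "live"


def triage(text: str) -> Dict[str, List[Finding]]:
    """Group every record in the report by classify()."""
    buckets: Dict[str, List[Finding]] = {"live": [], "tool": [], "restore-point": []}
    for finding in parse_report(text):
        buckets[classify(finding)].append(finding)
    return buckets


def live_paths(text: str) -> List[str]:
    """Full paths of findings that sat in live system directories."""
    return [f.path for f in triage(text)["live"]]


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.path}  [{f.detection}] -> {f.action}")
```

On the sample, only the BackDoor entry under system32 lands in the "live" bucket, which is the one that justifies the helper's decision to keep scanning rather than call the machine clean.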

#4 oldf@rt

Posted 30 June 2007 - 04:49 PM

Please restart the computer in safe mode with networking. Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
If you are unable to run this scan please let us know.

OF

#5 slave

Posted 30 June 2007 - 06:30 PM

Hi,
I ran the BitDefender scan; below are the results. The problem still exists. All help is greatly appreciated.

slave



Bitdefender scan report

BitDefender Online Scanner
Scan report generated at: Sat, Jun 30, 2007 - 18:06:07
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;

Statistics
Time: 00:56:49
Files: 316848
Folders: 9469
Boot Sectors: 3
Archives: 15447
Packed Files: 16627

Results
Identified Viruses: 10
Infected Files: 44
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 67

Engines Info
Virus Definitions: 636101
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes


Scanned File / Status

C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\D9.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\DA.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\DB.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\DC.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\DD.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\DE.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\DF.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E0.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E1.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E2.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E3.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E4.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E5.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E6.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E7.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E8.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\E9.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\EA.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Agent.BKD; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\EC.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Zlob.BOR; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\ED.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Zlob.BNG; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\EE.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Small.CX; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\EF.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Zlob.AZC; Disinfection failed; Deleted
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\F0.tmp=>(Quarantine-4): Infected with: Trojan.Downloader.Zlob.AZM; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1783\A0083403.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1783\A0083418.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1784\A0083466.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1784\A0083486.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1785\A0083567.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1785\A0083582.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786\A0083687.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786\A0083727.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786\A0083751.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786\A0083778.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786\A0083806.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1786\A0083830.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083861.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083887.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083900.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083913.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083926.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083939.exe: Infected with: Trojan.Downloader.Zlob.BFJ; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083942.exe: Infected with: Trojan.Downloader.Zlob.ABW; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083947.exe=>(NSIS o)=>lzma_solid_nsis0000: Infected with: Trojan.Downloader.Zlob.ZUT; Disinfection failed; Deleted
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1787\A0083947.exe=>(NSIS o): Update failed
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP1832\A0091289.exe: Infected with: Backdoor.Assasin.2.0.A; Disinfection failed; Deleted

#6 oldf@rt

Posted 30 June 2007 - 07:07 PM

Thanks for the quick work, I would like you to try this: Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If this does not fix your problem I will ask you to post the Hijack this log. I will provide instructions once you have completed the SAS procedure. Please let us know the results.

OF

#7 slave

Posted 30 June 2007 - 09:53 PM

Okay, it still didn't work. I again went into a website (wheeloffortune.com) to test it out and it still did the same thing with the error message. Also on every website I went to download these scans I had to go in through "run" in the start menu. You have seen all the logs I have done, does it look like we are severely infected and if so can it possibly be cleared up? This is really frustrating. Again any help is appreciated. I don't really understand the hijacking log thing so if you could please explain that to me it would help. Below is the log of the SuperantiSpyware scan.

slave


SuperantiSpyware scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/30/2007 at 09:32 PM

Application Version : 3.9.1008

Core Rules Database Version : 3263
Trace Rules Database Version: 1274

Scan type : Complete Scan
Total Scan Time : 01:47:52

Memory items scanned : 575
Memory threats detected : 0
Registry items scanned : 7117
Registry threats detected : 6
File items scanned : 119505
File threats detected : 15

#8 oldf@rt

Posted 30 June 2007 - 11:45 PM

Let's get you to the HijackThis log: We have a dedicated team of malware experts here at BleepingComputer; I am still training to become one.

Go to this forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/. This is where you post the log.

This is the link to get HijackThis: http://download.bleepingcomputer.com/Merij...ackthis_sfx.exe

Here is the link to the Preparation Guide for use before posting a HijackThis Log. Most of the steps you have already accomplished. Please skip to step #9. Read the rest of the instructions, and use my previous link.

Edited by oldf@rt, 30 June 2007 - 11:48 PM.


#9 oldf@rt

Posted 30 June 2007 - 11:50 PM

On a side note, see if you can download and install Firefox,

here: http://www.mozilla.com/products/download.h...&lang=en-US

#10 slave

  • Topic Starter
  • Members
  • 18 posts
  • Location:Valparaiso, IN

Posted 01 July 2007 - 11:26 AM

Hi Oldf@rt,
Just a note to let you know that we followed all your instructions for HijackThis and posted it in the HijackThis Logs and Analysis forum. As far as the Firefox download, we downloaded that a few years ago and it greatly screwed up our computer, and we had to have a technician come and fix our computer and take it out. He told us it was Firefox that did it. So we are really hesitant about downloading that program.
I have been disabled since 1989, and with an 8 year old and the wife going to college (starting at Valparaiso (IN) for her Master's this fall) we just cannot afford to have a tech help us.
The words "Thank you" are totally insignificant, but I have to say them anyway: Thank You! You have been a great help. Hopefully the HijackThis forum will be able to help. This made us more aware of our Trend Micro settings and we have adjusted them (Wife {Master} has had to do all of this, as I am a real dinosaur when it comes to computers lol).

slave

#11 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 01 July 2007 - 12:37 PM

Right now the browser that I am using is FF 2.0.0.4, with no problems. If you had problems earlier with FF, it may have been an earlier beta version. As a tech (A+, MCP) I will say that I have yet to see any computer messed up by Firefox.

#12 slave

  • Topic Starter
  • Members
  • 18 posts
  • Location:Valparaiso, IN

Posted 01 July 2007 - 02:40 PM

Thanks for the information, but we have a question. If we download and install Firefox, do we need to uninstall Internet Explorer, or can we use either one when we want? Also, do we set FF as the default browser, and if so, how?
Again, thanks
slave

#13 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 01 July 2007 - 02:46 PM

If you download and install Firefox, you can still continue to use Internet Explorer. Firefox will ask if you want it to be the default browser when you initially run the setup.

Since you have posted the HijackThis log, please do not make any further changes to your computer; this may delay or hinder your HJT team member's fixes.

#14 slave

  • Topic Starter
  • Members
  • 18 posts
  • Location:Valparaiso, IN

Posted 01 July 2007 - 06:03 PM

Hi, I think we may have fixed the problem. While waiting for a response in the HijackThis log, we were reading more in our Windows XP book, and it was talking about removing programs you no longer need from your computer to free up space. So I did just that, and after I was finished I tried the websites that were not working, and suddenly they worked without the error message. Some of the programs that I removed through "Add/Remove Programs" were games downloaded from egames. I don't know if that was what it was or not, but it seemed to work. I hope I don't have any more problems, but I want to personally thank you for all the help you have given us. The scans did pick out stuff that should not have been in our computer. If I have any more problems we will definitely let you know. I would have posted this to the HijackThis log post, but no one seems to be responding. I wanted to at least let you know that we think the problem is resolved and for now our computer is working smoothly. Thanks a whole bunch. The "slave and master" is a joke that I heard about years ago; we are actually a very loving couple.
slave

#15 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 01 July 2007 - 07:32 PM

I would still recommend that you let one of the HijackThis team check the log. As you know, they are quite busy, and try to help as quickly as they can. From the scans that I recommended, I saw quite a load of junque that was removed; I would still like for you to be sure that your computer is completely clean.

BTW, my wife refers to me the same way.