
Win32:Zlob-BN & Win32:Trojano-CL

Discussion in 'Virus & Other Malware Removal' started by clickclick, May 19, 2006.

Thread Status:
Not open for further replies.
  1. clickclick

    clickclick Thread Starter

    Joined:
    May 19, 2006
    Messages:
    4
    Hi,
    After having downloaded, what was supposed to be a codec for Windows Media Player, I
    started to get warnings from Avast!
    There's a partial log from Avast:

    18-05-2006 13:49:03 SYSTEM 1124 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ld4393.tmp\[Upack]" file.
    18-05-2006 17:30:40 SYSTEM 1124 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld288D.tmp\[UPX]" file.
    18-05-2006 22:55:47 SYSTEM 1124 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldCD54.tmp\[Upack]" file.
    18-05-2006 22:55:59 SYSTEM 1124 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld220.tmp\[UPX]" file.
    18-05-2006 23:21:05 SYSTEM 1124 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldFBB7.tmp\[Upack]" file.
    18-05-2006 23:21:11 SYSTEM 1124 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld127B.tmp\[UPX]" file.
    18-05-2006 23:46:17 SYSTEM 1124 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldED2.tmp\[Upack]" file.
    18-05-2006 23:46:23 SYSTEM 1124 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld2529.tmp\[UPX]" file.
    19-05-2006 10:43:33 SYSTEM 1712 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldBC0F.tmp\[Upack]" file.
    19-05-2006 10:43:38 SYSTEM 1712 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ldD024.tmp\[UPX]" file.
    19-05-2006 11:08:51 SYSTEM 1712 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldE3DB.tmp\[Upack]" file.
    19-05-2006 11:46:17 SYSTEM 1712 Sign of "Win32:Zlob-BM [Trj]" has been found in "C:\WINDOWS\System32\atmclk.exe\[Upack]" file.
    19-05-2006 11:46:24 SYSTEM 1712 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld2BFA.tmp\[UPX]" file.
    19-05-2006 12:11:32 SYSTEM 1712 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ld48BA.tmp\[Upack]" file.
    19-05-2006 12:11:41 SYSTEM 1712 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld6A0D.tmp\[UPX]" file.
    19-05-2006 12:36:46 SYSTEM 1712 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ld61EF.tmp\[Upack]" file.
    19-05-2006 13:26:13 SYSTEM 1712 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ldAA38.tmp\[UPX]" file.

    I tried to use Avast to get rid of those Trojans but was clearly unsuccessful.

    There's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 13:43:12, on 19-05-2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\TCAUDIAG.exe
    C:\WINDOWS\Anvshell.exe
    C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\System32\vmnat.exe
    C:\WINDOWS\System32\vmnetdhcp.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\program files\voipbuster.com\voipbuster\voipbuster.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Printsaver\Printsaverdemo.exe
    C:\WINDOWS\System32\mdm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clix.pt/index2.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
    O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [VoipBuster] "C:\program files\voipbuster.com\voipbuster\voipbuster.exe" -nosplash -minimized
    O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Printsaver (screen copy and print software).LNK = C:\Program Files\Printsaver\Printsaverdemo.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
    O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe

    Please help!

    There's another problem which, I think, is unrelated to this situation. I am currently using Mozilla Firefox because Internet Explorer started to permanently issue runtime errors such as "Line: 261 Error: Expected ';' Do you wish to Debug Yes/No".
    What can I do?

    Thanks in advance!
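The avast! lines above are the raw material a helper reads before choosing a fix tool. As an added example (not code from the thread, from avast! or from SmitfraudFix), here is a small Python parser for that line format: it groups hits by signature, recognises the System32\1024\ld????.tmp drop pattern that SmitfraudFix later reported, and measures how regularly the hits recur, which tells a parent that keeps re-dropping files apart from a single leftover sample. My reading of the line format and the hex-name regex standing in for the `ld????.tmp` glob are assumptions; the sample lines are copied from the post.

```python
"""Triage of avast! on-access log lines like those pasted in this thread.

Added example (not from the thread, avast! or SmitfraudFix): group hits by signature,
flag the System32\\1024\\ld????.tmp drop pattern and measure how regularly hits recur."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# My reading of the line format: <DD-MM-YYYY HH:MM:SS> <account> <pid> Sign of "<sig>" has been found in "<path>\[<packer>]" file.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in '
    r'"(?P<path>.+?)(?:\\\[(?P<packer>[^\]]+)\])?" file\.$'
)

# Indicators taken from the thread: the drop directory SmitfraudFix listed, and a regex
# (my approximation) of its "ld????.tmp" glob for the random-named temp files.
DROP_DIR = r"c:\windows\system32\1024"
TEMP_NAME_RE = re.compile(r"^ld[0-9a-f]{1,4}\.tmp$", re.IGNORECASE)


def parse_line(line: str) -> "dict | None":
    """Return one detection as a dict, or None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%m-%Y %H:%M:%S")
    rec["pid"] = int(rec["pid"])
    return rec


def parse_log(text: str) -> list:
    """Parse a pasted log; blank lines and unrelated text are skipped, not an error."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def is_dropped_temp(path: str) -> bool:
    """True for a random-named ld*.tmp file sitting in the 1024 drop directory."""
    directory, _, name = path.lower().rpartition("\\")
    return directory == DROP_DIR and TEMP_NAME_RE.match(name) is not None


def median_gaps(events: list) -> dict:
    """Median seconds between consecutive hits per signature (only with >= 2 hits)."""
    by_sig = defaultdict(list)
    for e in events:
        by_sig[e["sig"]].append(e["ts"])
    out = {}
    for sig, stamps in by_sig.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps:
            out[sig] = statistics.median(gaps)
    return out


def triage(text: str) -> dict:
    """Summarise a pasted avast! log into the facts a helper would act on."""
    events = parse_log(text)
    dropped = [e for e in events if is_dropped_temp(e["path"])]
    files_per_sig = defaultdict(set)
    for e in dropped:
        files_per_sig[e["sig"]].add(e["path"].lower())
    return {
        "hits_by_signature": Counter(e["sig"] for e in events),
        "packers": Counter(e["packer"] for e in events if e["packer"]),
        "drop_dir_hits": len(dropped),
        "distinct_dropped_files": len({e["path"].lower() for e in dropped}),
        # One signature on several freshly named files means something on the box keeps
        # writing them: quarantining the samples alone will not end it, the parent must go.
        "redrop_suspected": any(len(s) >= 2 for s in files_per_sig.values()),
        "other_paths": sorted({e["path"] for e in events if not is_dropped_temp(e["path"])}),
        "median_gap_seconds": median_gaps(events),
    }


# Seven lines copied from the first post of this thread (the rest follow the same shape).
SAMPLE_LOG = r"""
18-05-2006 22:55:47 SYSTEM 1124 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldCD54.tmp\[Upack]" file.
18-05-2006 22:55:59 SYSTEM 1124 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld220.tmp\[UPX]" file.
18-05-2006 23:21:05 SYSTEM 1124 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldFBB7.tmp\[Upack]" file.
18-05-2006 23:21:11 SYSTEM 1124 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld127B.tmp\[UPX]" file.
18-05-2006 23:46:17 SYSTEM 1124 Sign of "Win32:Zlob-BN [Trj]" has been found in "C:\WINDOWS\System32\1024\ldED2.tmp\[Upack]" file.
19-05-2006 11:46:17 SYSTEM 1712 Sign of "Win32:Zlob-BM [Trj]" has been found in "C:\WINDOWS\System32\atmclk.exe\[Upack]" file.
19-05-2006 11:46:24 SYSTEM 1712 Sign of "Win32:Trojano-CL [Trj]" has been found in "C:\WINDOWS\System32\1024\ld2BFA.tmp\[UPX]" file.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the roughly 25-minute spacing of the Zlob-BN hits and the six different temp file names behind one signature are what point at a still-running dropper rather than a stale file, which is why the fix below goes after the parent and its run keys.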
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. clickclick

    clickclick Thread Starter

    Joined:
    May 19, 2006
    Messages:
    4
    Hi khazars,

    Thank you for your help.
    I proceeded as you suggested. Here are the contents of rapport.txt created by SmitfraudFix.

    SmitFraudFix v2.45

    Scan done at 20:05:54,15, 19-05-2006
    Run from C:\Documents and Settings\Paulo\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Paulo\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Paulo\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  4. twistdtransistor

    twistdtransistor

    Joined:
    May 21, 2006
    Messages:
    1
    I have the same problem as mentioned above. I followed the instructions given to the other user, and this is the info I have:

    SmitFraudFix v2.45

    Scan done at 21:16:40.69, Sun 05/21/2006
    Run from D:\Documents and Settings\Tim\My Documents\My Downloads\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» D:\


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32

    D:\WINDOWS\system32\ld????.tmp FOUND !
    D:\WINDOWS\system32\ot.ico FOUND !
    D:\WINDOWS\system32\regperf.exe FOUND !
    D:\WINDOWS\system32\stdole3.tlb FOUND !
    D:\WINDOWS\system32\ts.ico FOUND !
    D:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» D:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Tim\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\Tim\FAVORI~1

    D:\DOCUME~1\Tim\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files

    D:\Program Files\Security Toolbar\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  5. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    Twisted T, can you start your own thread?

    You do have smitfraud so run the second part to clean it off. It's best you start your own thread as dealing with two posters at the same time can cause confusion and you can get overlooked!



    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.
     
  6. clickclick

    clickclick Thread Starter

    Joined:
    May 19, 2006
    Messages:
    4
    Hi Khazars,

    Thank you once again for your help.
    I have just run SmitfraudFix's option #2 in safe mode and here is the result!

    SmitFraudFix v2.45

    Scan done at 17:06:11,81, 22-05-2006
    Run from C:\Documents and Settings\Paulo\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\ld????.tmp Deleted
    C:\WINDOWS\system32\regperf.exe Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\WINDOWS\system32\1024\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End


    And now? Is it done?

    Hope to hear from you soon.

    clickclick aka Paulo (from Portugal)
     
  7. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    * Download the trial version of Ewido Security Suite here

    http://www.ewido.net/en/

    * Install ewido.
    * During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * Launch ewido
    * It will prompt you to update click the OK button and it will go to the main screen
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.




    * Click here to download ATF Cleaner by Atribune and save it to your desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    Have HijackThis fix these entries. Close all browsers and programmes before
    clicking FIX.


    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O18 - Protocol: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} - ielpview.dll (file missing)
    O18 - Protocol: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} - VFSProtocol.dll (file missing)



    * Run Ewido:

    * Click on scanner
    * Click Complete System Scan and the scan will begin.
    * During the scan it will prompt you to clean files, click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop


    Reboot to normal mode and run a few online scans!



    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, have it delete anything that it cannot clean.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!


    Post another HijackThis log, the Ewido and ActiveScan logs.
     
  8. clickclick

    clickclick Thread Starter

    Joined:
    May 19, 2006
    Messages:
    4
    OK. Two problems here.
    The first one: After the first 2 steps I was unable to reboot in safe mode! Tried twice and it eventually rebooted in normal mode (while I was having dinner). I had HijackThis fix the above mentioned entries in normal mode instead. After this, I was able to reboot in safe mode. I ran HijackThis once again and the entries were not there, so I moved on to the next step.
    After running Ewido, where about 250 infections were removed, I rebooted to normal mode and tried to run ActiveScan.
    Now the second problem: First I had to use Internet Explorer because Mozilla Firefox is apparently unsupported. Odd! Then I had to download some ActiveX controls and Avast is trying to warn me that this is a Virus and that I should abort the connection!

    What am I supposed to do? If this is to be ignored, shouldn't you mention it in your rather detailed replies?

    Please help because I am stuck half way through the download from Panda!
    I am also sending you the ewido report:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 0:27:33, 23-05-2006
    + Report-Checksum: 8E4622FA

    + Scan result:

    HKLM\SOFTWARE\AKSoft -> Adware.AkSoft : Cleaned with backup
    HKLM\SOFTWARE\AKSoft\X-Tractor -> Adware.AkSoft : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup


    ::Report End
     
Short URL to this thread: https://techguy.org/468510