#1
Bronze Member
Join Date: Jan 2006
Posts: 27
Hi, I just dealt with another recurrence of one of the hoax trojans, involving items like mssearchnet.exe and one similar or identical to nvtrl, and getting notices that my computer is infected. I cannot delete the file on my taskbar that is telling me this, and if I click on it, it loads an anti-spyware etc. site; it also installs SpyFalcon.
Anyway, somehow I managed to delete the 2 files I talked about in the beginning of the post, when normally you can't. I got this same virus before; this time it worked differently. Anyway, after the restore through safe mode I no longer have the problem, but I'm still infected: SpyFalcon is uninstalled and the 2 adware items associated with it are removed with a different scanner. Assuming I got rid of all traces of that virus, I am now left with a new one: a trojan called Win32.Zlob.is, as Kaspersky detects it. I do not believe I have the main file removed, because I have scanned 2 different times and the program still found 2 infected System Restore files of the same trojan in the same type of directories. I believe I got this trojan from a codec (virus) install. Let me explain: at an adult site, I tried to preview a sample clip, and it asked me to download a codec upgrade in order to view the file, so I did and installed it. Then the file played, but soon after closing browsers etc., that was when I got the first virus. My Kaspersky detected possible threats and trojans; I denied them all; I could not delete them, but I guess they still got through and installed. So now I'm all worked up, and I assume the trojan program is still in my system, but none of the scanners or programs I have used so far have detected anything else. Only Kaspersky has detected the infected System Restore files with the Win32.Zlob. Here is an example (deleted):

Trojan program Trojan-Downloader.Win32.Zlob.is
File: C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP251\A0074332.exe/PE_Patch/UPack

Any help, guys? Thanks. I've had a terrible 2 weeks, overcoming yet another of the same viruses and now the Zlob, and I'm just not sure if it's out of my computer or not. Other than that, the computer seems to be running well without any weird things popping up; maybe it's a bit slowed down, not sure. But I still believe I have a problem, and Kaspersky might not be detecting the right program to remove.
#2
Bronze Member
Join Date: Jan 2006
Posts: 27
Logfile of HijackThis v1.99.1
Scan saved at 7:46:45 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\runservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\PROGRA~1\MASSDO~1\MDHELPER.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edg...ex-2.0.4.4.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.jetsetpoker.com/setup.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124664470750
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...13/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
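A first triage pass over a log like the one above can be scripted. The following is an added example, not the poster's code and not part of HijackThis: it takes a constructed subset of the lines posted above, parses the R0/O2/O3/O16/O18/O23 entries, and flags the ones a helper would look at first (entries whose target file is gone, BHO DLLs not on an allow-list, ActiveX downloads from hosts outside a trusted-domain list, and services with no vendor string). The allow-list and the trusted-domain list are assumptions for illustration only, not a vetted database, and the rules are deliberately conservative: they surface lines for a human to judge rather than declare anything malicious.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the HijackThis v1.99.1 log posted above (not the whole log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.msn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.jetsetpoker.com/setup.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# Assumed allow-lists for illustration only; a real triage uses a vetted database.
KNOWN_BHO_DLLS = {"acroiehelper.dll", "ssv.dll", "mdhelper.dll"}
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com", "trendmicro.com", "dell.com")

ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def host_trusted(url, trusted=TRUSTED_DPF_DOMAINS):
    """True if the URL's host is one of the trusted domains or a subdomain of one.

    Suffix matching is anchored on a dot so that 'evilmicrosoft.com' does not
    pass as 'microsoft.com'.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(log_text):
    """Return a list of (section, reason, line) for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        # Any section: a registered component whose file no longer exists.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append((sec, "orphaned entry, target file is gone", line))
            continue
        if sec == "O2":
            b = BHO_RE.match(body)
            dll = b.group("path").rsplit("\\", 1)[-1].lower() if b else ""
            if b and dll not in KNOWN_BHO_DLLS:
                findings.append((sec, "BHO DLL not on allow-list", line))
        elif sec == "O16":
            d = DPF_RE.match(body)
            if d and not host_trusted(d.group("url")):
                findings.append((sec, "ActiveX download from untrusted host", line))
        elif sec == "O23":
            s = SVC_RE.match(body)
            if s and s.group("owner").lower() == "unknown owner":
                findings.append((sec, "service with no vendor string, verify path", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

On this sample it flags the smiehlp.dll BHO, the orphaned O3 toolbar and O18 protocol handler, the jetsetpoker.com ActiveX download and the LicCtrl service, and leaves the Acrobat BHO and the microsoft.com download alone. In the full log above the "Unknown owner" rule would also surface the ATI Smart and Kaspersky services, which is exactly why it reports "verify path" rather than a verdict.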
#3
Gold Member
Join Date: Dec 2004
Posts: 361
Run this in safe mode:
http://vil.nai.com/vil/stinger/
Have you run your anti-virus/spyware scanners in safe mode?
#5
Bronze Member
Join Date: Jan 2006
Posts: 27
Hi. If it's Stinger, it does not find anything for me; I will try. And no, I have not run the anti-virus/spyware programs in safe mode; I also think it slows them down too. And I just ran a Kaspersky scan in Windows; it never found anything. Here is a post of the Spider scan. I never deleted any files.

C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP241\A0071435.dll probably infected with MULDROP.Trojan Classified as a Possible Risk
C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP254\A0074647.exe is hacktool program Tool.Prockill Classified as a Hack tool
>>C:\WINDOWS\Downloaded Program Files\SpSubRx.exe probably infected with MULDROP.Trojan Classified as a Possible Risk
#8
Gold Member
Join Date: Jun 2005
Posts: 263
Yeah, the first two viruses will be gone with deleting the restore points.
And update your Kaspersky and run it full in safe mode. It should fix your problem.
__________________
he who laughs last must have a terrible sense of humor :eek:
#9
Bronze Member
Join Date: Jan 2006
Posts: 27
Hi, I ran the Ad-Aware SE program. I am wondering about this file; it has found it other times too, but I don't feel comfortable deleting it. And yes, after deleting restore points it got rid of the first 2; the 3rd file is safe.

Name: Windows
Category: Vulnerability
Object Type: RegData
Size: 19 Bytes
Location: regfile\shell\open\command "" ("regedit.exe" "%1")
Last Activity: 3-19-2006
Relevance: Low
TAC index: 3
Comment:
Description: General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.

And some, I guess, non-critical stuff it found (Negligible objects). Is it okay to delete these files, as they say it's not posing a threat and it's up to you to decide? Just wondering if it affects the programs in any way, or if it's just wasting space and I can remove them. Thanks.

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects: 0
Objects found so far: 1

MRU List Object Recognized!
Location: : C:\Documents and Settings\Sid\recent
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\direct3d\mostrecentapplication
Description :
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\direct3d\mostrecentapplication
Description :
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\directinput\mostrecentapplication
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\directinput\mostrecentapplication
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\internet explorer
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\internet explorer\main
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\internet explorer\typedurls
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\medialibraryui
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\player\settings
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\microsoft management console\recent file list
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\search assistant\acmru
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description :
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description :
MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\windows media\wmsdk\general
Description :
MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\winrar\dialogedithistory\extrpath
Description :

Last edited by SidneyJ; 03-19-2006 at 06:34 PM.
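The Ad-Aware entry above is the .reg file handler (HKEY_CLASSES_ROOT\regfile\shell\open\command). Scanners watch handlers like this because malware commonly rewrites them so that it gets launched whenever a file of that type is opened, so the check a practitioner actually wants is a comparison of the current handler strings against the stock ones rather than a generic "may be compromised" warning. The following is an added example, not part of the thread and not Ad-Aware's logic: it parses a constructed .reg export (the text format regedit writes from File > Export) and reports each checked handler as ok, mismatch or absent. The expected strings are what I assume a stock Windows XP install carries for these four handlers; the exefile entry in the sample is deliberately altered to a hypothetical hijack.exe so that a mismatch is visible.

```python
import re

# Constructed .reg export for illustration (not from the thread). The exefile handler
# has been altered to point at a hypothetical hijack.exe so that a mismatch shows up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

# Assumed stock values for a Windows XP install; an assumption, not a vendor table.
EXPECTED_HANDLERS = {
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<raw>.*)"$')


def unescape_reg_string(raw):
    # .reg files escape a backslash as two backslashes and a quote as backslash-quote.
    return re.sub(r'\\(["\\])', r"\1", raw)


def parse_default_values(reg_text):
    """Map each key in a .reg export to its unescaped (Default) string value, if any."""
    defaults = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
            continue
        d = DEFAULT_RE.match(line)
        if d and current is not None:
            defaults[current] = unescape_reg_string(d.group("raw"))
    return defaults


def check_handlers(reg_text, expected=EXPECTED_HANDLERS):
    """Return (key, status, actual) per expected handler: ok, mismatch or absent."""
    found = {k.lower(): v for k, v in parse_default_values(reg_text).items()}
    results = []
    for key, want in expected.items():
        actual = found.get(key.lower())
        if actual is None:
            status = "absent"          # key not in this export; check it separately
        elif actual.strip().lower() == want.lower():
            status = "ok"
        else:
            status = "mismatch"        # handler no longer the stock string
        results.append((key, status, actual))
    return results


if __name__ == "__main__":
    for key, status, actual in check_handlers(SAMPLE_REG):
        print(f"{status:8} {key}  ->  {actual!r}")
```

Export the four keys with regedit (or `reg export HKCR\exefile exefile.reg` and so on) and feed the text to `check_handlers`; in this sample the regfile and batfile handlers come back ok, exefile comes back as a mismatch, and comfile is reported absent because the sample export does not contain it. A mismatch is not automatically malicious (some legitimate tools wrap exefile), but it is the kind of change that warrants looking at the path named in the handler.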