Please help me with trojan zlob.pornadvertiser.ba

Punk

Moderator
Staff member
Hello, half of the infections found were in the NOD32 quarantined folder.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\confl.dll
C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106350.exe
D:\realhndip\40.txt
F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
 

mand1

New Member
Hello Punk,

Here are the results of the Avenger test

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\confl.dll" deleted successfully.
File "C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106350.exe" deleted successfully.
File "D:\realhndip\40.txt" deleted successfully.

Error: could not open file "F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe"
Deletion of file "F:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP306\A0098875.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.
 

Punk

Moderator
Staff member
Ok, let's get a log from the Panda online scanner:

Run Panda Online Scan
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop
 

mand1

New Member
Hello Punk,

Panda Antivirus did not ask me for the state, province and e-mail address details. So I just scanned it and there was an option called Export to. On clicking it I got a text file. But I am not able to put the data here as it says that it's a long file. I am not even able to attach it for the same reason.

Please let me know if I can send it to you in any other way.
 

Punk

Moderator
Staff member
hi,
I have bought a new laptop and just after a few weeks my laptop went down with a
trojan virus. How can I remove this virus from my laptop? I am very afraid for my laptop.. every time I have this problem.. so kindly suggest me.. ideas or tips to remove the virus from my computer..
thanks !!!!

Please start a new thread in the Security Section :)

Mand1

I'm sure you already know, but most of your infections are coming from cracked versions of software/fonts you downloaded illegally. I'm not here to tell you what to do or what not to do, but I suggest you stop those illegal downloads as that is what caused the infection.


  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Softwares and files\N70\fonts remover & one sample font.rar
D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Data 4\Vids2new\IP frm\N7\N70\fonts remover & one sample font.rar
C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106364.SYS
D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode[1].MumSMS.v4.16.S60.SymbianOS8.1.Cracked-SyMPDA.zip
D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode.MumSMS.v4.16.S60.SymbianOS8.1.Cracked-SyMPDA.sis

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.



All of the files stated above were infected.

How is your system running now?
 

mand1

New Member
Oh, those were phone programs that I got from a well-known site. So they had a virus!

My computer seems to be quite fine. Those low-threat infections I had mentioned were there. When I opened Google links, it used to open some thermicosoft site; now when I try, it does not happen, so this issue would have been resolved.

Here are the avenger results

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Softwares and files\N70\fonts remover & one sample font.rar" deleted successfully.
File "D:\Program Files\Folder Lock\Scrambled\ASCII\D1\Data 4\Vids2new\IP frm\N7\N70\fonts remover & one sample font.rar" deleted successfully.
File "C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP320\A0106364.SYS" deleted successfully.
File "D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode[1].MumSMS.v4.16.S60.SymbianOS8.1.Cracked-SyMPDA.zip" deleted successfully.

Error: file "D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode.MumSMS.v4.16. S60.SymbianOS8.1.Cracked-SyMPDA.sis" not found!
Deletion of file "D:\Program Files\Folder Lock\Scrambled\ASCII\D2\Mine\Mumcode.MumSMS.v4.16. S60.SymbianOS8.1.Cracked-SyMPDA.sis" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 

Punk

Moderator
Staff member
Ok, let's get a Kaspersky result:

Run Kaspersky Online AV Scanner
Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
 

mand1

New Member
Hi,

Here are the kaspersky results

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 10, 2008 23:27:25
Records in database: 937938
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 43269
Threat name: 4
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:01:29


File name / Threat name / Threats count
C:\Program Files\REALHOUND IP Client\rhsupport.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP324\A0106668.dll Infected: not-a-virus:AdWare.Win32.Delf.l 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Proxy.Win32.Agent.arf 1
D:\Program Files\Uniblue\unins000.exe Infected: Trojan-Downloader.Win32.Agent.vuh 1

The selected area was scanned.
 

Punk

Moderator
Staff member
  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
D:\Program Files\Uniblue\unins000.exe
C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP324\A0106668.dll
C:\Program Files\REALHOUND IP Client\rhsupport.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

After that, please post a fresh Hijackthis log :)
 

mand1

New Member
Back with the results :)

Avenger results:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "D:\Program Files\Uniblue\unins000.exe" deleted successfully.
File "C:\System Volume Information\_restore{50688FD8-8D58-4111-A557-5142B85DC202}\RP324\A0106668.dll" deleted successfully.
File "C:\Program Files\REALHOUND IP Client\rhsupport.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
-------

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:56 PM, on 7/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Eset\nod32kui.exe
D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

--
End of file - 5300 bytes
 
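A small triage script for a HijackThis log like the one above, added here as an example and not part of the original thread or of HijackThis itself. It parses each section line, flags O2/O3 entries whose DLL is reported missing (a dangling registration such as the Console Flash BHO left behind after confl.dll was deleted), lists the O17 NameServer addresses so they can be checked against the ISP's resolvers, and extracts the program each O4 entry launches. The sample lines are copied from the log posted above; the function names are the example's own.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Console Flash v.4.1 - {BCC8A4AB-C055-461E-B4B5-1B0EA8647897} - C:\WINDOWS\system32\confl.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: REALHOUND IP Tune and Lube.LNK = C:\Program Files\REALHOUND IP Client\realhoundiptuneandlube.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F78793-C4E9-43AC-B077-EC4B720BB791}: NameServer = 218.248.240.23,218.248.240.135
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HijackThis finding is "<section code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
MISSING = " (file missing)"


def parse_entries(log_text):
    """Split a HijackThis log into (section code, body) pairs, skipping headers and the process list."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def autostart_target(body):
    """Return the program an O4 entry launches: the quoted path, the first bare token, or the .lnk target."""
    if "] " in body:                      # Run-key entry: [Name] "path" args
        cmd = body.split("] ", 1)[1].strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]
    if " = " in body:                     # Startup-folder entry: X.lnk = path
        return body.split(" = ", 1)[1].strip()
    return body


def triage(log_text):
    """Pull out the entries a helper checks first; returns {kind: [detail, ...]}."""
    found = {"missing_file": [], "nameserver": [], "autostart": []}
    for code, body in parse_entries(log_text):
        if code in ("O2", "O3") and body.endswith(MISSING):
            # The registry still references a BHO/toolbar DLL that no longer exists:
            # a leftover registration (here the confl.dll BHO) that HijackThis can fix.
            path = body.rsplit(" - ", 1)[1]
            found["missing_file"].append(path[: -len(MISSING)])
        elif code == "O17":
            # Per-adapter DNS servers; compare with the ISP's resolvers, because a
            # changed resolver would show up only here and not as a file on disk.
            m = re.search(r"NameServer = ([\d.,]+)", body)
            if m:
                found["nameserver"].extend(m.group(1).split(","))
        elif code == "O4":
            found["autostart"].append(autostart_target(body))
    return found


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_HJT_LOG).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```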

Punk

Moderator
Staff member
Looks like a clean log to me :)

Although you have the MegaUpload toolbar, which I don't recommend you keep. It's harmless, but it usually adds adware along with the installation.

Are you having any problems with your computer?
 

mand1

New Member
Oh finally my computer looks clean wow :)

I had mentioned about the tracking cookie low-threat type (mediaplex, statcounter, and a few more like this) that I found in Uniblue SpyEraser; this is the only thing I see.

Other than that, I had spoken about a resolution problem; that's it.
 

Punk

Moderator
Staff member
Download and run the free Ad-Aware from Lavasoft. That should get rid of your tracking cookies.

As for the resolution problem, post a new thread with your problem in the Video Cards and Monitors section of this forum.

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.

Please download OTMoveIt2 and save it to desktop.
  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Congratulations you are clean! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore - Windows XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.5.2
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here.

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use SpywareBlaster here.

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works.

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy safe surfing!
 

mand1

New Member
Ok, that's great. The system restore and the remaining steps I think I will do some other time, because right now my computer seems to be really good. I will post the resolution problem now to see what's happening there.

Punk, thanks a ton for your patience and help. There were so many things I learnt from you and you have helped me so much, including some issues which were coming up for many months. Please let me know if there is any option to repute so that I can add to your reputation :)
 

Punk

Moderator
Staff member
Punk, thanks a ton for your patience and help. There were so many things I learnt from you and you have helped me so much, including some issues which were coming up for many months. Please let me know if there is any option to repute so that I can add to your reputation :)

We don't have that reputation system, but just the fact that your computer is clean is enough for me :)

I'm always glad to help :)

If you have any problems, don't hesitate; we're all here to help :)
 