Help Infected with virus

SidneyJ

New Member
Hi, I just dealt with another recurrence of one of the hoax trojans, involving items like mssearchnet.exe and one similar or identical to nvtrl, and getting notices that my computer is infected. I cannot delete the file on my taskbar that is telling me this, and if I click on it, it loads an anti-spyware etc. site. It also installs SpyFalcon.

Anyhow, somehow I managed to delete the 2 files I talked about in the beginning of the post, when normally you can't. I got this same virus before; this time it worked differently. Anyhow, after the restore through safe mode, I no longer have the problem, but I'm still infected. SpyFalcon is uninstalled, and the 2 adware associated with it are removed with a different scanner.

Assuming I got rid of all traces of that virus, I am now left with a new one.

A trojan called Win32.Zlob.is, as Kaspersky detects it. I do not believe I have the main file removed, because I have scanned 2 different times and the program still found 2 infected System Restore files of the same trojan in the same type of directories.

I believe I got this trojan from a codec (virus) install. Let me explain: at an adult site, I tried to preview a sample clip, and it asked me to download a codec upgrade in order to view the file, so I did and installed it. Then the file played, but soon after closing browsers etc., that was when I got the first virus. My Kaspersky detected possible threats and trojans; I denied them all. I could not delete them, but I guess they still got through and installed.

So now I'm all worked up, and I assume the trojan program is still in my system, but none of the scanners or programs I have used so far have detected anything else. Only Kaspersky has detected the infected System Restore files with Win32.Zlob. Here is an example (deleted): Trojan program Trojan-Downloader.Win32.Zlob.is File: C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP251\A0074332.exe/PE_Patch/UPack

Any help, guys? Thanks. I've had a terrible 2 weeks, overcoming yet another one of the same viruses and now the Zlob, and I'm just not sure if it's out of my computer or not. Other than that, the computer seems to be running well without any weird things popping up; maybe it's a bit slowed down, not sure. But I still believe I have a problem, and Kaspersky might not be detecting the right program to remove.
 
Logfile of HijackThis v1.99.1 :confused:
Scan saved at 7:46:45 PM, on 3/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\runservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://beta.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\PROGRA~1\MASSDO~1\MDHELPER.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.4.4.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.jetsetpoker.com/setup.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124664470750
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4713/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
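As an added illustration (not from the thread or from HijackThis itself), here is how a HijackThis log like the one above can be pre-screened for the entries a human reviewer then checks by hand: dangling references such as the O3 "(no file)" and O18 "(file missing)" lines, O4 startup entries given without a full path, O16 ActiveX download sites that serve a bare executable, and O23 services with no recorded publisher. The sample log is constructed from entry types in the log above and is not the poster's complete log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 log format, modelled on the entry types in the
# log above (O2/O3/O4/O16/O18/O23); it is not the poster's complete log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.jetsetpoker.com/setup.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124664470750
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 body has the shape:  HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def triage_hjt(log_text):
    """Return (code, finding, line) for entries a reviewer should check by hand.
    These are prompts to verify against the actual files, not verdicts."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes:" block, blanks
        code, body = m.group("code"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            # Registry still points at a file that is gone: leftover of an uninstall.
            findings.append((code, "dangling reference, target file absent", line))
        elif code == "O4":
            run = RUN_RE.match(body)
            cmd = run.group("cmd") if run else body
            if not FULL_PATH_RE.match(cmd):
                # A bare file name is resolved through the executable search order at
                # logon, so the log alone does not tell you which file actually runs.
                findings.append((code, "startup entry without a full path", line))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if urlparse(url).path.lower().endswith(".exe"):
                # ActiveX download site handing IE a bare executable rather than a .cab
                findings.append((code, "DPF entry pointing at an executable", line))
        elif code == "O23" and "Unknown owner" in body:
            # No publisher recorded for the service binary; inspect the file at that path.
            findings.append((code, "service with no publisher information", line))
    return findings
```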
 
Your log looks clean. Turn off System Restore, then reboot into safe mode, run Kaspersky and fix what it finds, and you should be all right.
 
Hi. If it's the Stinger, it does not find anything for me. I will try, and no, I have not run the anti-virus programs in safe mode; I also think it slows them down too, and I just ran a Kaspersky scan in Windows and it never found anything. Here is a post of the Spider scan. I never deleted any files.

C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP241\A0071435.dll probably infected with MULDROP.Trojan Classified as a Possible Risk


C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP254\A0074647.exe is hacktool program Tool.Prockill Classified as a Hack tool

>>C:\WINDOWS\Downloaded Program Files\SpSubRx.exe probably infected with MULDROP.Trojan Classified as a Possible Risk
 
Are you talking about getting rid of the first 2 infected files that Spider found? I will take out restore and then scan in safe mode with Kaspersky. By Spider, I mean Dr.Web Scanner.
 
Yeah, the first two viruses will be gone when you delete the restore points.
And update your Kaspersky and run it full in safe mode.
It should fix your problem.
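The Kaspersky and Dr.Web hits quoted above sit inside System Restore checkpoints (the _restore{...}\RPnnn folders), which is why the advice is to purge the restore points rather than chase each file; this added example (not part of the thread) separates such checkpoint copies from a detection in a live location, grouped by restore point. The sample lines are constructed in a simplified "path verdict" form that reuses the paths quoted in this thread.

```python
import re

# Constructed sample of scanner output in a simplified "path verdict" shape; the
# paths reuse the ones quoted in this thread, the line format is not any real scanner's.
SAMPLE_DETECTIONS = r"""
C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP251\A0074332.exe Trojan-Downloader.Win32.Zlob.is
C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP241\A0071435.dll MULDROP.Trojan
C:\System Volume Information\_restore{DD01270F-9C47-42EA-8B73-18B9A210307C}\RP254\A0074647.exe Tool.Prockill
C:\WINDOWS\Downloaded Program Files\SpSubRx.exe MULDROP.Trojan
"""

# Windows XP System Restore stores checkpoint copies under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<seq>.<ext>
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


def classify_detections(scan_text):
    """Split detections into live files, which must be removed where they sit, and
    checkpoint copies grouped by restore point number. A hit inside RP<n> is a
    snapshot of a file as it was at that checkpoint: scanners keep reporting it
    while the checkpoint exists, and turning System Restore off purges every
    checkpoint at once, which is the fix given in this thread."""
    live, archived = [], {}
    for line in scan_text.strip().splitlines():
        path, verdict = line.rsplit(None, 1)  # verdict is the last token
        m = RESTORE_RE.match(path)
        if m:
            archived.setdefault(int(m.group("rp")), []).append((path, verdict))
        else:
            live.append((path, verdict))
    return live, archived
```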
 
Hi, I ran the Ad-Aware SE program. I am wondering about this file; it has found it other times too, but I don't feel comfortable deleting it. And yes, after deleting restore points, it got rid of the first 2; the 3rd file is safe.

Name:Windows
Category:Vulnerability
Object Type:RegData
Size:19 Bytes
Location:regfile\shell\open\command "" ("regedit.exe" "%1")
Last Activity:3-19-2006
Relevance:Low
TAC index:3
Comment:
Description:General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.

And some, I guess, non-critical stuff it found: Negligible objects.
Is it okay to delete these files, as they say it's not posing a threat and it's up to you to decide? Just wondering if it affects the programs in any way, or if it's just wasting space and I can remove them. Thanks.
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1



MRU List Object Recognized!
Location: : C:\Documents and Settings\Sid\recent
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\directinput\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\directinput\mostrecentapplication
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\internet explorer
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\internet explorer\main
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\internet explorer\typedurls
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\medialibraryui
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\player\settings
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\mediaplayer\preferences
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\microsoft management console\recent file list
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\search assistant\acmru
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description :


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\microsoft\windows media\wmsdk\general
Description :


MRU List Object Recognized!
Location: : S-1-5-21-1960408961-1897051121-839522115-1004\software\winrar\dialogedithistory\extrpath
Description :
 