Wondering if it got all of it

[Rick77]

First of all I gotta say this program is amazing. A friend of one of my co-workers (who's not very computer savy) was having computer issues so I said I'd look at it since I like this stuff hehe. His desktop icons kept disappearing after about 5 to 10 seconds and then would re-appear and a warning kept popping up in lower right about being infected - it was the zlob trojan causing a false antivirus program and ads to keep popping up - I think the program was called antispyware - I did a search on google and found a site that said this program could fix it and smitfraud could fix it. I ran both and noticed this program found several entries including some vundo as well. After cleaning and rebooting the computer seems to be fine. I ran hijackthis before and after and saved the logs just in case. I'm not sure if he's all clean but seems to be. I ran this program again after rebooting and it said no infections found. I also ran a few other programs and they didn't find it either. I was wondering if it's all gone or not. Does this program really remove all of the infection for both zlob and vundo or do we still need to delete some files or registry entries? Here is the entry I noticed that was in the before log that's not in the after log:

O22 - SharedTaskScheduler: hypoch - {2f199d0e-f3e7-41a7-a060-816c24cceea0} - C:\WINDOWS\system32\zgyhw.dll

Here's the new hijackthis log, does it look clean? Are there things that need removing that you can't see here? TIA

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:26:18, on 9/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\system32\VTTimer.exe

C:\Program Files\AT&T\Internet Security Wizard\ISW.exe

C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\AT&T\Internet Security Wizard\ISWComHandler.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\HJT\HijackThis.exe

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\AT&T\AT&T Internet Security Suite\pkR.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [iSW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN

O4 - HKLM\..\Run: [AT&T Internet Security Suite] "C:\Program Files\AT&T\AT&T Internet Security Suite\Rps.exe"

O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: AT&T Internet Security Suite Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe

O23 - Service: AT&T Internet Security Suite AT&T Firewall (RP_FWS) - AT&T - C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe

--

End of file - 4605 bytes

[JeanInMontana]

First can you show us a EULA for the tool bar showing C:\Program Files\AskSBar\SrchAstt was it installed on purpose?

Second, yes MBAM usually gets all malware and traces. MBAM does component linking and will often get all infection components both file and registry

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) <======== That should be removed to clean up.

I would like to see a MBAM log after update and a new HJT. We don't make a habit of doing 3rd party fixes so if your friend's friend would join and deal with this it would be for the best.

[Rick77]

First can you show us a EULA for the tool bar showing C:\Program Files\AskSBar\SrchAstt was it installed on purpose?

Second, yes MBAM usually gets all malware and traces. MBAM does component linking and will often get all infection components both file and registry

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) <======== That should be removed to clean up.

I would like to see a MBAM log after update and a new HJT. We don't make a habit of doing 3rd party fixes so if your friend's friend would join and deal with this it would be for the best.

Thanks for the quick reply and pointers. I'll tell him it would be best to join the forum. He's very intimidated by computers though. I'll explain to him that you don't have to be a geek to follow your instructions in here - that may help

[JeanInMontana]

So, does this mean your not going to do anything and I should close the thread?

[AdvancedSetup]

Due to no response I will close this topic. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you

Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting

Pre- HJT Post Instructions

Also don't forget that we offer

FREE

assistance with General PC questions and repair here

PC Help

If you're pleased with the product

Malwarebytes

and the service provided you, please let your friends, family, and co-workers know.

http://www.malwarebytes.org

.