Bootloop


BWP

Hi, I do hope you can help.

In an attempt to permanently remove Trojan.Downloader, I ran ESET on-line before the next step. The next attempt at a re-start failed as the Thread http://www.malwarebytes.org/forums/index.php?showtopic=7605 explains. Please, please can you help me. I'm running XP with SP3. I'm borrowing the use of this laptop to communicate. Many thanks.

OK, insert your Windows XP CD and restart your computer.

1) When the Press any key to boot from CD message is displayed on your screen, press a key to start your computer from the Windows XP CD.

2) Press ENTER when you see the message To setup Windows XP now, and then press ENTER displayed on the Welcome to Setup screen.

3) Do not choose the option to press R to use the Recovery Console.

4) In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.

5) Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.

6) Follow the instructions on the screen to complete Setup.

With a repair install, all files and folders you had will still be there and available for you...your Windows installation will be overwritten so it is important to visit Windows Update immediately afterward. Post back your results. Thanks!

After F8 I select C: (I have 2 HDDs), Win XP Pro then says "the partition is either too full, damaged........." and only gives options to Format. There is actually lots of free space on it.

If it helps, the PC came with an oem version and during one of many updates it needed my licence info which I couldn't find. So I had to purchase it online from M'soft with a new licence number etc. (It's currently up to date with SP3). This was, I think, last year but my XP Pro disk is the original which is several years old.

What do you think could have happened after I ran ESET?

Can you get the desktop to boot up at all...either in normal mode, safe mode, last known good configuration that worked, safe mode with networking...?

Only bootable configuration is via CD as described. No other options available apart from having access to BIOS, which is how I managed to change boot order.

Run a disk check from the Recovery Console...

  • Insert your Windows XP CD into your computer's CD-ROM drive and restart your computer.
  • At the Windows Setup screen, press R to enter the Recovery Console.
  • You will enter the Recovery Console and be asked to choose which Windows installation you would like to log into. Most users will only have one choice.
  • You will be prompted to enter the administrator password. This is the password set for the user profile "Administrator". You may have set this password when you first configured your computer. If no password was set up, then just press ENTER.
  • You will be presented with a C: prompt. Type or copy and paste: chkdsk /r and press ENTER.
  • Checkdisk will now run. The scan may run for several hours...it depends on the size of the disk and volume of data.
  • When the scan is complete, a report will be displayed. At this point, you need only to type Exit at the command prompt and press "Enter"

Remember to eject your Windows XP CD or else you'll get the installation menu again on your next reboot.

* NOTE: If you are unable to access the recovery console, your CD may be damaged, or the problem could be more severe and require professional system recovery.

If all went well, return to the BIOS screen and change your boot sequence back to what it was previously.

Post back your results. Thanks!

Well, I hardly know how to thank you. I'm writing this on my PC which is clearly working again with everything seemingly intact. However, here's my MBAM-LOG which shows the Trojan.Downloader is back. How can I get rid of this thing? I've decided not to reboot for the moment, just in case of problems again.

I stopped the scan as soon as it found it. The last few scans only find this one infection which is in the same place each time.

Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 3

23/11/2008 23:52:57
mbam-log-2008-11-23 (23-52-57).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 24722
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{49C178D9-603B-4F06-9182-AB6A2D2686D0}\RP763\A0155679.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

You're welcome indeed...all of us here are just very glad to be able to help.

The Trojan.Downloader isn't back. The scan is finding the infected file in your system restore point which doesn't indicate an active infection. Your system's restore points are just snapshots of your system as it was at some time in the past.

If you've ever researched a virus issue via some antivirus vendor, you might have found an instruction included to "disable system restore" as a part of their recommended fix. They ALL seem to include that instruction but I doubt you will ever find any one of us who work these various forums to suggest it as the philosophy is that even an infected restore point is better than NO restore point.

Of course, they also include the fact that after their recommended fix, to re-enable system restore, but...things can and have gone wrong in times past with users misunderstanding something about the instruction or so, and end up with a non-working system. On occasion when that happens, one escape method is to have the user restore the system using the recovery console to select a restore point prior to the date of the fix...but, when no restore point is there, the fix then becomes useless dribble.

You can allow the scan to complete and instruct mbam to remove the file.

Upon reboot, run mbam again and post back THAT log. Thanks!

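The distinction drawn above, that a hit under C:\System Volume Information\_restore{GUID}\RPnnn\ is a System Restore snapshot rather than running code, can be checked mechanically when triaging these logs. The Python script below is an added example, not part of this thread or of Malwarebytes' own tooling; it parses the MBAM 1.x log layout quoted above and uses a constructed sample log (zeroed GUID, invented file and registry names).

```python
# Triage of an MBAM 1.x text log (added example; not Malwarebytes' own code).
# Hits under C:\System Volume Information\_restore{GUID}\RPnnn\ are System
# Restore snapshots rather than running code, so they are reported apart.
import re
from dataclasses import dataclass, field

# "<section> Infected: N" is a summary count; "<section> Infected:" opens a list.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "<item> (<threat>) -> <action>"; the greedy item keeps parentheses in paths.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\RP\d+\\",
    re.IGNORECASE)

# Constructed sample in the layout quoted in the thread (zeroed GUID, invented names).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1419
Scan type: Full Scan (C:\|F:\|)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\example (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP763\A0155679.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# The thread's own situation: the only hit sits inside a restore point.
RESTORE_ONLY_LOG = r"""Files Infected: 1

Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP764\A0155708.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str
    item: str
    threat: str
    action: str

    @property
    def in_restore_point(self):
        return bool(RESTORE_POINT_RE.search(self.item))


@dataclass
class Triage:
    counts: dict = field(default_factory=dict)   # summary line -> declared count
    detections: list = field(default_factory=list)

    @property
    def active(self):
        return [d for d in self.detections if not d.in_restore_point]

    @property
    def dormant(self):
        return [d for d in self.detections if d.in_restore_point]

    def counts_match(self):
        """True when every summary count equals the items listed for that section."""
        seen = {}
        for d in self.detections:
            seen[d.section] = seen.get(d.section, 0) + 1
        return all(seen.get(name, 0) == n for name, n in self.counts.items())

    def verdict(self):
        if self.active:
            return "active"
        return "restore-point only" if self.dormant else "clean"


def parse_mbam_log(text):
    result, section = Triage(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m:                                  # summary count or list header
            if m.group("count") is None:
                section = m.group("name")
            else:
                result.counts[m.group("name")] = int(m.group("count"))
                section = None
            continue
        m = ITEM_RE.match(line) if section else None
        if m:
            result.detections.append(Detection(section, *m.group("item", "threat", "action")))
    return result
```

A verdict of "restore-point only" is the case in this thread: the file is gone once the restore points are purged, and nothing outside them was flagged.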
After I last replied I noticed Trojan.Downloader was showing in the Task Manager, so I selected "End Task".

I've since read your reply and restarted. It appears in the scan again but not in the Task Manager. Thank you all again for your support and patience, is there a way I can make a donation, I'm in your debt.

Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 3

24/11/2008 07:47:06
mbam-log-2008-11-24 (07-47-06).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 23864
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{49C178D9-603B-4F06-9182-AB6A2D2686D0}\RP764\A0155708.sys (Trojan.Downloader) -> Quarantined and deleted successfully.

is there a way I can make a donation, I'm in your debt.

You don't owe me a thing...but if you are considering a donation, why not purchase a licensed copy of mbam. With the license, you can take advantage of the real time protection (which would prevent infections) and other automated features not available in the free version.

May we see a fresh HijackThis log now please? Thanks!

I'll certainly do that.

I finally removed it from Restore by deleting the Restore points. Here's the log afterwards -

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3

25/11/2008 23:22:34
mbam-log-2008-11-25 (23-22-34).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 256541
Time elapsed: 1 hour(s), 21 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

May we see a fresh HijackThis log now please? Thanks!

Hi

I don't have HijackThis on my PC. A local professional polished off our work by finding 2 more infections. He did this by connecting my HDD to his machine and scanning it. My PC is now much faster and working fine. I'm very nervous about downloading after my recent experience. However, I have complete confidence in you so if you tell me where to get it from and which version, I'll do it.

Click HERE to download HijackThis.

Click the Download button then select the link to Download HijackThis Installer.

Double click on the HJTInstall.exe then click "Install". It will be installed by default here:

C:\Program Files\Trend Micro\HijackThis

...and a shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.

You can double click the icon that was placed on the Desktop to run subsequent hijackthis scans or you can use the icon inside the folder.

The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click Do a system scan and save a logfile. Copy and paste the contents of that log in your next reply. Thanks!

Hi,

My log HJT -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21:29, on 28/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Hercules\Video\Hercules 3DTweaker 3.0 LE\H3dTweaker.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hercules\Video\Hercules 3DTweaker 3.0 LE\D3D3DTwkAnim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcyd.exe] C:\WINDOWS\system32\kdcyd.exe
O4 - HKLM\..\Run: [Hercules 3DTweaker 3.0] C:\Program Files\Hercules\Video\Hercules 3DTweaker 3.0 LE\H3dTweaker.exe -hide
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC1CDB36-9B5C-42B7-B236-AC6F32214786}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13025 bytes

OK...your log on 11/25 showed no infections but what threw me a curve is when you said on the 26th:

A local professional polished off our work by finding 2 more infections. He did this by connecting my HDD to his machine and scanning it. My PC is now much faster and working fine...

...because this log shows us that you now have a problem with the "zlob" trojan. What 2 infections did your local professional remove?

I'd like to point out that while you appear to have a pretty good security setup, it's not complete without a third party firewall...which by the way, may have prevented this latest trojan intrusion. There also is some doubt that you need to have the volume of security layers that you do have. For instance, the "Internet Cleanup" bho you installed from "Aladdin Systems" alleges to provide protection from such intrusions but we see that it failed to protect your system this time around. This may also cause some conflict with "Tea Timer".

The Spyware Doctor, Spybot's Tea Timer along with Symantec's Antivirus are fine but none of these will prevent web based intrusions...that's why I suggest the third party firewall.

For now however, we need to have you run a manual update of your on board mbam application and run another "quick" scan but before you do...please be sure to disable the active protection afforded from Spybot's Tea Timer Registry protection and the Spyware Doctor's real time protection.

To disable Spyware Doctor:

  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor

...and to disable Tea Timer:

  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts
  • Restart your computer.

Once your log is clean you can re-enable Spyware Doctor and Tea Timer but please...not before.

Once you have disabled these, please update mbam and run the quick scan.

Next, your Java application is out of date and causes a slight security risk as a result.

Please follow these steps to remove older version Java components:

  • Close any open programs you may have running, especially your web browser.
  • Click Start-->Control Panel-->Add or Remove Programs.
  • Click once on any item having Java Runtime Environment in its name then click the "Remove" button.

Not every version of Java will begin with "Java" so be sure to read each entry in the list.

Repeat the third step above as many times as necessary to remove all versions of Java.

***NOTE***

If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

  • Navigate to and delete the Java folder: C:\Program Files\Java (if found)
  • Then go to this page.
    Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications" (first download link) and click the "Download" button to the right. Select the platform for "Windows".
  • Check the box that says: "I agree to the Java SE Runtime Environment # License Agreement", then click Continue...The page will refresh

Then, click on the link to download Windows Offline Installation. Save it to your desktop.

Now, from your desktop, double-click on the executable to install the newest version.

Please select and install one of these free Firewall applications:

ZoneAlarm Free Version

Outpost Free

Kerio

Comodo

When the installation completes successfully, reboot the computer.

Please post back the latest mbam log. Thanks!

Hi,

I use Internet Cleanup only at the end of an Internet session to remove Zulu Top Text which seems to be installed by numerous companies and banks and to which I object. No other software appears to detect or remove it. Then I always run CCleaner.

You mention Symantec but I removed this some time ago in favour of PC Tools AntiVirus. I frequently run SpyBot, Ad-Aware and of course mbam.

I removed all the Java software (lots of updates etc) and re-installed a fresh copy as instructed.

I became a bit nervous of the Firewall software. ZoneAlarm reported "unable to find packet or patch" and Outpost promised an email had been sent allowing me to download it but that was several hours ago. I'm running the Win XP and PC Tools Firewalls, are these not enough?

My PC is so much faster now. Again thanks for all your help, here's my mbam log -

Malwarebytes' Anti-Malware 1.30

Database version: 1440

Windows 5.1.2600 Service Pack 3

01/12/2008 18:54:46

mbam-log-2008-12-01 (18-54-46).txt

Scan type: Full Scan (C:\|F:\|)

Objects scanned: 253416

Time elapsed: 1 hour(s), 20 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Your log shows that you still have Symantec installed and running...the live update service as well as the core antivirus elements for Norton Antivirus 2004.

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

The log doesn't tell us if you keep your software up to date or not...it does however show us that it is installed and running on startup.

I've not heard of "Zulu Top Text" before but glad you've found that the "Internet Cleanup" program removes it (whatever it is).

The program from PC Tools, "Spyware Doctor" is NOT an antivirus program. Its name pretty much says it all...it is an anti-spyware application which does nothing to prevent the installation of a virus of any kind.

This entry below:

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcyd.exe] C:\WINDOWS\system32\kdcyd.exe

...is from the zlob.DNS Changer infection.

None of the logs you've produced so far show any evidence that this infection was removed...and it only appeared in your HijackThis log after your local professional connected your Hard Disk Drive to his machine according to your statement. However, it is remarkable that your system is now "clean and running faster now". Very glad to see you are happy with its performance.
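An added example (my own Python, not code from this thread or from HijackThis) that parses O4 and O23 lines like the ones quoted above and flags the traits the reply reasons from: an autorun value named after its own path, a short random-looking executable sitting directly in system32, and a service with no registered vendor. The sample lines are the four quoted in the reply; the heuristics are assumptions for illustration and only mark entries for a closer look.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the four HijackThis lines quoted in the reply above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcyd.exe] C:\WINDOWS\system32\kdcyd.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# O4 = registry Run entry "[value name] command line"; O23 = service "name - owner - binary".
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def _exe_from_cmdline(cmd):
    """Return the executable at the start of an O4 command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def parse_hjt(text):
    """Parse O4 and O23 lines into dicts (type, name, owner, path); skip anything else."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "name": m["name"], "owner": None,
                            "path": _exe_from_cmdline(m["cmd"])})
            continue
        m = O23_RE.match(line)
        if m:
            entries.append({"type": "O23", "name": m["name"], "owner": m["owner"],
                            "path": m["path"].strip()})
    return entries

def flag_entries(entries):
    """Assumed heuristics (mine, not HijackThis's): (entry name, reason) pairs to look at."""
    flags = []
    for e in entries:
        p = PureWindowsPath(e["path"])
        in_system32 = [s.lower() for s in p.parts[-3:-1]] == ["windows", "system32"]
        if e["type"] == "O4" and e["name"].lower() == e["path"].lower():
            flags.append((e["name"], "autorun value named after its own path"))
        if in_system32 and re.fullmatch(r"[a-z]{4,6}\.exe", p.name):
            flags.append((e["name"], "short random-looking name directly in system32"))
        if e["type"] == "O23" and e["owner"] == "Unknown owner":
            flags.append((e["name"], "service with no registered vendor"))
    return flags
```

Run on the sample, the kdcyd.exe entry trips the first two heuristics and the Symantec Core LC service trips the third; the Symantec PIF entries are not flagged.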


This issue appears resolved and the thread is closed to prevent others from posting here.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
