BWP Posted November 22, 2008 ID:36011

Hi, I do hope you can help.

In an attempt to permanently remove Trojan.Downloader, I ran ESET on-line before the next step. The next attempt at a re-start failed as the thread http://www.malwarebytes.org/forums/index.php?showtopic=7605 explains. Please, please can you help me. I'm running XP with SP3. I'm borrowing the use of this laptop to communicate. Many thanks.
1972vet Posted November 22, 2008 ID:36039

Does the system boot up at all now?
BWP Posted November 22, 2008 ID:36048

> Does the system boot up at all now?

I managed to change the boot drive order so now I can boot to the XP CD installation screen. I haven't gone beyond that in case I make things worse.
1972vet Posted November 22, 2008 ID:36053

OK, insert your Windows XP CD and restart your computer.
1) When the "Press any key to boot from CD" message is displayed on your screen, press a key to start your computer from the Windows XP CD.
2) Press ENTER when you see the message "To setup Windows XP now, and then press ENTER" displayed on the Welcome to Setup screen.
3) Do not choose the option to press R to use the Recovery Console.
4) In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
5) Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.
6) Follow the instructions on the screen to complete Setup.

With a repair install, all files and folders you had will still be there and available for you...your Windows installation will be overwritten so it is important to visit Windows Update immediately afterward.

Post back your results. Thanks!
BWP Posted November 22, 2008 ID:36078

> OK, insert your Windows XP CD and restart your computer. [...] Post back your results. Thanks!

After F8 I select C: (I have 2 HDDs), Win XP Pro then says "the partition is either too full, damaged........." and only gives options to Format. There is actually lots of free space on it.

If it helps, the PC came with an OEM version and during one of many updates it needed my licence info which I couldn't find. So I had to purchase it online from M'soft with a new licence number etc. (It's currently up to date with SP3). This was, I think, last year but my XP Pro disk is the original which is several years old.

What do you think could have happened after I ran ESET?
1972vet Posted November 23, 2008 ID:36129

Can you get the desktop to boot up at all...either in normal mode, safe mode, last known good configuration that worked, safe mode with networking...?
BWP Posted November 23, 2008 ID:36133

> Can you get the desktop to boot up at all...either in normal mode, safe mode, last known good configuration that worked, safe mode with networking...?

Only bootable configuration is via CD as described. No other options available apart from having access to BIOS, which is how I managed to change boot order.
1972vet Posted November 23, 2008 ID:36138

Run a disk check from the Recovery Console...

Insert your Windows XP CD into your computer's CD-ROM drive and restart your computer.
At the Windows Setup screen, press R to enter the Recovery Console.
You will enter the Recovery Console and be asked to choose which Windows installation you would like to log into. Most users will only have one choice.
You will be prompted to enter the administrator password. This is the password set for the user profile "Administrator". You may have set this password when you first configured your computer. If no password was set up, then just press ENTER.
You will be presented with a C: prompt. Type or copy and paste: chkdsk /r and press ENTER.
Checkdisk will now run. The scan may run for several hours...it depends on the size of the disk and volume of data.
When the scan is complete, a report will be displayed. At this point, you need only to type Exit at the command prompt and press "Enter".
Remember to eject your Windows XP CD or else you'll get the installation menu again on your next reboot.

* NOTE: If you are unable to access the recovery console, your CD may be damaged, or the problem could be more severe and require professional system recovery.

If all went well, return to the BIOS screen and change your boot sequence back to what it was previously.

Post back your results. Thanks!
BWP Posted November 24, 2008 ID:36196

> Run a disk check from the Recovery Console... [...] Post back your results. Thanks!

Well, I hardly know how to thank you. I'm writing this on my PC which is clearly working again with everything seemingly intact. However, here's my MBAM-LOG which shows the Trojan.Downloader is back. How can I get rid of this thing? I've decided not to reboot for the moment, just in case of problems again.

I stopped the scan as soon as it found it. The last few scans only find this one infection which is in the same place each time.

Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 3

23/11/2008 23:52:57
mbam-log-2008-11-23 (23-52-57).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 24722
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{49C178D9-603B-4F06-9182-AB6A2D2686D0}\RP763\A0155679.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
1972vet Posted November 24, 2008 ID:36220

> However, here's my MBAM-LOG which shows the Trojan.Downloader is back. How can I get rid of this thing? [...] The last few scans only find this one infection which is in the same place each time.

You're welcome indeed...all of us here are just very glad to be able to help.

The Trojan.Downloader isn't back. The scan is finding the infected file in your system restore point which doesn't indicate an active infection. Your system's restore points are just snapshots of your system as it was at some time in the past. If you've ever researched a virus issue via some antivirus vendor, you might have found an instruction included to "disable system restore" as a part of their recommended fix. They ALL seem to include that instruction but I doubt you will ever find any one of us who work these various forums to suggest it as the philosophy is that even an infected restore point is better than NO restore point.

Of course, they also include the fact that after their recommended fix, to re-enable system restore, but...things can and have gone wrong in times past with users misunderstanding something about the instruction or so, and end up with a non-working system. On occasion when that happens, one escape method is to have the user restore the system using the recovery console to select a restore point prior to the date of the fix...but, when no restore point is there, the fix then becomes useless dribble.

You can allow the scan to complete and instruct mbam to remove the file. Upon reboot, run mbam again and post back THAT log. Thanks!
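The distinction 1972vet draws above, a hit inside a System Restore snapshot versus a hit in a live location, can be checked mechanically rather than by eye. The following is an added example and is not code from the thread or from Malwarebytes: it pulls the detection lines out of a Malwarebytes' Anti-Malware 1.x log and reports whether every detection sits under \System Volume Information\_restore{GUID}\RPnnn\. The sample log is constructed in the posted log's layout (it is not the log posted above) and contains one snapshot hit and one live hit so that both outcomes appear; the file names in it are invented.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of an MBAM 1.x log (not the thread's own log).
# One detection lives in a System Restore snapshot, the other in a live location.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 24722
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP100\A0000001.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# A detection line is "<path> (<family>) -> <action>".  Paths start with a drive
# letter (files, folders) or a registry hive (registry keys/values).
DETECTION_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:\\|HK[A-Z_]*\\).+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$"
)

# System Restore keeps snapshots as \System Volume Information\_restore{GUID}\RPnnn\.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP\d+\\",
    re.IGNORECASE,
)


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    path: str
    name: str      # detection family, e.g. "Trojan.Downloader"
    action: str    # what MBAM did with it

    @property
    def in_restore_point(self) -> bool:
        """True when the object lived inside a System Restore snapshot."""
        return RESTORE_POINT_RE.search(self.path) is not None


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line in the log, tagged with its section heading."""
    section = ""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):        # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m["path"], m["name"], m["action"]))
    return found


def verdict(detections: List[Detection]) -> str:
    """'clean', 'restore point only' (no live infection) or 'active'."""
    if not detections:
        return "clean"
    if all(d.in_restore_point for d in detections):
        return "restore point only"
    return "active"


if __name__ == "__main__":
    hits = parse_mbam_log(SAMPLE_LOG)
    for d in hits:
        where = "restore point" if d.in_restore_point else "LIVE"
        print(f"[{where}] {d.name}: {d.path}")
    print("verdict:", verdict(hits))
```

To run it over a real log, read the saved mbam-log-*.txt file and pass its contents to parse_mbam_log(); a verdict of "restore point only" is the situation 1972vet describes, where the only remaining hits are old snapshots and nothing is executing.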
BWP Posted November 24, 2008 ID:36242

> The Trojan.Downloader isn't back. The scan is finding the infected file in your system restore point which doesn't indicate an active infection. [...] You can allow the scan to complete and instruct mbam to remove the file. Upon reboot, run mbam again and post back THAT log. Thanks!

After I last replied I noticed Trojan.Downloader was showing in the Task Manager; I selected "End Task". I've since read your reply and restarted. It appears in the scan again but not in the Task Manager.

Thank you all again for your support and patience. Is there a way I can make a donation? I'm in your debt.

Malwarebytes' Anti-Malware 1.30
Database version: 1419
Windows 5.1.2600 Service Pack 3

24/11/2008 07:47:06
mbam-log-2008-11-24 (07-47-06).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 23864
Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{49C178D9-603B-4F06-9182-AB6A2D2686D0}\RP764\A0155708.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
1972vet Posted November 24, 2008 ID:36304

> Is there a way I can make a donation? I'm in your debt.

You don't owe me a thing...but if you are considering a donation, why not purchase a licensed copy of mbam. With the license, you can take advantage of the real time protection (which would prevent infections) and other automated features not available in the free version.

May we see a fresh HijackThis log now please? Thanks!
BWP Posted November 25, 2008 ID:36470

> You don't owe me a thing...but if you are considering a donation, why not purchase a licensed copy of mbam. [...] May we see a fresh HijackThis log now please? Thanks!

I'll certainly do that.

I finally removed it from Restore by deleting the Restore points. Here's the log afterwards -

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 3

25/11/2008 23:22:34
mbam-log-2008-11-25 (23-22-34).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 256541
Time elapsed: 1 hour(s), 21 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
1972vet Posted November 26, 2008 ID:36480

May we see a fresh HijackThis log now please? Thanks!
BWP Posted November 26, 2008 ID:36566

> May we see a fresh HijackThis log now please? Thanks!

Hi

I don't have HijackThis on my PC. A local professional polished off our work by finding 2 more infections. He did this by connecting my HDD to his machine and scanning it. My PC is now much faster and working fine.

I'm very nervous about downloading after my recent experience. However, I have complete confidence in you so if you tell me where to get it from and which version, I'll do it.
1972vet Posted November 27, 2008 ID:36591

Click HERE to download HijackThis.

Click the Download button then select the link to Download HijackThis Installer.
Double click on the HJTInstall.exe then click "Install". It will be installed by default here:
C:\Program Files\Trend Micro\HijackThis
...and a shortcut to the application will also be placed on your Desktop.
The program will open automatically after installation.
You can double click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder.
The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click "Do a system scan and save a logfile". Copy and paste the contents of that log in your next reply. Thanks!
BWP Posted November 28, 2008 ID:36711

> Click HERE to download HijackThis. [...] Click "Do a system scan and save a logfile". Copy and paste the contents of that log in your next reply. Thanks!

Hi,

My log HJT -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21:29, on 28/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Hercules\Video\Hercules 3DTweaker 3.0 LE\H3dTweaker.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Hercules\Video\Hercules 3DTweaker 3.0 LE\D3D3DTwkAnim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcyd.exe] C:\WINDOWS\system32\kdcyd.exe
O4 - HKLM\..\Run: [Hercules 3DTweaker 3.0] C:\Program Files\Hercules\Video\Hercules 3DTweaker 3.0 LE\H3dTweaker.exe -hide
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC1CDB36-9B5C-42B7-B236-AC6F32214786}: NameServer = 4.2.2.2,4.2.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13025 bytes
1972vet Posted November 29, 2008 ID:36765

OK...your log on 11/25 showed no infections, but what threw me a curve is when you said on the 26th:

> A local professional polished off our work by finding 2 more infections. He did this by connecting my HDD to his machine and scanning it. My PC is now much faster and working fine...

...because this log shows us that you now have a problem with the "zlob" trojan. What 2 infections did your local professional remove?

I'd like to point out that while you appear to have a pretty good security setup, it's not complete without a third party firewall...which by the way, may have prevented this latest trojan intrusion. There also is some doubt that you need to have the volume of security layers that you do have. For instance, the "Internet Cleanup" BHO you installed from "Aladdin Systems" alleges to provide protection from such intrusions but we see that it failed to protect your system this time around. This may also cause some conflict with "Tea Timer". The Spyware Doctor, Spybot's Tea Timer along with Symantec's Antivirus are fine but none of these will prevent web based intrusions...that's why I suggest the third party firewall.

For now however, we need to have you run a manual update of your on board mbam application and run another "quick" scan but before you do...please be sure to disable the active protection afforded from Spybot's Tea Timer Registry protection and the Spyware Doctor's real time protection.

To disable Spyware Doctor:
Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck Run at Windows startup.
Click Apply and Exit Spyware Doctor.

...and to disable Tea Timer:
Run Spybot-S&D.
Go to the Mode menu, and make sure "Advanced Mode" is selected.
On the left hand side, choose Tools -> Resident.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

Once your log is clean you can re-enable Spyware Doctor and Tea Timer but please...not before.

Once you have disabled these, please update mbam and run the quick scan.

Next, your Java application is out of date and causes a slight security risk as a result. Please follow these steps to remove older version Java components:
Close any open programs you may have running, especially your web browser.
Click Start-->Control Panel-->Add or Remove Programs.
Click once on any item having Java Runtime Environment in its name then click the "Remove" button.
Not every version of Java will begin with "Java" so be sure to read each entry in the list.
Repeat the third step above as many times as necessary to remove all versions of Java.

***NOTE*** If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

Navigate to and delete: C:\Program Files\Java <-- the Java folder indicated (if found)

Then go to this page. Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications" (first download link) and click the "Download" button to the right. Select the platform for "Windows". Check the box that says: "I agree to the Java SE Runtime Environment # License Agreement", then click Continue...The page will refresh. Then, click on the link to download Windows Offline Installation. Save it to your desktop. Now, from your desktop, double-click on the executable to install the newest version.

Please select and install one of these free Firewall applications:
ZoneAlarm Free Version
Outpost Free
Kerio
Comodo

When the installation completes successfully, reboot the computer. Please post back the latest mbam log. Thanks!
BWP Posted December 1, 2008 Author ID:37271

Hi,
I use Internet Cleanup only at the end of an Internet session to remove Zulu Top Text which seems to be installed by numerous companies and banks and to which I object. No other software appears to detect or remove it. Then I always run CCleaner.
You mention Symantec but I removed this some time ago in favour of PC Tools AntiVirus. I frequently run SpyBot, Ad-Aware and of course mbam.
I removed all the Java software (lots of updates etc) and re-installed a fresh copy as instructed.
I became a bit nervous of the Firewall software. ZoneAlarm reported "unable to find packet or patch" and Outpost promised an email had been sent allowing me to download it but that was several hours ago. I'm running the Win XP and PC Tools Firewalls, are these not enough?
My PC is so much faster now. Again thanks for all your help, here's my mbam log -

Malwarebytes' Anti-Malware 1.30
Database version: 1440
Windows 5.1.2600 Service Pack 3

01/12/2008 18:54:46
mbam-log-2008-12-01 (18-54-46).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 253416
Time elapsed: 1 hour(s), 20 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
1972vet Posted December 2, 2008 ID:37429

Your log shows that you still have Symantec installed and running...the live update service as well as the core antivirus elements for Norton Antivirus 2004.

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

The log doesn't tell us if you keep your software up to date or not...it does however show us that it is installed and running on startup.

I've not heard of "Zulu Top Text" before but glad you've found that the "Internet Cleanup" program removes it (whatever it is).

The program from PC Tools, "Spyware Doctor" is NOT an antivirus program. Its name pretty much says it all...it is an anti-spyware application which does nothing to prevent the installation of a virus of any kind.

This entry below:

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcyd.exe] C:\WINDOWS\system32\kdcyd.exe

...is from the zlob.DNS Changer infection. None of the logs you've produced so far shows any evidence that this infection was removed...and it only appeared in your HijackThis log after your local professional connected your Hard Disk Drive to his machine according to your statement. However, it is remarkable that your system is now "clean and running faster now". Very glad to see you are happy with its performance.
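The kdcyd.exe entry above was picked out by eye. The following script is an added example, not part of this thread and not a HijackThis feature: it parses O4 (Run key) and O23 (service) lines and applies three triage heuristics a responder typically uses when reading such a log. The sample log is constructed for the example (three of its lines are copied from the log quoted in this thread, the other two are made up), and the allow-list of "known" system32 binaries and the "random-looking name" pattern are illustrative assumptions, not published rules.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log. The first three lines are copied from the HijackThis
# output quoted in this thread; the last two are made up for the example.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcyd.exe] C:\WINDOWS\system32\kdcyd.exe
O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis line shapes: "O4 - <hive>\..\<key>: [<value name>] <command>"
# and "O23 - Service: <display name> - <company> - <image path>".
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Hypothetical allow-list (assumption for this example) of Windows binaries that
# legitimately autostart from system32 under a short all-letter name.
KNOWN_SYSTEM32 = {"ctfmon.exe", "userinit.exe", "rundll32.exe", "svchost.exe"}
# Heuristic: 4-8 lowercase letters and nothing else, like "kdcyd.exe".
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,8}\.exe$")


def executable_of(cmd: str) -> str:
    """Return the executable path from a Run-value command line."""
    cmd = cmd.strip()
    quoted = re.match(r'^"([^"]*)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"^(.*?\.exe)", cmd, re.IGNORECASE)
    return unquoted.group(1) if unquoted else cmd.split(" ")[0]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 or O23 line into a dict; other line types return None."""
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", "name": m["name"], "owner": "",
                "exe": executable_of(m["cmd"]), "line": line}
    m = O23_RE.match(line)
    if m:
        return {"kind": "O23", "name": m["name"], "owner": m["owner"],
                "exe": m["path"].strip(), "line": line}
    return None


def reasons_for(entry: Dict[str, str]) -> List[str]:
    """Apply the triage heuristics to one parsed entry."""
    reasons: List[str] = []
    exe = entry["exe"]
    folder, _, base = exe.rpartition("\\")
    base = base.lower()
    in_system32 = folder.lower().endswith("\\system32")
    # 1. Malware-written Run values often carry the file path as their name.
    if entry["kind"] == "O4" and entry["name"].lower() == exe.lower():
        reasons.append("Run value named after its own path (no product name)")
    # 2. Short random-looking file dropped straight into system32.
    if in_system32 and RANDOM_NAME_RE.match(base) and base not in KNOWN_SYSTEM32:
        reasons.append("short random-looking executable name in system32")
    # 3. Service binary with no company string: not proof of anything, but verify it.
    if entry["owner"].lower() == "unknown owner":
        reasons.append("service has no company/owner string; verify the file")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged executable path to the heuristics it tripped."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            findings[entry["exe"]] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path)
        for r in why:
            print("   -", r)
```

Run against the sample, kdcyd.exe trips the first two heuristics and the "ATI Smart" service trips only the third, which is the right ranking: an unnamed Run value pointing at a random file in system32 is the thing to pull for analysis, while "Unknown owner" on an otherwise recognisable vendor driver service is a reminder to check the file, not a verdict.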
1972vet Posted December 2, 2008 ID:37430

This issue appears resolved and the thread is closed to prevent others from posting here. Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.