
Help with removing Trojan Horse

Discussion in 'Malware and Virus Removal Archive' started by JohnL, 2006/06/18.

  1. 2006/06/18
    JohnL

    JohnL Inactive Thread Starter

    Joined:
    2004/05/12
    Messages:
    35
    Likes Received:
    0
    I have Avast home version and just about a week ago, it kept telling me a "A Virus has been detected" - it's Win32:Zlob-BN (Trj) - each time it happens, I am told by Avast to move it to the Chest.

    It has now happened numerous times - I have updated XoftSpySE and run it several times, but it doesn't seem to remove it.

    Does anyone have a suggestion please?
    :mad:
     
  2. 2006/06/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Hi John :)

    Please download the trial version of Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu ". Once installed please update it by clicking on the Update button. Do not run it yet.

    Please download HijackThis through Quicklinks in my signature and save it to a folder on your hard drive, say C:\HJT - not to the Desktop or a temporary location. When entries are fixed with HJT a backup is made to the folder from which HJT is run and this must be in a permanent location.

    Please download SmitfraudFix and unzip the contents to a folder on your Desktop.

    Open the SmitfraudFix folder and double click on Smitfraudfix.cmd

    If a Security Warning pops up hit the Run button

    A command window appears > press any key to continue

    On the line with the flashing cursor 'Enter your choice (1.2 ....)' type 1 and press Enter

    The program scans your system and when the scan has completed a Notepad window opens containing the scan report - a copy of this file is saved as C:\rapport.txt.

    Boot into Safe Mode and log onto your usual account.
    Run Ewido ....

    Click on Scanner and select a 'Complete System Scan'.
    If anything is found during scanning you will be prompted to clean the files.
    Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" and then click on OK

    Once the scan has completed save the report to a known location.

    Stay in Safe mode ....

    Open the folder in which you placed HJT and double click on hijackthis.exe and select Scan and save a log file - this will be saved in the folder from which you ran HJT.

    Reboot into Normal mode and post the log here together with the Ewido log and the SmitfraudFix C:\rapport.txt
     


  4. 2006/06/19
    JohnL

    JohnL Inactive Thread Starter

    Joined:
    2004/05/12
    Messages:
    35
    Likes Received:
    0
    Pete - thanks for your comprehensive instructions, which, not being of a technical mind, I performed with some trepidation!

    The reports are as follows:

    SmitFraudFix v2.62

    Scan done at 10:25:33.59, 20/06/2006
    Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ld????.tmp FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !
    C:\WINDOWS\system32\1024\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1

    C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"

    [HKEY_CLASSES_ROOT\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ......................................................................................................

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:08:56, 20/06/2006
    + Report-Checksum: 26F21B95

    + Scan result:

    C:\Documents and Settings\User\Cookies\user@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\User\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\User\Cookies\user@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\User\Cookies\user@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\G9MJ4TUB\gdnFR2218[1].exe -> Downloader.Small.cxq : Cleaned with backup
    C:\Program Files\Media-Codec -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld3C13.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld6BE3.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\1024\ld78F3.tmp -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\system32\ld101.tmp -> Downloader.Zlob.sz : Cleaned with backup
    C:\WINDOWS\system32\regperf.exe -> Downloader.Zlob.sz : Cleaned with backup


    ::Report End

    ....................................................................................................

    Now what please?

    JohnL
     
  5. 2006/06/19
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Hi John

    That's fine ....

    Ewido has cleaned up a few trojans and SmitfraudFix has found some other nasties too!

    You did not complete my instructions :( - I see no HJT log. Not to worry I shall need to see a fresh log after we have cleaned up a few things ....

    You may like to print out these instructions as you will be unable to connect to the Internet to read them while in Safe Mode.

    Boot into Safe Mode and log onto your usual account.
    In Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process - a copy of this file is saved as C:\rapport.txt.

    Stay or reboot into Safe mode ....

    Open the folder in which you placed HJT and double click on hijackthis.exe and select Scan and save a log file - this will be saved in the folder from which you ran HJT.

    Reboot into Normal Mode and post the contents of the SmitfraudFix log located at C:\rapport.txt and the HJT log into this thread.
     
  6. 2006/06/20
    JohnL

    JohnL Inactive Thread Starter

    Joined:
    2004/05/12
    Messages:
    35
    Likes Received:
    0
    Thanks Pete -

    results of the scans are as follows:

    SmitFraudFix v2.62

    Scan done at 15:37:21.45, 20/06/2006
    Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"

    [HKEY_CLASSES_ROOT\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\DOCUME~1\User\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ....................................................................................................

    Logfile of HijackThis v1.99.1
    Scan saved at 15:44:20, on 20/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HJT.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {000D7DCF-EF16-4431-4E0E-0F072DDF5711} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {0260882B-CBB4-4900-4BA4-16E51650FF79} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {05DC0EA9-115A-1022-4D59-40E0413DD10B} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {077D3A8C-73B5-6531-A259-1FF96D4D4E27} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {0900CCF4-BA96-5D2A-4F0C-120D0AB0F95C} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {0FBDAA69-5485-722C-675D-50FB61F19F51} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {10AFC518-5766-4861-D63F-27750547E01B} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {16F276A0-905C-14CA-B13E-1E226861AAF3} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {1A6CBE62-49FF-39E6-BD30-56B865C67990} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {1F9EA328-7002-7174-CA68-6A0F4E2EC176} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {1FD16590-4EC8-2A48-CD1B-270D05D63200} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {20CB6939-2CC1-0931-982A-4B7726C04D9B} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {221825A3-2A4C-5C60-3F13-649C6C52795F} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2901245A-5EF0-61FF-A5B4-33E70894CD92} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {29283720-FE93-1971-892A-1F8A081B0737} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2C0DE3AF-39F7-6093-1499-11D91EA5400D} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2C137F73-A2A4-0325-9E5D-64880F8151BE} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2C16AA6D-318E-428A-EEC6-1F911F6BA4E7} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2EDB5EA3-2B9E-4ADA-AAD3-70B24B402E25} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {304DEB1B-2038-0CEC-2124-1785007449DC} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {310844A3-B1EE-17CC-93DF-5CAB75BF16A4} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {34C27CF0-A7EC-470F-DAC4-744208974269} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {36B62F7E-F813-156C-C963-02457E54720A} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {3A5808B9-FD1A-6660-3709-6C6F1DC2D75D} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {3EB71DCF-6D94-2FFA-497E-4A296FFD3C59} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {44526176-6C22-20E3-2960-1791255B81E0} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4507D294-A43D-5D5B-C087-68A4792F37BD} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {462E935A-D756-57AD-3E5F-79B2732D2B86} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {49BC81E4-D334-65A3-F62E-52EA40739EB9} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4E66304D-CC4E-411D-5F02-46A34C552097} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4EDCB80A-B3E3-688C-D8AF-5B8C311080DF} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4EDEA501-F08D-5ABA-1337-1BAC5DF7D95D} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {50575317-52ED-04CB-BC6B-13B97F1D6650} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {5066D0BB-AC22-2214-33AF-514F6A56F0C3} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {572BC33F-0648-5DE1-D59B-04051AAFEA5F} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {583C5398-04FD-7B8F-9E5C-06787B5C7408} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {59982E6E-C6A5-6411-A328-3E3C598604E1} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {5B7713B8-94BC-4296-9A82-1C8C3D54FA06} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {5C766E9E-1482-1B50-F948-19E7538954C1} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {66736640-C4EE-0E11-1E41-7B2D7AABB02A} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {677B2AE0-EFE2-3010-ED10-7FB76C3515AC} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {67BDD50B-AB87-0065-4B72-03F211E0F281} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {6B31C26E-8466-5E77-85D2-1DA744EF9AAD} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {72EDB55C-E6C5-7D8A-930E-47397D5360F3} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {76945234-5CEB-1D78-D81C-64A41FCA89C0} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {77A21385-44AC-5851-5D65-5411140DE8BB} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {791F5807-8279-547D-F2E8-301F2F2FFB31} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {7A0400EC-C2C5-50DA-DFB4-6C284584E904} - http://85.255.113.214/1/gdnFR2218.exe
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    ....................................................................................................

    Also to say that since I did the first scans as instructed, the Trojan Horse message from AVAST hasn't appeared at all!

    Thanks for all your help!
    John
     
  7. 2006/06/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Nearly there, John ....

    Scan again with HJT (select scan only) and place a checkmark against these entries and then click on Fix selected ....

    O16 - DPF: {000D7DCF-EF16-4431-4E0E-0F072DDF5711} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {0260882B-CBB4-4900-4BA4-16E51650FF79} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {05DC0EA9-115A-1022-4D59-40E0413DD10B} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {077D3A8C-73B5-6531-A259-1FF96D4D4E27} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {0900CCF4-BA96-5D2A-4F0C-120D0AB0F95C} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {0FBDAA69-5485-722C-675D-50FB61F19F51} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {10AFC518-5766-4861-D63F-27750547E01B} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {16F276A0-905C-14CA-B13E-1E226861AAF3} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {1A6CBE62-49FF-39E6-BD30-56B865C67990} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {1F9EA328-7002-7174-CA68-6A0F4E2EC176} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {1FD16590-4EC8-2A48-CD1B-270D05D63200} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {20CB6939-2CC1-0931-982A-4B7726C04D9B} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {221825A3-2A4C-5C60-3F13-649C6C52795F} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2901245A-5EF0-61FF-A5B4-33E70894CD92} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {29283720-FE93-1971-892A-1F8A081B0737} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2C0DE3AF-39F7-6093-1499-11D91EA5400D} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2C137F73-A2A4-0325-9E5D-64880F8151BE} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2C16AA6D-318E-428A-EEC6-1F911F6BA4E7} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {2EDB5EA3-2B9E-4ADA-AAD3-70B24B402E25} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {304DEB1B-2038-0CEC-2124-1785007449DC} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {310844A3-B1EE-17CC-93DF-5CAB75BF16A4} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {34C27CF0-A7EC-470F-DAC4-744208974269} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {36B62F7E-F813-156C-C963-02457E54720A} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {3A5808B9-FD1A-6660-3709-6C6F1DC2D75D} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {3EB71DCF-6D94-2FFA-497E-4A296FFD3C59} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {44526176-6C22-20E3-2960-1791255B81E0} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4507D294-A43D-5D5B-C087-68A4792F37BD} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {462E935A-D756-57AD-3E5F-79B2732D2B86} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {49BC81E4-D334-65A3-F62E-52EA40739EB9} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4E66304D-CC4E-411D-5F02-46A34C552097} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4EDCB80A-B3E3-688C-D8AF-5B8C311080DF} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {4EDEA501-F08D-5ABA-1337-1BAC5DF7D95D} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {50575317-52ED-04CB-BC6B-13B97F1D6650} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {5066D0BB-AC22-2214-33AF-514F6A56F0C3} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {572BC33F-0648-5DE1-D59B-04051AAFEA5F} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {583C5398-04FD-7B8F-9E5C-06787B5C7408} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {59982E6E-C6A5-6411-A328-3E3C598604E1} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {5B7713B8-94BC-4296-9A82-1C8C3D54FA06} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {5C766E9E-1482-1B50-F948-19E7538954C1} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {66736640-C4EE-0E11-1E41-7B2D7AABB02A} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {677B2AE0-EFE2-3010-ED10-7FB76C3515AC} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {67BDD50B-AB87-0065-4B72-03F211E0F281} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {6B31C26E-8466-5E77-85D2-1DA744EF9AAD} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {72EDB55C-E6C5-7D8A-930E-47397D5360F3} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {76945234-5CEB-1D78-D81C-64A41FCA89C0} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {77A21385-44AC-5851-5D65-5411140DE8BB} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {791F5807-8279-547D-F2E8-301F2F2FFB31} - http://85.255.113.214/1/gdnFR2218.exe
    O16 - DPF: {7A0400EC-C2C5-50DA-DFB4-6C284584E904} - http://85.255.113.214/1/gdnFR2218.exe

    Reboot, scan again with HJT and post the log here.
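As an added example that is not part of the thread and not HijackThis's own code, here is a small Python triage of the O16 (Download Program Files) entries in a log like the one above. It applies the pattern PeteC acts on: many distinct CLSIDs all fetching one .exe from a bare-IP URL. The sample log lines, the thresholds, the extension list and the updates.example.com entry are constructed for this example.

```python
"""Triage O16 (Download Program Files / ActiveX) entries in a HijackThis log.

Added example, not from the forum post or the HijackThis project. It applies
the reasoning in the thread above (many distinct CLSIDs all fetching one
executable from a bare-IP URL) to constructed sample log lines.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: three O16 lines in the format of the log above, two
# benign entries from the same log format, and one benign O16 entry (the
# updates.example.com line and its CLSID are made up for this example).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {000D7DCF-EF16-4431-4E0E-0F072DDF5711} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0260882B-CBB4-4900-4BA4-16E51650FF79} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {05DC0EA9-115A-1022-4D59-40E0413DD10B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {00000000-0000-4000-8000-000000000001} (Example Viewer) - http://updates.example.com/viewer/viewer.cab
"""

O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"   # the ActiveX class id
    r"(?: \((?P<name>[^)]*)\))?"                      # optional friendly name
    r" - (?P<url>\S+)\s*$"                            # download location
)

# Package types normally seen in legitimate Download Program Files entries
# (assumed list for this example).
EXPECTED_DPF_EXTENSIONS = (".cab", ".ocx", ".dll", ".inf")
# Distinct CLSIDs pointing at one URL before it counts as the "rotating
# CLSID" pattern in the thread above (assumed threshold).
CLSID_ROTATION_THRESHOLD = 3


def parse_o16(log_text):
    """Return (clsid, url, original_line) for every O16 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append((m.group("clsid").upper(), m.group("url"), line.rstrip()))
    return entries


def is_ip_literal(host):
    """True when the download host is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_o16(log_text):
    """Group O16 entries by URL and attach the reasons a URL looks suspicious.

    Returns {url: {"clsids": [...], "lines": [...], "reasons": [...]}};
    "reasons" is empty for URLs that trip none of the heuristics.
    """
    by_url = defaultdict(lambda: {"clsids": [], "lines": [], "reasons": []})
    for clsid, url, line in parse_o16(log_text):
        by_url[url]["clsids"].append(clsid)
        by_url[url]["lines"].append(line)
    for url, info in by_url.items():
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if is_ip_literal(host):
            info["reasons"].append("download host is a bare IP address")
        if not parsed.path.lower().endswith(EXPECTED_DPF_EXTENSIONS):
            info["reasons"].append("target is not a .cab/.ocx/.dll/.inf package")
        distinct = len(set(info["clsids"]))
        if distinct >= CLSID_ROTATION_THRESHOLD:
            info["reasons"].append(f"{distinct} distinct CLSIDs fetch the same file")
    return dict(by_url)


def lines_to_fix(log_text):
    """The O16 lines a helper would ask the user to tick under 'Fix selected'."""
    fix = []
    for info in triage_o16(log_text).values():
        if info["reasons"]:
            fix.extend(info["lines"])
    return fix


if __name__ == "__main__":
    for url, info in triage_o16(SAMPLE_LOG).items():
        verdict = "; ".join(info["reasons"]) or "no heuristic tripped"
        print(f"{url}\n  CLSIDs: {len(info['clsids'])}\n  {verdict}")
```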
     
  8. 2006/06/21
    JohnL

    JohnL Inactive Thread Starter

    Joined:
    2004/05/12
    Messages:
    35
    Likes Received:
    0
    Morning Pete -
    Have done as instructed - here is the scan report:

    Logfile of HijackThis v1.99.1
    Scan saved at 09:58:12, on 21/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\SPAMfighter\SFAgent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\LVComS.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\Logitech\Video\FxSvr2.exe
    C:\Program Files\HJT.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     
  9. 2006/06/21
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Morning John :)

    Your log is clean - you're 'good to go'.

    Turn off System Restore, reboot and turn it back on again. Some of your restore points will be inevitably infected - turning off System Restore will delete all the restore points.

    Any remaining problems?

    You might like to read this ....

    Keep your Computer free from Viruses, Trojans, Spyware and other Malware
     
  10. 2006/06/21
    JohnL

    JohnL Inactive Thread Starter

    Joined:
    2004/05/12
    Messages:
    35
    Likes Received:
    0
    Thanks a million Peter!
    :) :) :)
     
  11. 2006/06/21
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    A pleasure, John :)
     
