
Solved removing TrojanDownloader:Win32/VB.ZL

Discussion in 'Malware and Virus Removal Archive' started by HopefulChild, 2009/12/12.

  1. 2009/12/15
    HopefulChild

    HopefulChild Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    55
    Likes Received:
    0
    My computer seems to be running fine lately, but then again, I do have the content advisor turned on in IE so I don't know what would happen if I took it off.

    I've done the steps outlined and here's the latest HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:27:20 AM, on 12/15/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Glary Utilities\memdefrag.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://illinoislottery.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1200
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1200
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 77.103.153.29:9090
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
    O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
    O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MBBalloon] C:\Program Files\HOTALBUMMyBOX\MBBalloon.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
    O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE556CA-C45B-4ADB-BA8E-5D28D2EB92CB}: NameServer = 64.136.173.5 64.136.164.77
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\bin32\nSvcAppFlt.exe
    O23 - Service: Google Desktop Manager 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\bin32\nSvcIp.exe
    O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

    --
    End of file - 7511 bytes
     
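The HijackThis log above has two kinds of lines: browser settings (the R lines) and autostart, hook and service entries (the O lines). The script below is an added example, not code from this thread or from HijackThis. It parses that line format and surfaces the entries that decide where the machine's traffic goes or what code is loaded at start-up: the ProxyServer value, the per-interface NameServer list, hosts-file overrides, AppInit_DLLs and Run entries that give only a bare file name. The sample lines are constructed from the log posted above, and the flagged items are things a reviewer confirms by hand, not verdicts.

```python
"""Triage helper for HijackThis-style logs (added example; not part of HijackThis)."""
import ipaddress
import re
from dataclasses import dataclass

# Matches "R1 - ...", "O4 - ...", "O23 - ..."; header and process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Constructed sample: a handful of lines taken from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP2 (WinNT 6.00.1906)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 77.103.153.29:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE556CA-C45B-4ADB-BA8E-5D28D2EB92CB}: NameServer = 64.136.173.5 64.136.164.77
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""


@dataclass
class Entry:
    code: str  # HijackThis section, e.g. "R1", "O4", "O23"
    body: str  # everything after the "Rn - " / "On - " prefix


@dataclass
class Finding:
    code: str
    reason: str
    detail: str


def parse_hjt(text: str) -> list:
    """Return the Rn/On entries of a log; header lines and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def _is_public(host: str) -> bool:
    """True only for a literal IP address outside private/loopback/link-local ranges."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # a hostname: cannot classify without resolving it
        return False


def _run_target(body: str) -> str:
    """Extract the executable from a Run entry body like '[Name] "C:\\x.exe" /arg'."""
    cmd = body.split("]", 1)[1].strip() if "]" in body else body.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(entries: list) -> list:
    """Flag entries that route traffic or load code at start-up, for manual confirmation."""
    findings = []
    for e in entries:
        if e.code == "R1" and "ProxyServer =" in e.body:
            value = e.body.split("=", 1)[1].strip()
            if value:
                where = "public address" if _is_public(value.rsplit(":", 1)[0]) else "local/private address"
                findings.append(Finding(e.code, "browser proxy configured",
                                        f"{value} ({where}); confirm the user set this deliberately"))
        elif e.code == "O17" and "NameServer =" in e.body:
            servers = e.body.split("=", 1)[1].split()
            findings.append(Finding(e.code, "DNS servers set on an interface",
                                    ", ".join(servers) + "; confirm they belong to the ISP or router"))
        elif e.code == "O1" and e.body.startswith("Hosts:"):
            names = e.body.split(":", 1)[1].split()[1:]
            if any(n != "localhost" for n in names):
                findings.append(Finding(e.code, "hosts file overrides a name", " ".join(names)))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:"):
            dlls = e.body.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding(e.code, "AppInit_DLLs loads into every user32-linked process",
                                        dlls + "; confirm the publisher"))
        elif e.code == "O4":
            exe = _run_target(e.body)
            if "\\" not in exe:  # bare name: which file runs depends on the search path
                findings.append(Finding(e.code, "Run entry uses a bare file name",
                                        f"{exe}; locate the file that actually resolves"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.code}: {f.reason} -> {f.detail}")
```

Only a literal IP address is classified as public or private; a proxy given as a hostname is reported without that classification rather than resolved, so the script stays offline and leaves that lookup to the reviewer.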
  2. 2009/12/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Make sure "word wrap" in Notepad is turned off, because the log is hard to read.


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download and install WOT (Web Of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     

  4. 2009/12/16
    HopefulChild

    HopefulChild Inactive Thread Starter

    Joined:
    2009/12/12
    Messages:
    55
    Likes Received:
    0
    Sorry for the delay. I was making sure everything was OK during the day after I took off the ratings/content advisor.
    And everything did turn out fine, so I do guess it is fixed... I thank you so much, Broni, for a job very well done.
    Now if I only could figure out how to find the "Solved" button. :)
     
  5. 2009/12/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
    In the malware section only I can mark it "Resolved", which I'm going to do right now.
    Happy surfing :)
     
