
Solved Trojan found on my Room pc.

Discussion in 'Malware and Virus Removal Archive' started by Forsaken Knight, 2011/01/07.

  1. 2011/01/10
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    Joined:
    2007/12/01
    Messages:
    512
    Likes Received:
    0
    Well, the thing is, the modem for my household internet connection is on the opposite side of my house, next to the pc my grandparents use. The reason there are not two land lines, i.e. two modems in my household, one for each desktop pc, is because, well, I can't afford it. So, that is why I have not tested the physical land line connection.

    I uninstalled my version of avast, 4.8, and the connection is no better than before.
     
    Last edited: 2011/01/10
  2. 2011/01/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK, let's finish the cleaning process and see what happens.
    I suggest you install the newest Avast version, as I don't want you to be without any protection.

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     


  4. 2011/01/10
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    Results of screen317's Security Check version 0.99.7
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    avast! Free Antivirus
    ZoneAlarm
    ZoneAlarm Toolbar
    ZoneAlarm Spy Blocker
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Ad-Aware
    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    Java(TM) 6 Update 23
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 7.0
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Ad-Aware AAWService.exe
    Ad-Aware AAWTray.exe is disabled!
    Windows Defender MsMpEng.exe
    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 avastUI.exe
    Zone Labs ZoneAlarm zlclient.exe
    ``````````End of Log````````````
     
  5. 2011/01/10
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    I installed the latest free versions of both avast and ZoneAlarm just now. I have done 2/3 of your instructions thus far. I will do the third part of your instructions now.
     
  6. 2011/01/10
    broni

    broni Moderator Malware Analyst

    Uninstall:
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

    ============================================================

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
    On the installer page shown in the screenshot, make sure you have both boxes UN-checked AND (important!) click on the Decline button.
     
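    As an added example (not part of this thread, and not a tool broni used), here is a small script that does by hand-check what the instruction above does by eye: it reads a checkup.txt from Security Check, lists every Java(TM) install it finds, and returns the older ones as the exact lines to look for in Add/Remove Programs, together with the "Out of date" / "is disabled!" warnings. The sample log below is constructed from the checkup.txt posted earlier in the thread and trimmed to the relevant lines. The line format it parses is assumed from that log; newer Security Check versions may print differently.

```python
import re

# Constructed sample: the checkup.txt Security Check produced in this thread,
# trimmed to the lines the checks below care about.
SAMPLE_CHECKUP = """\
Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
Antivirus/Firewall Check:
avast! Free Antivirus
ZoneAlarm
Antivirus up to date!
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 23
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Reader 7.0
Out of date Adobe Reader installed!
Process Check:
Ad-Aware AAWTray.exe is disabled!
"""

# Assumed line format, taken from the log above: "Java(TM) <major> Update <n>"
JAVA_RE = re.compile(r"^Java\(TM\) (\d+) Update (\d+)$")
# Security Check marks problems with either of these phrases
WARN_RE = re.compile(r"(Out of date|is disabled!)")


def java_installs(text):
    """Return [(major, update, original_line)] for every JRE the log lists."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = JAVA_RE.match(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2)), line))
    return found


def stale_java(text):
    """Every JRE except the single newest one, as the Add/Remove entries to uninstall.

    Each Java update installs side by side with the previous ones, so the old
    updates stay on disk, stay registered as browser plug-ins, and stay exploitable
    until they are removed explicitly.
    """
    installs = java_installs(text)
    if not installs:
        return []
    newest = max(installs)[:2]  # tuple order: major first, then update number
    return [line for major, update, line in sorted(installs)
            if (major, update) != newest]


def warnings(text):
    """The lines Security Check itself flagged, in log order."""
    return [raw.strip() for raw in text.splitlines() if WARN_RE.search(raw)]


if __name__ == "__main__":
    print("Uninstall:", *stale_java(SAMPLE_CHECKUP), sep="\n  ")
    print("Flagged:", *warnings(SAMPLE_CHECKUP), sep="\n  ")
```

Run against the sample it prints exactly the two entries broni told the poster to uninstall (Update 5 and Update 7) and keeps Update 23. Versions are compared as (major, update) numbers, not as strings, so "Update 9" is correctly older than "Update 23".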
  7. 2011/01/10
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    I should note something.

    After I did the TFC scan, there were 42 MB of results from the initial scan. I got the message to restart my pc. I attempted to do so, but a program/window in the background called "Force Field" or something like that came up. I had the option to end the task now or cancel. This message popped up from the standard task manager message when there is a pause in the system shutdown, so that a program can finish doing what it is doing. I chose to close that window. I then clicked exit on the TFC window, when I realized it was not restarting my pc.

    I then hit the combo Ctrl+Alt+Del, and went to the File tab of the Task Manager. I then clicked on New Task, and input "C: "; this didn't bring up any new window, except a message that the path could not be found. I do this method rarely, when no windows are open and all icons on the desktop are unavailable to be clicked on. I do this method to sort of reset the desktop to its normal view. It helps to keep task manager up most of the time, because there are times that you can not open task manager, but if it is open, then you can do something. Just thought I should give this little bit of a tip that I do in order to deal with the background that doesn't come back up.

    I then ran TFC after physically disconnecting my wireless router. The scan ran quicker, with fewer megabytes to be removed, and was successful too. I relogged in to continue with the rest of the instructions.
     
  8. 2011/01/10
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    D:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application
    D:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application
    D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys Win32/Patched.BG application

    This is what the ESET online scan found.
     
    Last edited: 2011/01/10
  9. 2011/01/10
    broni

    broni Moderator Malware Analyst

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      D:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL 
      D:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL 
      D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===============================================================

    Your computer is clean :)

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please, let me know, how your computer is doing.
     
  10. 2011/01/11
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    D:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL moved successfully.
    D:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL moved successfully.
    D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Adam Arucas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56502 bytes

    User: Javier Pelligrini
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 1056888 bytes
    ->Temporary Internet Files folder emptied: 33301 bytes

    User: Nelson (Dad) Arucas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Nelson Ramon Arucas
    ->Temp folder emptied: 1867016 bytes
    ->Temporary Internet Files folder emptied: 13785277 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 427 bytes

    User: NetworkService
    ->Temp folder emptied: 1983480 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Niomi June Arucas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1048270 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 19.00 mb


    [EMPTYFLASH]

    User: Adam Arucas

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Javier Pelligrini

    User: LocalService

    User: Nelson (Dad) Arucas

    User: Nelson Ramon Arucas
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    User: Niomi June Arucas
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.20.1 log created on 01112011_012143

    Files\Folders moved on Reboot...
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temp\~DF3282.tmp moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temp\~DF3E1E.tmp moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\XXDACFWR\814395874[1].htm moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\IPHGD06I\audmeasure[1].gif moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\IPHGD06I\p-01-0VIaSjnOLg[1].gif moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\IPHGD06I\p-01-0VIaSjnOLg[2].gif moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\G6L14NN8\00b42e3a-b809-49b2-b433-cc45b2bc89d33rd_party_BBS[1].htm moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\G6L14NN8\iframescript[1].htm moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\FJN5M1LV\97229-active-trojan-found-my-room-pc-4[1].html moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\FJN5M1LV\al[1].htm moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\Content.IE5\FJN5M1LV\iframescript[1].htm moved successfully.
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
    File move failed. D:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
    File\Folder D:\WINDOWS\temp\ZLT01f5b.TMP not found!

    Registry entries deleted on Reboot...
     
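    One check worth doing on a fix like the one in the previous reply, before calling the machine clean, is to confirm that every path in the script's :Files block actually shows up as "moved successfully" in the log above, rather than as "not found!" (file already gone, or path mistyped) or as "scheduled to be moved on reboot" (must be confirmed in the post-reboot log). The script below is an added example, not part of the thread and not something OTL ships; it parses the three outcome formats seen in this log, which are assumed from it rather than from any OTL documentation. The requested paths and the log excerpt are constructed from the posts above. Note also that D:\WINDOWS\$NtUninstallKB941644$ is the rollback folder Windows XP keeps so that hotfix can be uninstalled, so the flagged tcpip.sys there is a stored backup copy; the driver actually loaded lives in system32\drivers and is worth checking separately.

```python
import re

# Constructed sample: the :Files block of the OTL fix script from this thread.
REQUESTED = [
    r"D:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL",
    r"D:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL",
    r"D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys",
]

# Constructed sample: the relevant lines of the fix log OTL produced.
SAMPLE_LOG = r"""
========== FILES ==========
D:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL moved successfully.
D:\Program Files\ZoneAlarmSB\bar\1.bin\Z4PLUGIN.DLL moved successfully.
D:\WINDOWS\$NtUninstallKB941644$\tcpip.sys moved successfully.
========== COMMANDS ==========
Files\Folders moved on Reboot...
D:\WINDOWS\temp\~DF3282.tmp moved successfully.
File move failed. D:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
File\Folder D:\WINDOWS\temp\ZLT01f5b.TMP not found!
"""

# Assumed outcome formats, taken from the log above.
PATTERNS = [
    ("moved",     re.compile(r"^(?P<p>.+?) moved successfully\.$")),
    ("deferred",  re.compile(r"^File move failed\. (?P<p>.+?) scheduled to be moved on reboot\.$")),
    ("not found", re.compile(r"^File\\Folder (?P<p>.+?) not found!$")),
]


def parse_fix_log(text):
    """Map every path OTL reported on (case-folded, as NTFS paths are) to its outcome."""
    status = {}
    for raw in text.splitlines():
        line = raw.strip()
        for outcome, rx in PATTERNS:
            m = rx.match(line)
            if m:
                status[m.group("p").lower()] = outcome
                break
    return status


def verify_fix(requested, log_text):
    """For each path in the :Files block, what the log says happened to it.

    'unreported' means OTL never mentioned the path at all (script pasted
    incompletely, or the run aborted); that file must be checked by hand.
    """
    seen = parse_fix_log(log_text)
    return {path: seen.get(path.lower(), "unreported") for path in requested}


def outstanding(requested, log_text):
    """Paths that still need attention: anything not confirmed as moved."""
    return [p for p, s in verify_fix(requested, log_text).items() if s != "moved"]


if __name__ == "__main__":
    for path, outcome in verify_fix(REQUESTED, SAMPLE_LOG).items():
        print(f"{outcome:<10} {path}")
    print("outstanding:", outstanding(REQUESTED, SAMPLE_LOG) or "none")
```

For the fix in this thread all three requested files come back "moved" and nothing is outstanding. The same functions applied to the post-reboot log tell you whether a "deferred" entry such as Webshlock.txt was finally handled.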
  11. 2011/01/11
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Adam Arucas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Javier Pelligrini
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 1060424 bytes
    ->Temporary Internet Files folder emptied: 33301 bytes

    User: Nelson (Dad) Arucas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Nelson Ramon Arucas
    ->Temp folder emptied: 1179515 bytes
    ->Temporary Internet Files folder emptied: 14082663 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 405 bytes

    User: NetworkService
    ->Temp folder emptied: 997224 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Niomi June Arucas
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 1017454 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 18.00 mb


    [EMPTYFLASH]

    User: Adam Arucas

    User: All Users

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Javier Pelligrini

    User: LocalService

    User: Nelson (Dad) Arucas

    User: Nelson Ramon Arucas
    ->Flash cache emptied: 0 bytes

    User: NetworkService

    User: Niomi June Arucas
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.20.1 log created on 01112011_015321

    Files\Folders moved on Reboot...
    D:\Documents and Settings\Nelson Ramon Arucas\Local Settings\Temp\~DF4A7A.tmp moved successfully.
    File move failed. D:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.
    File\Folder D:\WINDOWS\temp\ZLT03168.TMP not found!

    Registry entries deleted on Reboot...
     
  12. 2011/01/11
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    I did the first and second OTL scans. I skipped step 2. I'd like to know if I can hold onto the tools, like I asked in the last malware thread. I like being prepared, and the more I have in my arsenal, the better I will be in the future. There is a reason step 3 had to be skipped. I need a new CD to re-establish my Microsoft Genuine on my pc. I had trouble about a year or so ago with it, and it bugged out, and the result was that MGA can't see my pc as legit. I have to buy a new CD in order to fix that. As far as step 4, I only logged onto WindowsBBS on my room pc since I got the internet sort of working again. So, I don't think it would be too much of a deal with that. I was the only one who used my room pc at all. I did step 5. I will do steps 6 and 7 after posting this. I did step 8. I did step 9. Haven't done step 10 yet; kind of hesitant. I read that link in step 11 before. I make none of those errors in the internet searching I do. I'm cautious, so I'm baffled as to how this happened myself. I'm doing step 12 by writing all this down for this post.

    So, among the twelve, or rather thirteen, items in your latest post, I have steps 2, 3, 4, 6, 7, and 10. Will reply with what other steps, in the same post of yours or the other posts, I haven't clarified yet.
     
  13. 2011/01/11
    broni

    broni Moderator Malware Analyst

    So, do we have any current issues?
     
  14. 2011/01/11
    Forsaken Knight

    Forsaken Knight Well-Known Member Thread Starter

    Well, the Secunia PSI window closes when I try to open it up. Yesterday, it showed my system at 100%. Now today, it shows it at 91%. I try to open it up, and when the window pops up, a moment passes before the window closes. I do not know how to address this.

    Also, I'm not sure when exactly, but when I was doing the downloads, upgrades, and installs yesterday, I at some point installed an ebay icon on my pc. I would like help getting rid of it. I do not like ebay at all, and I do not know when that option was presented. When I put the mouse cursor over the icon, either the one on the desktop or the one that is in the all programs button of the start menu, I get to see a link to the following.

    http://www.adon-demand.de/red/2303

    I do not know when I chose for that icon to be installed on my pc, or if that option was ever presented. Either way, I would like help getting rid of it.

    Also, the main source of this thread. About the trojan that was found initially by my previous version of avast, that was quickly deleted. I took the following screen shot before I started this thread. I also entailed about this finding at the beginning of this thread. I would like to ask the following.

    Has this virus/trojan been found and removed by the steps you instructed me to do thus far for my room pc?

    http://img690.imageshack.us/i/82387572.jpg/

    If yes, then I can breathe a sigh of relief.

    So, basically three things: Secunia PSI, the eBay icon, and double checking the initial purpose of this thread.
     
  15. 2011/01/11
    broni

    broni Moderator Malware Analyst

    Starting with the last question...your computer is totally clean.

    eBay - it should be listed in Add\Remove; simply uninstall it; always pay attention to every screen, when installing something new and always select "custom" installation, so you can see if any garbage is trying to get on your computer.

    Secunia...I suggest a very friendly Secunia forum: http://secunia.com/community/forum/
     
  16. 2011/01/16
    broni

    broni Moderator Malware Analyst

    The issue seems to be resolved.
     
