Solved

How to remove trojan.ZOB from computer

Posted on 2007-12-02
19
2,008 Views
Last Modified: 2013-11-22
I did something very stupid. I thought my Toshiba laptop was protected. It has XP Home and 2 GB of RAM. It has all updated Norton virus protection and SpySweeper. I had the not so bright idea of attaching an infected hard drive via a USB cable in an enclosure to clean this hard drive and then put it back into another computer from whence it came. Unfortunately, there must be some undetectable exe file which generates infected zob files which is now on my laptop. My virus protection catches them, but it is almost like a DoS attack because the messages of detection and capture are continual and I cannot use the computer. I have scanned it twice with Norton and SpySweeper. They catch the files, but not the exe file that seems to be generating them. I took my laptop off the network and disabled file recovery. Norton just says to run a Norton scan. That really is not good enough. I went into the registry and could not find anything that I recognized as suspicious. Help!!
Question by:cpsimon
19 Comments
 
LVL 4

Expert Comment

by:scottdorsey
If you read what Norton says, it also tells you how to remove it from the registry, which will be enough to stop it working.

3 things to try:

1) Windows system restore if it's turned on.

2) Removal tool:

http://www.zlob-removal.com.removal-instructions.com/removezlob.html

3) Manual removal:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99

 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 100 total points
Sounds like Smitfraud to me.

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Also, when done running this tool it would be advised to clean up temp files, cookies, etc. and to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it I would recommend running the scan in Safe Mode.

Use ATFCleaner to clean up temp files, etc.
http://www.atribune.org/ccount/click.php?id=1

AVG AS link:
http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=asf

 

 
LVL 47

Expert Comment

by:rpggamergirl
If problem persists, also run Combofix.

Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com  or attach as code snippet for us to check please.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
 

Author Comment

by:cpsimon
I have spent the entire day trying to get rid of this. Norton is useless. It detects the files after they have been written to the Temp file and then deletes them. It does not block them from getting on. I have run AVG, Norton and SpySweeper. I also did it in Safe Mode. SmitfraudFix.exe did not fix it. I have now run ComboFix and uploaded the log file to EE-Stuff. I do not know how to put my name on it. There was no question ID. It was a log.txt file. How will you know it pertains to my question? I have therefore attached it as a code snippet. When I am in Safe Mode, I just delete the files in temp, and quarantine in both SpySweeper and Norton. It does not create any new files until I go into normal mode. Please help. Thanks.
ComboFix 07-12-02.7 - Claudia 2007-12-02 23:25:00.1 - NTFSx86

Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.431 [GMT -5:00]

Running from: C:\Documents and Settings\Claudia\Desktop\ComboFix.exe

 * Created a new restore point

.
 

(((((((((((((((((((((((((   Files Created from 2007-11-03 to 2007-12-03  )))))))))))))))))))))))))))))))

.
 

2007-12-02 20:08 . 2007-12-02 20:09	7,102	--a------	C:\WINDOWS\system32\tmp.reg

2007-12-02 19:42 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe

2007-12-02 19:42 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe

2007-12-02 19:42 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe

2007-12-02 19:42 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe

2007-12-02 19:42 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe

2007-12-02 18:44 . 2007-12-02 18:44	2	--a------	C:\WINDOWS\msoffice.ini

2007-12-02 18:34 . 2007-12-02 19:33	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\U3

2007-12-02 18:26 . 2007-12-02 18:26	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft

2007-12-02 17:59 . 2007-12-02 17:59	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\Grisoft

2007-12-02 17:56 . 2007-05-30 07:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-12-02 17:55 . 2007-12-02 17:55	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft

2007-12-02 16:51 . 2007-12-02 16:51	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Webroot

2007-12-02 16:41 . 2007-12-02 16:41	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Zeon

2007-12-02 16:30 . 2007-12-02 16:30	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Ipswitch

2007-11-30 12:28 . 2007-11-30 12:28	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\Yahoo!

2007-11-30 12:28 . 2007-11-30 12:28	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\Yahoo!

2007-11-30 12:28 . 2007-11-30 12:28	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

2007-11-30 12:20 . 2007-11-30 12:20	<DIR>	d--------	C:\Program Files\Common Files\Scanner

2007-11-30 12:20 . 2007-11-30 12:20	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\Logitech

2007-11-30 12:19 . 2007-11-30 12:19	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf

2007-11-30 12:18 . 2007-11-30 12:18	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2007-11-30 12:16 . 2007-04-11 15:33	1,419,024	--a------	C:\WINDOWS\system32\WdfCoInstaller01005.dll

2007-11-30 12:16 . 2007-04-11 15:32	56,080	--a------	C:\WINDOWS\KHALMNPR.Exe

2007-11-30 12:16 . 2007-04-11 15:32	36,112	--a------	C:\WINDOWS\system32\drivers\LMouFilt.Sys

2007-11-30 12:16 . 2007-04-11 15:32	34,832	--a------	C:\WINDOWS\system32\drivers\LHidFilt.Sys

2007-11-30 12:15 . 2007-04-23 04:00	163,840	--a------	C:\WINDOWS\system32\kemutb.dll

2007-11-30 12:15 . 2007-04-23 04:00	135,168	--a------	C:\WINDOWS\system32\KemUtil.dll

2007-11-30 12:15 . 2007-04-23 04:00	110,592	--a------	C:\WINDOWS\system32\KemWnd.dll

2007-11-30 12:15 . 2007-04-23 04:00	69,632	--a------	C:\WINDOWS\system32\KemXML.dll

2007-11-28 23:53 . 2007-11-29 00:42	36,352	--a------	C:\joleeA 10.doc

2007-11-22 01:32 . 2007-10-11 20:57	195,096	--a------	C:\WINDOWS\system32\lvci1150.dll

2007-11-22 01:31 . 2007-10-11 21:00	41,752	--a------	C:\WINDOWS\system32\drivers\LVUSBSta.sys

2007-11-22 01:31 . 2007-11-29 21:21	0	--a------	C:\WINDOWS\system32\drivers\logiflt.iad

2007-11-22 01:18 . 2007-12-02 17:54	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\skypePM

2007-11-22 01:18 . 2007-11-22 01:18	32	--a------	C:\Documents and Settings\All Users\Application Data\ezsid.dat

2007-11-22 01:16 . 2007-11-22 01:16	<DIR>	d--------	C:\Program Files\Common Files\Skype

2007-11-20 01:47 . 2007-11-20 01:47	54,156	--ah-----	C:\WINDOWS\QTFont.qfn

2007-11-20 01:47 . 2007-11-20 01:47	1,409	--a------	C:\WINDOWS\QTFont.for

2007-11-11 22:28 . 2001-08-10 07:00	1,262,956	---------	C:\WINDOWS\system32\XMNT2001.EXE

2007-11-11 22:27 . 2007-11-11 22:40	<DIR>	d--------	C:\Program Files\PowerQuest

2007-11-11 10:31 . 2007-11-11 10:38	<DIR>	d--------	C:\Symantec Ghost Installer
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-12-03 04:48	---------	d-----w	C:\Program Files\Symantec AntiVirus

2007-12-03 04:33	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\Skype

2007-12-03 00:36	---------	d-----w	C:\Program Files\Pure Networks

2007-12-03 00:36	---------	d-----w	C:\Program Files\Common Files\AOL

2007-12-02 23:46	---------	d-----w	C:\Program Files\Toshiba Games

2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\Mickey\Application Data\AOL

2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\AOL

2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL

2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\AOL

2007-11-30 17:20	---------	d-----w	C:\Program Files\Yahoo!

2007-11-30 17:16	---------	d-----w	C:\Program Files\Common Files\Logitech

2007-11-30 17:15	---------	d--h--w	C:\Program Files\InstallShield Installation Information

2007-11-30 17:15	---------	d-----w	C:\Program Files\Logitech

2007-11-30 17:15	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Logitech

2007-11-30 02:21	0	----a-w	C:\WINDOWS\system32\drivers\lvuvc.hs

2007-11-26 07:18	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\U3

2007-11-22 06:33	---------	d-----w	C:\Program Files\Common Files\LogiShrd

2007-11-22 06:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\LogiShrd

2007-11-22 06:16	---------	d-----w	C:\Program Files\Skype

2007-11-22 06:16	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Skype

2007-11-20 01:14	---------	d-----w	C:\Program Files\Palm

2007-11-15 07:16	---------	d-----w	C:\Program Files\Mozilla Thunderbird

2007-11-11 16:04	---------	d-----w	C:\Program Files\Common Files\Symantec Shared

2007-11-11 16:01	---------	d-----w	C:\Program Files\Symantec

2007-11-11 16:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec

2007-10-29 18:15	---------	d-----w	C:\Program Files\MSECache

2007-10-28 18:19	---------	d-----w	C:\Program Files\Filao

2007-10-25 19:44	3,034	----a-w	C:\Documents and Settings\Claudia\Application Data\SAS7_000.DAT

2007-10-23 03:28	164	----a-w	C:\install.dat

2007-10-19 18:16	2,109,976	----a-w	C:\WINDOWS\system32\drivers\Lvckap.sys

2007-10-16 01:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ScanSoft

2007-10-16 01:39	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\ScanSoft

2007-10-12 02:01	23,832	----a-w	C:\WINDOWS\system32\drivers\lvuvcflt.sys

2007-10-12 02:00	3,647,384	----a-w	C:\WINDOWS\system32\drivers\lvuvc.sys

2007-10-12 01:59	1,920,920	----a-w	C:\WINDOWS\system32\drivers\lvpopflt.sys

2007-10-11 23:59	25,624	----a-w	C:\WINDOWS\system32\drivers\LVPr2Mon.sys

2007-10-11 23:59	2,142,488	----a-w	C:\WINDOWS\system32\drivers\LVMVdrv.sys

2007-10-11 12:25	---------	d-----w	C:\Program Files\PAL

2007-10-07 23:31	---------	d-----w	C:\Program Files\Microsoft Works

2007-10-07 23:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help

2007-10-01 20:40	1,526,072	----a-w	C:\WINDOWS\WRSetup.dll

2007-06-22 20:32	563,712	----a-w	C:\Documents and Settings\Claudia\gotomypc_370.exe

2002-07-26 22:02	153,088	----a-w	C:\Program Files\UNWISE.EXE

.
 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48]

"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-31 22:23]

"LogitechSetup"="D:\setup.exe" []

"OpAgent"="OpAgent.exe" []

"LaCie Backup"="C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe" [2006-01-24 08:55]

"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" []
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]

"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2005-12-22 00:29]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]

"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 17:02]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 03:34]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 03:32]

"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-18 06:37]

"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 09:29 C:\WINDOWS\agrsmmsg.exe]

"NDSTray.exe"="NDSTray.exe" []

"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]

"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]

"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []

"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 14:37]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 13:41]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 15:15]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 15:15]

"PDF4 Registry Controller"="C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-22 18:09]

"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]

"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 11:01]

"USB2Check"="RUNDLL32.exe" [2004-08-10 07:00 C:\WINDOWS\system32\rundll32.exe]

"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]

"ScanSoft OmniPage 16-reminder"="C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 08:50]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-11 12:01]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-11 11:58]

"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2006-11-16 10:01]

"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2006-06-15 01:40]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 15:40]
 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-09 19:36:06]

DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2007-02-01 23:01:13]

HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]

Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-31 22:23:37]

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-30 12:15:48]

Metamail Trust Manager.lnk - C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2006-03-09 22:23:11]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"= 0 (0x0)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

psqlpwd.dll 2005-12-22 00:42 40448 C:\WINDOWS\system32\psqlpwd.dll
 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ-290_ZQ-290II Synchronization Software.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OZ-290_ZQ-290II Synchronization Software.lnk

backup=C:\WINDOWS\pss\OZ-290_ZQ-290II Synchronization Software.lnkCommon Startup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]

			CFSServ.exe -NoClient

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-10-06 08:20	122940	--a------	C:\WINDOWS\system32\dla\DLACTRLW.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]

			C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe -r C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]

			C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2007-05-26 11:45	257088	--a------	C:\Program Files\iTunes\iTunesHelper.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]

			KHALMNPR.EXE

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]

			C:\Program Files\Logitech\Video\CameraAssistant.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

			C:\Program Files\Messenger\msmsgs.exe /background

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 09:50	155648	--a------	C:\WINDOWS\system32\NeroCheck.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGTray]

2007-04-19 21:01	181896	--a------	C:\Program Files\Symantec\Ghost\ngtray.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpAgent]

			C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe /agent

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpScheduler]

			C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15]

			C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

2006-12-11 19:36	366400	--a------	C:\Program Files\Picasa2\PicasaMediaDetector.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]

			c:\toshiba\ivp\ism\pinger.exe /run

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]

			C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

			C:\Program Files\QuickTime\qttask.exe -atboottime

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

			C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]

2005-04-26 19:13	122880	--a------	C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

			C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]

			TFncKy.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]

2004-12-30 03:32	65536	--a------	C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

			

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]

2006-06-01 02:37	196608	--a------	C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe
 

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS

R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys

R2 FdRedir;FdRedir;\??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys

R2 FileDisk2;FileDisk Protector Kernel Driver;\??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys

R2 smihlp;SMI helper driver;\??\C:\Program Files\Protector Suite QL\smihlp.sys

R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys

S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys

S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\LaunchU3.exe -a
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\LaunchU3.exe
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46c35522-aafb-11db-9a7e-00038a000015}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{658a3334-9337-11dc-9b50-00038a000015}]

\Shell\AutoRun\command - H:\LaunchU3.exe -a
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd4cfb3d-1552-11db-99c9-00038a000015}]

\Shell\AutoRun\command - E:\LaunchU3.exe
 

.

Contents of the 'Scheduled Tasks' folder

"2007-11-26 19:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

"2006-06-19 16:37:48 C:\WINDOWS\Tasks\Registration reminder 1.job"

- C:\WINDOWS\system32\OOBE\oobebaln.exe

"2006-06-19 16:37:49 C:\WINDOWS\Tasks\Registration reminder 2.job"

- C:\WINDOWS\system32\OOBE\oobebaln.exe

.

**************************************************************************
 

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-12-02 23:51:26

Windows 5.1.2600 Service Pack 2 NTFS
 

scanning hidden processes ... 
 

scanning hidden autostart entries ...
 

scanning hidden files ... 
 

scan completed successfully 

hidden files: 0 
 

**************************************************************************

.

Completion time: 2007-12-02 23:56:44 - machine was rebooted

.

	--- E O F ---

 

Author Comment

by:cpsimon
Help. See comment above.
 
LVL 5

Expert Comment

by:ina_don
Hi there! How proficient are you with computers? The quickest way out of these troublesome infections is if you can create a BartPE [http://www.nu2.nu/pebuilder/] or any of the available bootable CDs (online) which allow you to add virus removal and spyware removal tools. That way, the spyware or antivirus will not be running when you attempt to clean the machine, and it presents less trouble. The things that you might want to add to the BartPE CD for your purposes are the SuperDAT for McAfee and the Ad-Aware spyware remover.

Also use the file browser to remove any autorun.* files from your C: drive and, if the registry is not cleaned, use the remote registry tool to load your PC's registry to clear the registry locations as advised on the Norton/Symantec website.

If you need more help let me know.
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 200 total points
Thanks for the logfile. Sorry, it's not always easy to upload files at EE-Stuff.com; yes, you do need to put the link to your question.
Anyway, it's easier attaching the log as a code snippet.


I can't see Smitfraud or any obvious nasties showing in the ComboFix log unless I missed them. Other experts might see what I missed.


You might like to try free SUPERAntispyware, it also removes zlob trojans.

1.  Download and install Superantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Load Superantispyware and click the "check for updates" button.
Once the update is finished, close SuperAntispyware again, and boot to Safe Mode to scan your pc.


* In Safe Mode, Start Superantispyware.
Click the "scan your computer" button.
Check "Perform Complete Scan" and then next.
SUPERAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.


2.  Another scanner you could also try.
Download and install DrWebCureit to your desktop.
(either links)
http://download.drweb.com/drweb+cureit/
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done"
Click on the green screwdriver.
Actions Tab - Adware-Dialers-Riskware-Hacktools, use the dropdown menu and select Delete.
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
 
LVL 20

Expert Comment

by:IndiGenus
The only thing I see is this...
C:\WINDOWS\system32\drivers\lvuvc.hs

Not sure what it is. Have seen many experts fix it without harm. You could try renaming it. Just change the file extension to something like .old or something. Very strange looking for a driver file anyway?

I would definitely concur with rpg on running both those scanners also. Good luck,
Dave
 
LVL 47

Expert Comment

by:rpggamergirl
C:\WINDOWS\system32\drivers\lvuvc.hs
yes, a lot of experts are deleting that file but I can't find any info on it.
It also looks like it might belong to logitech.

Try right-clicking on that file and check the info on the properties,
or have it scanned at http://virusscan.jotti.org/
or just rename that file (add a different extension) to disable its function; you could always revert it back.
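Reading a ComboFix log by eye, as the replies above do, is slow and easy to get wrong. The following is an added example (my own code, not ComboFix's and not posted by anyone in this thread) that parses the log's three line formats, the file listings, the "Reg Loading Points" Run entries and the mountpoints2 AutoRun commands, and flags the same kinds of item the replies single out, such as a non-.sys file under system32\drivers. The rule names and the Temp path in the sample are my own assumptions; the other sample lines are copied from the posted log.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread, not ComboFix's own code. It parses the line
formats seen in the posted log (file listings, "Reg Loading Points" Run
entries and mountpoints2 AutoRun commands) and returns the items a reviewer
would look at first. The rules encode the thread's reading of the log (a
non-.sys file in the driver directory looks odd, unresolved Run entries and
AutoRun commands deserve a look); they yield candidates to verify, not
verdicts.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in the ComboFix format. Fields are tab-separated in the
# real log; the parser also accepts runs of spaces. Paths are copied from the
# thread except the Temp entry, which is made up for illustration.
SAMPLE_LOG = r"""
2007-12-02 20:08 . 2007-12-02 20:09	7,102	--a------	C:\WINDOWS\system32\tmp.reg
2007-12-02 19:05 . 2007-12-02 19:05	12,288	--a------	C:\Documents and Settings\Claudia\Local Settings\Temp\dropped_sample.exe
2007-11-28 23:53 . 2007-11-29 00:42	36,352	--a------	C:\joleeA 10.doc
2007-11-30 02:21	0	----a-w	C:\WINDOWS\system32\drivers\lvuvc.hs
2007-10-12 02:00	3,647,384	----a-w	C:\WINDOWS\system32\drivers\lvuvc.sys
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48]
"OpAgent"="OpAgent.exe" []
"LogitechSetup"="D:\setup.exe" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""

# "created . modified  size  attrs  path" (Files Created) or "modified  size  attrs  path" (Find3M)
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?\s+"
    r"(?P<size><DIR>|[\d,]+|-+)\s+(?P<attrs>[-\w]+)\s+(?P<path>\S.*)$"
)
# "Name"="value" [file stamp]; the brackets are empty when ComboFix recorded no file data
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$')
# mountpoints2 entry remembering a removable drive's AutoRun command
AUTORUN = re.compile(r"^\\Shell\\AutoRun\\command - (?P<command>.+)$")

DRIVER_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)
ABSOLUTE_PATH = re.compile(r"^[A-Za-z]:\\")
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass(frozen=True)
class Finding:
    kind: str    # short rule id (my own naming)
    item: str    # path, Run value name or AutoRun command
    reason: str  # what the reviewer should verify


def check_file(path: str) -> list[Finding]:
    """Rules for one file-listing line."""
    found = []
    ext = ntpath.splitext(path)[1].lower()
    if DRIVER_DIR.search(path) and ext != ".sys":
        found.append(Finding("driver-dir", path,
                             f"'{ext}' file in the driver directory; drivers are normally .sys"))
    if TEMP_DIR.search(path) and ext in EXECUTABLE_EXT:
        found.append(Finding("temp-exec", path,
                             "executable created under a Temp directory"))
    return found


def check_run_entry(name: str, value: str, stamp: str) -> list[Finding]:
    """Rules for one Run-key entry."""
    found = []
    if stamp == "":
        found.append(Finding("run-unresolved", name,
                             f"no file data recorded for '{value}'; confirm the file exists and is expected"))
    if value and not ABSOLUTE_PATH.match(value):
        found.append(Finding("run-bare-name", name,
                             f"'{value}' is not an absolute path, so it is found by search order at logon"))
    return found


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect findings from the three line formats."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_LINE.match(line):
            findings.extend(check_file(m["path"]))
        elif m := RUN_ENTRY.match(line):
            findings.extend(check_run_entry(m["name"], m["value"], m["stamp"]))
        elif m := AUTORUN.match(line):
            findings.append(Finding("autorun", m["command"],
                                    "AutoRun command remembered for a removable drive"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.item}\n    {f.reason}")
```

Every finding is a prompt to check file properties or submit the file to a scanner, as the replies suggest, not a verdict; lvuvc.hs is flagged only because a non-.sys file in the driver directory is unusual.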

Author Comment

by:cpsimon
Thanks. I will try everything you suggest. It is very weird. I see the files with qsp extensions in the temp files. Norton and SpySweeper quarantine them. When I boot in normal mode, it starts all over again and it just goes on and on.
I looked at the registry and checked the run, run once, service; nothing is there. There are no keys which Norton or other sites have suggested. Norton identifies it as the trojan.zlob. However, SpySweeper refers to it as trojan.downloader banloader. I delete everything in Safe Mode. I get no notices from either Norton or SpySweeper.
I do have two logitech devices on my computer. I will check the file you suggest.
I really appreciate your help.
 
LVL 5

Assisted Solution

by:ina_don
ina_don earned 200 total points
Have you tried my suggestions, cpsimon? Scanning a dormant hard drive is the best way to get rid of viruses and spyware fast. Unless it's loading from the registry when you don't know the location, but if you get that bootable CD done together with the latest McAfee it should find it and delete it... And besides, that will be your quick way to issue resolution for the foreseeable future when it comes to nasties like that.

But if you are unable to do that, one point you need to know is that you might have some of those files either remaining in quarantine or in system restore. Clear out the quarantine on both your scanning products and disable the system restore to clear out all those issues. Run the virus scan again after following all that other advice too...
 
LVL 5

Expert Comment

by:ina_don
That worked for someone, it seems, so have a look at it:

http://www.computing.net/security/wwwboard/forum/18242.html
 

Author Comment

by:cpsimon
Hi,
I am away for the next couple of days. I have not done Bart's PE disk. I have it; I will add the updated McAfee DAT and Ad-Aware DAT to the CD. Norton was useless. I checked my registry with Norton's suggestions. There was nothing in my registry that Norton had mentioned. There is some file that creates bogus files which triggers SpySweeper and Norton alerts and quarantine messages when Windows is booted in normal mode. I had current Norton antivirus signatures and SpySweeper. I am not sure how the bogus file was permitted on my hard drive. I tried using HouseCall's online scan. It said it would take 4 days. I thought that something was wrong for it to take so long. I did try to run CureIt.
I will let you know when I return home if any of the suggestions work.
 

Author Comment

by:cpsimon
Hi
I'm back. I read the Norton log. The file that installed on my computer from the other drive is sysngke.exe. It was called Trojan downloader. I do not know if this helps. I used HijackThis and found something called catchme.sys. It was in the registry. I already sent you the log from ComboFix. I thought HijackThis might be better since it found catchme.sys. I will attach that log to this email. I removed catchme.sys from the registry. I have run the mwav scanner and ATF-Cleaner.
Norton cannot catch all the infected files. It's like Klez. It writes thousands of bogus files to the temp file, which then alerts SpySweeper and Norton to notify the user every second of the presence of infected files.
I am going to try to do a boot with Bart's PE and try cleaning the hard drive from there. How do I get the actual updated DAT files for Ad-Aware on the CD? How do I get an antivirus program onto the CD as well? I will boot with Bart's PE disk. Also, how do I get this CD to recognize a USB port?
Thanks. I really feel that since I have all my updates etc., antivirus and anti-spam software, I should be able to rescue my computer from this intruder.
Thanks for your support.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:09 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [USB2Check] "RUNDLL32.EXE" "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage 16-reminder] "C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKCU\..\Run: [LaCie Backup] "C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - VOB Computersysteme GmbH - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--

End of file - 15231 bytes

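The log cpsimon posted above is the kind of artifact a responder triages by hand: dangling "(no file)" references, a service with "Unknown owner", Run values that name a bare executable (resolved through the PATH search order at logon, so a same-named file dropped in a directory on that path wins), binaries outside the standard program directories or inside a user temp folder, and the configured proxy server. The script below is an added example, not a tool from this thread or from Trend Micro. It parses HijackThis R/O entry lines and reports only the entries matching those patterns; the sample log is a constructed excerpt of the posted log plus one hypothetical Run entry (marked as such) that exercises the temp-directory check. The trusted directory roots assume an English Windows XP layout like the one in the log.

```python
"""HijackThis log triage: flag the entries a responder looks at first.

Added illustration; not a tool from the thread.  Assumes an English
Windows XP layout like the posted log (C:\\WINDOWS, C:\\Program Files).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
TEMP_MARKERS = ("\\temp\\", "\\local settings\\")

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Everything from the first drive-letter path to the end of the entry.
PATH_RE = re.compile(r"[A-Za-z]:\\.*")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # HJT section, e.g. "O4"
    subject: str   # run-key name, service name, path or setting
    severity: str  # "high", "medium" or "low"
    reason: str


def _first_path(text: str) -> str | None:
    m = PATH_RE.search(text)
    return m.group(0).strip().strip('"') if m else None


def _path_findings(kind: str, path: str):
    low = path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        yield Finding(kind, path, "high", "executable under a user temp/profile directory")
    elif not low.startswith(TRUSTED_ROOTS):
        yield Finding(kind, path, "medium", "executable outside the standard program directories")


def _run_target_exe(target: str) -> str:
    """The program a Run value launches: the quoted path, else the first token
    (unquoted paths with spaces are not handled; Run values normally quote them)."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split()[0] if target else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the process list carry no entries
        kind, body = m.group("kind"), m.group("body")

        if "(no file)" in body:
            findings.append(Finding(kind, body, "low",
                                    "registry entry points at a file that no longer exists"))
            continue
        if kind == "R1" and "ProxyServer" in body:
            findings.append(Finding(kind, body.split("=", 1)[-1].strip(), "low",
                                    "proxy server configured; confirm it is yours"))
            continue

        run = RUN_RE.match(body) if kind == "O4" else None
        if run:
            exe = _run_target_exe(run.group("target"))
            if "\\" not in exe:
                findings.append(Finding(kind, run.group("name"), "medium",
                                        f"launches bare '{exe}', resolved via the PATH search order at logon"))
            else:
                findings.extend(_path_findings(kind, exe))
            continue

        svc = SERVICE_RE.match(body) if kind == "O23" else None
        if svc:
            if svc.group("owner").strip().lower() == "unknown owner":
                findings.append(Finding(kind, svc.group("name"), "medium",
                                        "service binary has no recognised publisher"))
            path = _first_path(svc.group("target"))
            if path:
                findings.extend(_path_findings(kind, path))
            continue

        path = _first_path(body)
        if path:
            findings.extend(_path_findings(kind, path))
    return findings


# Constructed excerpt: lines taken from the log posted above, plus one
# hypothetical Run entry (marked) to exercise the temp-directory check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKCU\..\Run: [hypothetical] "C:\Documents and Settings\user\Local Settings\Temp\hypothetical.exe"
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:3} {f.subject}: {f.reason}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. A finding is a prompt to look, not a verdict: the bare `TDispVol.exe` and `OpAgent.exe` entries and the unsigned Toshiba updater are all normal on this laptop, which is exactly why the posted log shows nothing obviously malicious even though the machine was infected.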
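cpsimon describes the infection by its side effect: something writes thousands of bogus files into the temp folder, and the scanners alert on each one. Measuring that directly is a useful triage step, because a burst of near-simultaneous file creations in a temp directory stands out from normal use regardless of which scanner recognises the files. The following is an added example, not a tool from this thread: it lists a directory's files with their creation times, clusters files created within a few seconds of each other, and reports any cluster large enough to be a flood together with the extensions involved. The embedded timestamps are constructed, not taken from the poster's machine.

```python
"""Find bursts of file creation in a directory, e.g. a flooded temp folder.

Added illustration, not a tool from the thread.
"""
import os
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Burst:
    start: float       # epoch seconds of the first file in the run
    end: float         # epoch seconds of the last file in the run
    count: int
    extensions: tuple  # ((ext, n), ...), most common first


def list_entries(directory: str):
    """(path, creation time) for each regular file directly under directory.
    On Windows st_ctime is the creation time; on POSIX it is the inode
    change time, which is close enough for freshly dropped files."""
    out = []
    with os.scandir(directory) as it:
        for e in it:
            if e.is_file(follow_symlinks=False):
                out.append((e.path, e.stat(follow_symlinks=False).st_ctime))
    return out


def find_bursts(entries, max_gap=5.0, threshold=50):
    """Cluster files whose creation times are at most max_gap seconds apart
    (a gap larger than max_gap ends the cluster); any cluster of at least
    threshold files is reported as a burst."""
    items = sorted(entries, key=lambda t: t[1])
    bursts, i, n = [], 0, len(items)
    while i < n:
        j = i
        while j + 1 < n and items[j + 1][1] - items[j][1] <= max_gap:
            j += 1
        run = items[i:j + 1]
        if len(run) >= threshold:
            exts = Counter(os.path.splitext(p)[1].lower() or "(none)" for p, _ in run)
            bursts.append(Burst(run[0][1], run[-1][1], len(run), tuple(exts.most_common(3))))
        i = j + 1
    return bursts


def sample_entries():
    """Constructed data: five ordinary files spread over 40 minutes and
    400 .tmp files dropped 50 ms apart, standing in for a real folder."""
    base = 1_197_766_389.0
    normal = [(f"C:\\Temp\\normal{i}.log", base + i * 600.0) for i in range(5)]
    flood = [(f"C:\\Temp\\~DF{i:04X}.tmp", base + 1500.0 + i * 0.05) for i in range(400)]
    return normal + flood


if __name__ == "__main__":
    import sys
    entries = list_entries(sys.argv[1]) if len(sys.argv) > 1 else sample_entries()
    for b in find_bursts(entries):
        print(f"{b.count} files in {b.end - b.start:.1f}s, extensions: {b.extensions}")
```

Point it at the real folder with `python burst.py "%TEMP%"` (or the All Users temp directory). The burst tells you the extension and the time window; Process Monitor filtered on that window, or a boot-time file-creation watch, then identifies the process doing the writing, which is the executable the scanners were not catching.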
 
LVL 5

Expert Comment

by:ina_don
On the pages where you download the add-ons (cab files) for BartPE there are instructions on how to go about it. Almost all cabs have instructions on what you need to do to get all the required files to get it working.
Author Comment

by:cpsimon
Hi,
I am now Trojan free. To Ina Don: I could not figure out from the Bart PE site how to put the anti-spyware on the Bart PE CD. I somehow wound up at Bart's PE with AVAST. This CD would cost $299. I have worked on this for so long, I might have bought it if it solved the problem. However, I did get rid of it. The first thing I did was disable the MS Messenger file. This slowed the reproduction of files down substantially. I then noticed a Yahoo program which was installed on the same day the computer got infected. I removed this program and a WildTangent program which I did not remember installing. I used all the tools that you and rpggamergirl advised. Although neither was the exact solution, your help was invaluable. I had more than just the Trojan Zlob. I thought I would split the points between you.
Author Closing Comment

by:cpsimon
Thank you all for your suggestions.  This was really an awful Trojan, but with all your suggestions, I was able to figure out what might help.  It took a while, but I have a clean computer.
LVL 47

Expert Comment

by:rpggamergirl
A lot of legit programs like Yahoo and MSN Messenger come with unnecessary add-ins and sponsors. Any IM, especially MSN, can also be an easy source of viruses.
I reinstalled my Yahoo IM recently and I couldn't even opt out of the installation of toolbars and other add-ins that came with it.

You did a good job troubleshooting and cleaning the pc.
Thanks for the points!

Merry Christmas!
LVL 5

Expert Comment

by:ina_don
Glad to know that you are sorted out. Sorry the procedure might have been complicated for you to get the software onto the BartPE CD.

All the same, when you have time look it up and see if you can get it working. I do support all the time, and having a BartPE CD comes in handy when trying to clear up stuff that is self-loading and still has a way of creeping into a native safe-mode Windows boot. It's very good.

Happy New Year if your year starts next week!