Solved

How to remove trojan.ZOB from computer

Posted on 2007-12-02
19
Medium Priority
2,022 Views
Last Modified: 2013-11-22
I did something very stupid. I thought my Toshiba laptop was protected. It has XP Home and 2 GB of RAM. It has all updated Norton virus protection and SpySweeper. I had the not so bright idea of attaching an infected hard drive via a USB cable in an enclosure to clean this hard drive and then put it back into another computer from whence it came. Unfortunately, there must be some undetectable exe file which generates infected zob files which is now on my laptop. My virus protection catches them, but it is almost like a DOS attack because the messages of detection and capture are continual and I cannot use the computer. I have scanned it twice with Norton and Spysweeper. They catch the files, but not the exe file that seems to be generating them. I took my laptop off the network and disabled file recovery. Norton just says to run a Norton scan. That really is not good enough. I went into the registry and could not find anything that I recognized as suspicious. Help!!
0
Question by:cpsimon
19 Comments
 
LVL 4

Expert Comment

by:scottdorsey
ID: 20391903
If you read what Norton says, it also tells you how to remove it from the registry, which will be enough to stop it working.

3 things to try:

1) Windows system restore if it's turned on.

2) Removal tool:

http://www.zlob-removal.com.removal-instructions.com/removezlob.html

3) Manual removal:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99

0
 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 400 total points
ID: 20392014
Sounds like Smitfraud to me.

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

Also, when done running this tool it would be advised to clean up temp files, cookies, etc. and to run a spyware scan. AVG is my tool of choice and is free for 30 days. NOTE: After updating it I would recommend running the scan in Safe Mode.

Use ATFCleaner to clean up temp files, etc.
http://www.atribune.org/ccount/click.php?id=1

AVG AS link:
http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=asf

 

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20392417
If problem persists, also run Combofix.

Download ComboFix to your Desktop, from either of these locations:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Upload the log at EE-Stuff.com  or attach as code snippet for us to check please.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
0

 

Author Comment

by:cpsimon
ID: 20393854
I have spent the entire day trying to get rid of this. Norton is useless. It detects the files after they have been written to the Temp file and then deletes them. It does not block them from getting on. I have run AVG, Norton and Spysweeper. I also did it in safe mode. SmitfraudFix.exe did not fix it. I have now run ComboFix and uploaded the log file to EE-Stuff. I do not know how to put my name on it. There was no question ID. It was a log.txt file. How will you know it pertains to my question? I have therefore attached it as a code snippet. When I am in safe mode, I just delete the files in temp, and quarantine in both Spysweeper and Norton. It does not create any new files until I go into normal mode. Please help. Thanks.
ComboFix 07-12-02.7 - Claudia 2007-12-02 23:25:00.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.431 [GMT -5:00]
Running from: C:\Documents and Settings\Claudia\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((   Files Created from 2007-11-03 to 2007-12-03  )))))))))))))))))))))))))))))))
.
 
2007-12-02 20:08 . 2007-12-02 20:09	7,102	--a------	C:\WINDOWS\system32\tmp.reg
2007-12-02 19:42 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2007-12-02 19:42 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2007-12-02 19:42 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2007-12-02 19:42 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2007-12-02 19:42 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2007-12-02 18:44 . 2007-12-02 18:44	2	--a------	C:\WINDOWS\msoffice.ini
2007-12-02 18:34 . 2007-12-02 19:33	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\U3
2007-12-02 18:26 . 2007-12-02 18:26	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-02 17:59 . 2007-12-02 17:59	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\Grisoft
2007-12-02 17:56 . 2007-05-30 07:10	10,872	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-02 17:55 . 2007-12-02 17:55	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-02 16:51 . 2007-12-02 16:51	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Webroot
2007-12-02 16:41 . 2007-12-02 16:41	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Zeon
2007-12-02 16:30 . 2007-12-02 16:30	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\Ipswitch
2007-11-30 12:28 . 2007-11-30 12:28	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-11-30 12:28 . 2007-11-30 12:28	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\Yahoo!
2007-11-30 12:28 . 2007-11-30 12:28	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-30 12:20 . 2007-11-30 12:20	<DIR>	d--------	C:\Program Files\Common Files\Scanner
2007-11-30 12:20 . 2007-11-30 12:20	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\Logitech
2007-11-30 12:19 . 2007-11-30 12:19	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-11-30 12:18 . 2007-11-30 12:18	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-30 12:16 . 2007-04-11 15:33	1,419,024	--a------	C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-11-30 12:16 . 2007-04-11 15:32	56,080	--a------	C:\WINDOWS\KHALMNPR.Exe
2007-11-30 12:16 . 2007-04-11 15:32	36,112	--a------	C:\WINDOWS\system32\drivers\LMouFilt.Sys
2007-11-30 12:16 . 2007-04-11 15:32	34,832	--a------	C:\WINDOWS\system32\drivers\LHidFilt.Sys
2007-11-30 12:15 . 2007-04-23 04:00	163,840	--a------	C:\WINDOWS\system32\kemutb.dll
2007-11-30 12:15 . 2007-04-23 04:00	135,168	--a------	C:\WINDOWS\system32\KemUtil.dll
2007-11-30 12:15 . 2007-04-23 04:00	110,592	--a------	C:\WINDOWS\system32\KemWnd.dll
2007-11-30 12:15 . 2007-04-23 04:00	69,632	--a------	C:\WINDOWS\system32\KemXML.dll
2007-11-28 23:53 . 2007-11-29 00:42	36,352	--a------	C:\joleeA 10.doc
2007-11-22 01:32 . 2007-10-11 20:57	195,096	--a------	C:\WINDOWS\system32\lvci1150.dll
2007-11-22 01:31 . 2007-10-11 21:00	41,752	--a------	C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-11-22 01:31 . 2007-11-29 21:21	0	--a------	C:\WINDOWS\system32\drivers\logiflt.iad
2007-11-22 01:18 . 2007-12-02 17:54	<DIR>	d--------	C:\Documents and Settings\Claudia\Application Data\skypePM
2007-11-22 01:18 . 2007-11-22 01:18	32	--a------	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-22 01:16 . 2007-11-22 01:16	<DIR>	d--------	C:\Program Files\Common Files\Skype
2007-11-20 01:47 . 2007-11-20 01:47	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2007-11-20 01:47 . 2007-11-20 01:47	1,409	--a------	C:\WINDOWS\QTFont.for
2007-11-11 22:28 . 2001-08-10 07:00	1,262,956	---------	C:\WINDOWS\system32\XMNT2001.EXE
2007-11-11 22:27 . 2007-11-11 22:40	<DIR>	d--------	C:\Program Files\PowerQuest
2007-11-11 10:31 . 2007-11-11 10:38	<DIR>	d--------	C:\Symantec Ghost Installer
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 04:48	---------	d-----w	C:\Program Files\Symantec AntiVirus
2007-12-03 04:33	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\Skype
2007-12-03 00:36	---------	d-----w	C:\Program Files\Pure Networks
2007-12-03 00:36	---------	d-----w	C:\Program Files\Common Files\AOL
2007-12-02 23:46	---------	d-----w	C:\Program Files\Toshiba Games
2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\Mickey\Application Data\AOL
2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\AOL
2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\All Users\Application Data\AOL
2007-12-02 23:45	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\AOL
2007-11-30 17:20	---------	d-----w	C:\Program Files\Yahoo!
2007-11-30 17:16	---------	d-----w	C:\Program Files\Common Files\Logitech
2007-11-30 17:15	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-11-30 17:15	---------	d-----w	C:\Program Files\Logitech
2007-11-30 17:15	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Logitech
2007-11-30 02:21	0	----a-w	C:\WINDOWS\system32\drivers\lvuvc.hs
2007-11-26 07:18	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\U3
2007-11-22 06:33	---------	d-----w	C:\Program Files\Common Files\LogiShrd
2007-11-22 06:27	---------	d-----w	C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-11-22 06:16	---------	d-----w	C:\Program Files\Skype
2007-11-22 06:16	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Skype
2007-11-20 01:14	---------	d-----w	C:\Program Files\Palm
2007-11-15 07:16	---------	d-----w	C:\Program Files\Mozilla Thunderbird
2007-11-11 16:04	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2007-11-11 16:01	---------	d-----w	C:\Program Files\Symantec
2007-11-11 16:01	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-29 18:15	---------	d-----w	C:\Program Files\MSECache
2007-10-28 18:19	---------	d-----w	C:\Program Files\Filao
2007-10-25 19:44	3,034	----a-w	C:\Documents and Settings\Claudia\Application Data\SAS7_000.DAT
2007-10-23 03:28	164	----a-w	C:\install.dat
2007-10-19 18:16	2,109,976	----a-w	C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-16 01:43	---------	d-----w	C:\Documents and Settings\All Users\Application Data\ScanSoft
2007-10-16 01:39	---------	d-----w	C:\Documents and Settings\Claudia\Application Data\ScanSoft
2007-10-12 02:01	23,832	----a-w	C:\WINDOWS\system32\drivers\lvuvcflt.sys
2007-10-12 02:00	3,647,384	----a-w	C:\WINDOWS\system32\drivers\lvuvc.sys
2007-10-12 01:59	1,920,920	----a-w	C:\WINDOWS\system32\drivers\lvpopflt.sys
2007-10-11 23:59	25,624	----a-w	C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-11 23:59	2,142,488	----a-w	C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-11 12:25	---------	d-----w	C:\Program Files\PAL
2007-10-07 23:31	---------	d-----w	C:\Program Files\Microsoft Works
2007-10-07 23:31	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-01 20:40	1,526,072	----a-w	C:\WINDOWS\WRSetup.dll
2007-06-22 20:32	563,712	----a-w	C:\Documents and Settings\Claudia\gotomypc_370.exe
2002-07-26 22:02	153,088	----a-w	C:\Program Files\UNWISE.EXE
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-11-12 15:48]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-07-31 22:23]
"LogitechSetup"="D:\setup.exe" []
"OpAgent"="OpAgent.exe" []
"LaCie Backup"="C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe" [2006-01-24 08:55]
"AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" []
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-11-28 00:55]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-11-28 00:52]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-11-28 00:55]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2005-12-22 00:29]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 16:56]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 17:02]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 03:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 03:32]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-18 06:37]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 09:29 C:\WINDOWS\agrsmmsg.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 15:25]
"TPSMain"="TPSMain.exe" [2005-06-01 00:00 C:\WINDOWS\system32\TPSMain.exe]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" []
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 14:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 13:41]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 15:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 15:15]
"PDF4 Registry Controller"="C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe" [2006-08-22 18:09]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2007-04-10 11:01]
"USB2Check"="RUNDLL32.exe" [2004-08-10 07:00 C:\WINDOWS\system32\rundll32.exe]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 00:26]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"ScanSoft OmniPage 16-reminder"="C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" [2007-07-20 08:50]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-11 12:01]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-11 11:58]
"PPort11reminder"="C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2006-11-16 10:01]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2006-06-15 01:40]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 15:40]
 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-09 19:36:06]
DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2007-02-01 23:01:13]
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 14:27:34]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-07-31 22:23:37]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-30 12:15:48]
Metamail Trust Manager.lnk - C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe [2006-03-09 22:23:11]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
psqlpwd.dll 2005-12-22 00:42 40448 C:\WINDOWS\system32\psqlpwd.dll
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^OZ-290_ZQ-290II Synchronization Software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OZ-290_ZQ-290II Synchronization Software.lnk
backup=C:\WINDOWS\pss\OZ-290_ZQ-290II Synchronization Software.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
			CFSServ.exe -NoClient
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2005-10-06 08:20	122940	--a------	C:\WINDOWS\system32\dla\DLACTRLW.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DNS7reminder]
			C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe -r C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
			C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-05-26 11:45	257088	--a------	C:\Program Files\iTunes\iTunesHelper.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
			KHALMNPR.EXE
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
			C:\Program Files\Logitech\Video\CameraAssistant.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
			C:\Program Files\Messenger\msmsgs.exe /background
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50	155648	--a------	C:\WINDOWS\system32\NeroCheck.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NGTray]
2007-04-19 21:01	181896	--a------	C:\Program Files\Symantec\Ghost\ngtray.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpAgent]
			C:\Program Files\ScanSoft\OmniPage15.0\OpAgent.exe /agent
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpScheduler]
			C:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware15]
			C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2006-12-11 19:36	366400	--a------	C:\Program Files\Picasa2\PicasaMediaDetector.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
			c:\toshiba\ivp\ism\pinger.exe /run
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
			C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
			C:\Program Files\QuickTime\qttask.exe -atboottime
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
			C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-26 19:13	122880	--a------	C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
			C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
			TFncKy.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2004-12-30 03:32	65536	--a------	C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
2006-06-01 02:37	196608	--a------	C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe
 
R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys
R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
R2 FdRedir;FdRedir;\??\C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
R2 FileDisk2;FileDisk Protector Kernel Driver;\??\C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
R2 smihlp;SMI helper driver;\??\C:\Program Files\Protector Suite QL\smihlp.sys
R3 TcUsb;TC USB Kernel Driver;C:\WINDOWS\system32\Drivers\tcusb.sys
S3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46c35522-aafb-11db-9a7e-00038a000015}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{658a3334-9337-11dc-9b50-00038a000015}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd4cfb3d-1552-11db-99c9-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe
 
.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 19:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-06-19 16:37:48 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2006-06-19 16:37:49 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************
 
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 23:51:26
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully 
hidden files: 0 
 
**************************************************************************
.
Completion time: 2007-12-02 23:56:44 - machine was rebooted
.
	--- E O F ---


0
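The ComboFix log above is reviewed by hand later in the thread (the experts look for unusual Run entries and point at one odd driver file). As an added example that is not part of the thread and not ComboFix's own code, the script below does the first pass of that review automatically: it parses the "Reg Loading Points" section, flags Run entries whose trailing bracket is empty (ComboFix could not locate the file at scan time), flags entries that launch from a user-writable profile or temp folder, and lists every AutoRun command registered under mountpoints2 for a mounted drive, which is exactly the mechanism that makes plugging in an infected drive risky. The sample log is constructed from a few of the thread's own lines plus one made-up entry ("UpdateCheck") to exercise the temp-folder check; the heuristics are review prompts for an analyst, not verdicts.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of the ComboFix "Reg Loading Points"
# section posted in the thread: a few of that log's own lines plus one
# made-up entry ("UpdateCheck") to exercise the temp-folder check.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"LogitechSetup"="D:\setup.exe" []
"OpAgent"="OpAgent.exe" []
"UpdateCheck"="C:\Documents and Settings\User\Local Settings\Temp\upd.exe" [2007-12-01 10:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TDispVol"="TDispVol.exe" [2005-03-11 18:03 C:\WINDOWS\system32\TDispVol.exe]
"NDSTray.exe"="NDSTray.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd4cfb3d-1552-11db-99c9-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe
"""

Finding = namedtuple("Finding", "key name value reason")

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" [timestamp and, for bare names, the resolved path]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$")
# Path fragments a standard user can write to; Zlob-style droppers live here.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\")


def iter_entries(text):
    """Yield (registry key, line) for every non-empty line under a [KEY] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is not None:
            yield key, line


def triage(text):
    """Return review items from the Run keys and mountpoints2 AutoRun commands.

    These are heuristics for an analyst reading the log, not verdicts: a
    legitimate entry can trip them (the D: drive setup.exe above is just a
    CD installer that is no longer inserted).
    """
    findings = []
    for key, line in iter_entries(text):
        lower = key.lower()
        if lower.endswith("\\currentversion\\run"):
            m = RUN_RE.match(line)
            if not m:
                continue  # startup-folder lines and other non-value text
            name, value, info = m.group("name", "value", "info")
            if not info.strip():
                reason = "empty []: ComboFix could not locate the file at scan time"
            elif any(part in value.lower() for part in USER_WRITABLE):
                reason = "launches from a user-writable profile or temp location"
            else:
                continue
            findings.append(Finding(key, name, value, reason))
        elif "\\mountpoints2\\" in lower:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(Finding(key, "AutoRun", m.group("cmd"),
                                        "AutoRun command registered for a mounted drive"))
    return findings


def flagged_names(text):
    """Convenience view: the names of the flagged entries, in log order."""
    return [f.name for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:<15} {f.value:<60} {f.reason}")
```

Run against the full log in the thread, the same parser flags the same kind of entries a reviewer would circle first: the bare-name Run values with an empty bracket and the five LaunchU3.exe AutoRun commands left behind by U3 flash drives. Anything it flags still needs the manual check the experts describe (file properties, an online scan, or renaming the file to disable it).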
 

Author Comment

by:cpsimon
ID: 20393861
Help.  See comment above
0
 
LVL 5

Expert Comment

by:ina_don
ID: 20401336
Hi there! How proficient are you with computers? The quickest way out of these troublesome infections is if you can create a BartPE [http://www.nu2.nu/pebuilder/] or any of the available bootable CDs (online) which allow you to add virus removal and spyware removal tools. That way, the spyware or antivirus will not be running when you attempt to clean the machine and presents less trouble. The things that you might want to add to the BartPE CD for your purposes are the superdat for McAfee and the Adaware spyware remover.

Also use the file browser to remove any autorun.* files from your c: drive and if the registry is not cleaned use the remote registry tool to load your PC's registry to clear the registry locations as advised on the Norton/Symantec website.

If you need more help let me know.
0
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 800 total points
ID: 20402141
Thanks for the logfile. Sorry, it's not always easy to upload files at EE-Stuff.com; yes, you do need to put the link to your question.
Anyway, it's easier attaching the log as a code snippet.


I can't see Smitfraud or any obvious nasties showing in the ComboFix log, unless I missed them. Other experts might see what I missed.


You might like to try free SUPERAntispyware, it also removes zlob trojans.

1.  Download and install Superantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Load Superantispyware and click the "check for updates" button.
Once the update is finished, close SuperAntispyware again, and boot to Safe Mode to scan your pc.


* In Safe Mode, Start Superantispyware.
Click the "scan your computer" button.
Check "Perform Complete Scan" and then next.
Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a text file will appear.


2.  Another scanner you could also try.
Download and install DrWebCureit to your desktop.
(either links)
http://download.drweb.com/drweb+cureit/
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done":
Click on the green screwdriver.
Actions Tab - Adware-Dialers-Riskware-Hacktools: use the dropdown menu and select Delete.
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
0
 
LVL 20

Expert Comment

by:IndiGenus
ID: 20402724
The only thing I see is this...
C:\WINDOWS\system32\drivers\lvuvc.hs

Not sure what it is. Have seen many experts fix it without harm. You could try renaming it. Just change the file extension to something like .old or something. Very strange looking for a driver file anyway.

I would definitely concur with rpg on running both those scanners also. Good luck,
Dave
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20417338
C:\WINDOWS\system32\drivers\lvuvc.hs
yes, a lot of experts are deleting that file but I can't find any info on it.
It also looks like it might belong to logitech.

Try right-clicking on that file and check the info on the properties,
or have it scanned at http://virusscan.jotti.org/
or just rename that file by adding a different extension to disable its function; you could always revert it back.
0
 

Author Comment

by:cpsimon
ID: 20418356
Thanks. I will try everything you suggest. It is very weird. I see the files with qsp extensions in the temp files. Norton and Spysweeper quarantine them. When I boot in normal mode, it starts all over again and it just goes on and on.
I looked at the registry and checked the run, run once, service; nothing is there. There are no keys which Norton or other sites have suggested. Norton identifies it as the trojan.zlob. However, Spy Sweeper refers to it as trojan.downloader banloader. I delete everything in safe mode. I get no notices from either Norton or Spysweeper.
I do have two logitech devices on my computer. I will check the file you suggest.
I really appreciate your help.
0
 
LVL 5

Assisted Solution

by:ina_don
ina_don earned 800 total points
ID: 20419617
Have you tried my suggestions, cpsimon? Scanning a dormant hard drive is the best way to get rid of viruses and spyware fast. Unless it's loading from the registry when you don't know the location; but if you get that bootable CD done together with the latest McAfee it should find it and delete it... And besides, that will be your quick way to issue resolution for the foreseeable future when it comes to nasties like that.

But if you are unable to do that, one point you need to know is that you might have some of those files either remaining in quarantine or in System Restore. Clear out the quarantine on both your scanning products and disable System Restore to clear out all those issues. Run the virus scan again after following all that other advice too...
0
 
LVL 5

Expert Comment

by:ina_don
ID: 20419916
That worked for someone, it seems, so have a look at it:

http://www.computing.net/security/wwwboard/forum/18242.html
0
 

Author Comment

by:cpsimon
ID: 20433188
Hi,
I am away for the next couple of days. I have not done Bart's PE disk. I have it; I will add the updated McAfee dat and Adaware dat to the CD. Norton was useless. I checked my registry with Norton's suggestions. There was nothing in my registry that Norton had mentioned. There is some file that creates bogus files which triggers SpySweeper and Norton alerts and quarantine messages when Windows is booted in normal mode. I had current Norton anti-virus signatures and Spysweeper. I am not sure how the bogus file was permitted on my hard drive. I tried using HouseCall's online scan. It said it would take 4 days. I thought that something was wrong for it to take so long. I did try to run CureIt.
I will let you know when I return home if any of the suggestions work.
0
 

Author Comment

by:cpsimon
ID: 20479562
Hi
I'm back. I read the Norton log. The file that installed on my computer from the other drive is sysngke.exe. It was called Trojan downloader. I do not know if this helps. I used HijackThis and found something called catchme.sys. It was in the registry. I already sent you the log from ComboFix. I thought HijackThis might be better since it found catchme.sys. I will attach that log to this email. I removed catchme.sys from the registry. I have run mwav scanner and ATF-Cleaner.
Norton cannot catch all the infected files. It's like Klez. It writes thousands of bogus files to the temp file which then alerts Spysweeper and Norton to notify the user every second of the presence of infected files.
I am going to try to do a boot with Bart's PE and try cleaning the hard drive from there. How do I get the actual updated dat files for Adaware on the CD? How do I get an antivirus program onto the CD as well? I will boot with Bart's PE disk. Also, how do I get this CD to recognize a USB port?
Thanks. I really feel since I have all my updates etc., anti-virus and anti-spam software, I should be able to rescue my computer from this intruder.
Thanks for your support.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:09 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\LaCie\Backup Software\LaCieBackup.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\PROGRA~1\METAMA~1\METAMA~1\METAMA~2.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gate.temple.edu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [THotkey] "C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] "C:\Program Files\Toshiba\Tvs\TvsTray.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDF4 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [USB2Check] "RUNDLL32.EXE" "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ScanSoft OmniPage 16-reminder] "C:\Program Files\ScanSoft\OmniPage16\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPage 16\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKCU\..\Run: [LaCie Backup] "C:\Program Files\LaCie\Backup Software\\LaCieBackup.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Metamail Trust Manager.lnk = C:\Program Files\Metamail Inc\Metamail Tray\Metamail Trust Manager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASP.NET State Service (aspnet_state) - VOB Computersysteme GmbH - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Symantec Ghost Database Service Wrapper (NGDBSERV) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGSERVER) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngserver.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 15231 bytes


0
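A HijackThis log like the one above is long, and most of its lines are legitimate vendor software; what a responder actually scans for are the few entries that deserve a second look. The following script is an added example (not code from the thread, and not part of HijackThis or any product named here) that parses the v2 log format and flags three kinds of entries: registry entries whose target is "(no file)" (leftovers that can simply be cleaned up), O4 autoruns that name a bare executable with no directory (Windows resolves these through its search path, so the log alone does not tell you which binary runs), and O23 services with no recorded publisher. The sample lines are constructed, modelled on the entry kinds in the posted log, and the heuristics are the author's assumptions: a flag means "verify this", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the entry kinds
# seen in the log posted above (R3/O2 browser hooks, O4 autoruns, O23 services).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ASP.NET State Service (aspnet_state) - VOB Computersysteme GmbH - (no file)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

NO_FILE = "(no file)"
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")                       # any HijackThis entry line
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic (assumption): autoruns launched from a temp or profile directory
# are unusual for vendor software and worth checking by hand.
TEMP_DIR_RE = re.compile(r"\\(temp|local settings|application data)\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line deserves a look
    line: str      # the raw log line


def executable_of(cmd):
    """Return the program part of an O4 command line, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):             # unquoted: stop at the first program-like token
        if tok.lower().endswith((".exe", ".dll", ".com", ".scr")):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def triage(log_text):
    """Scan a HijackThis log and return the entries that need manual verification."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            continue
        section = line.split(" - ", 1)[0]
        if line.endswith(NO_FILE):
            findings.append(Finding(section, "registry entry points at a file that no longer exists", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding(section, f"autorun '{exe}' has no directory; it is resolved via the search path, so check which binary actually runs", line))
            elif TEMP_DIR_RE.search(exe):
                findings.append(Finding(section, "autorun launches from a temporary or profile directory", line))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(Finding(section, f"service '{m.group('svc')}' has no publisher recorded", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

To use it on a real log, read the saved file into a string and pass it to `triage()` instead of `SAMPLE_LOG`. Every flagged path should then be checked on the machine itself (does the file exist, who signed it, when was it created), since the log only records what the registry says, not what is on disk.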
 
LVL 5

Expert Comment

by:ina_don
ID: 20499184
On the pages where you download the addons (cab files) for the BartPE there are instruction on how to go about it. Almost all cabs have instructions on what you need to do to get all the required files to get working.
0
 

Author Comment

by:cpsimon
ID: 20526035
Hi,
I am now Trojan free.  To Ina Don: I could not figure out from the Bart PE site how to put the anti-spyware on the Bart PE CD.  I somehow wound up at Bart's PE with Avast. This CD would cost $299.  I have worked on this for so long, I might have bought it if it solved the problem.  However, I did get rid of it.  The first thing I did was disable the MS Messenger file.  This slowed the reproduction of files down substantially.  I then noticed a Yahoo program which was installed on the same day the computer got infected. I removed this program and a WildTangent program which I did not remember installing. I used all the tools that you and rpggamergirl advised.  Although neither was the exact solution, your help was invaluable.  I had more than just the Trojan Zlob.  I thought I would split the points between you.
0
 

Author Closing Comment

by:cpsimon
ID: 31412210
Thank you all for your suggestions.  This was really an awful Trojan, but with all your suggestions, I was able to figure out what might help.  It took a while, but I have a clean computer.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 20526171
A lot of legit programs like Yahoo and MSN Messenger come with unnecessary add-ins and sponsors. Any IM, especially MSN, can also be an easy source of viruses.
I reinstalled my yahoo IM recently and I couldn't even opt out the installations of toolbars and other addins that came with it.

You did a good job troubleshooting and cleaning the pc.
Thanks for the points!

Merry Christmas!
0
 
LVL 5

Expert Comment

by:ina_don
ID: 20549111
Glad to know that you are sorted out. Sorry the procedure might have been complicated for you to get the software onto the BartPE CD.

All the same, when you have time look it up and see if you can get it working. I do support all the time, and having a BartPE CD comes in handy when trying to clear up stuff that is self-loading and still has a way of creeping into the native safe-mode Windows boot. It's very good.

Happy New Year if your year starts next week!
0
