punktum
2010-04-06, 06:29
Hello there, yesterday I scanned my computer with spybot s&d and I came up with a result called win32.zbot.rtk.
(Both SUPERantispyware and malwarebytes didn't find the trojan, only spybot.)
Even after repair with and without safe mode it just keeps re-appearing.
I've never had a worm like this infected on my computer and for the first time in my life I need help removing it.
Any help is much appreciated, thank you. :)
I've backed up the registry wit ERUNT and here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:22:21, on 06.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ROCCAT\Kone Mouse\KoneHID.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Geirr\Programmer\Avast5\AvastUI.exe
C:\Geirr\Programmer\Daemon Tools\DAEMON Tools Lite\DTLite.exe
C:\Program Files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ROCCAT\Kone Mouse\osd.exe
C:\Geirr\Programmer\Mozilla\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dagbladet.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Geirr\Programmer\quicktime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Kone] "C:\Program Files\ROCCAT\Kone Mouse\KoneHID.EXE"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] C:\Geirr\PROGRA~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\RunOnce: [SpybotDeletingA5409] command.com /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7893] cmd.exe /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKCU\..\Run: [Steam] "c:\geirr\programmer\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Geirr\Programmer\Daemon Tools\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\RunOnce: [SpybotDeletingB1473] command.com /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5426] cmd.exe /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: TwonkyMedia Manager.lnk = C:\Program Files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Vis eller skjul HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33DFE7A1-E129-46B7-B795-9F8A25A0644C}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{941F0970-44FF-43DF-B9A5-4E9B3C6C4D80}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Geirr\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Geirr\Programmer\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - ALWIL Software - C:\Geirr\Programmer\Avast5\afwServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Geirr\Programmer\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Geirr\Programmer\Avast5\AvastSvc.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Geirr\Spill\Dragon Age Origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Unknown owner - C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Geirr\Programmer\Spybot s&d\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TwonkyMedia - Unknown owner - C:\Program Files\TwonkyMedia\twonkymediaserverwatchdog.exe
--
End of file - 7718 bytes
(Both SUPERantispyware and malwarebytes didn't find the trojan, only spybot.)
Even after repair with and without safe mode it just keeps re-appearing.
I've never had a worm like this infected on my computer and for the first time in my life I need help removing it.
Any help is much appreciated, thank you. :)
I've backed up the registry wit ERUNT and here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:22:21, on 06.04.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ROCCAT\Kone Mouse\KoneHID.EXE
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Geirr\Programmer\Avast5\AvastUI.exe
C:\Geirr\Programmer\Daemon Tools\DAEMON Tools Lite\DTLite.exe
C:\Program Files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ROCCAT\Kone Mouse\osd.exe
C:\Geirr\Programmer\Mozilla\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dagbladet.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Geirr\Programmer\quicktime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Kone] "C:\Program Files\ROCCAT\Kone Mouse\KoneHID.EXE"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avast5] C:\Geirr\PROGRA~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\RunOnce: [SpybotDeletingA5409] command.com /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7893] cmd.exe /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKCU\..\Run: [Steam] "c:\geirr\programmer\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Geirr\Programmer\Daemon Tools\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\RunOnce: [SpybotDeletingB1473] command.com /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5426] cmd.exe /c del "C:\Windows\System32\msinfo32.exeexeslllllles"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: TwonkyMedia Manager.lnk = C:\Program Files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Vis eller skjul HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33DFE7A1-E129-46B7-B795-9F8A25A0644C}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{941F0970-44FF-43DF-B9A5-4E9B3C6C4D80}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Geirr\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Geirr\Programmer\Avast5\AvastSvc.exe
O23 - Service: avast! Firewall - ALWIL Software - C:\Geirr\Programmer\Avast5\afwServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Geirr\Programmer\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Geirr\Programmer\Avast5\AvastSvc.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Geirr\Spill\Dragon Age Origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Unknown owner - C:\Program Files\RALINK\Common\RalinkRegistryWriter.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Geirr\Programmer\Spybot s&d\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TwonkyMedia - Unknown owner - C:\Program Files\TwonkyMedia\twonkymediaserverwatchdog.exe
--
End of file - 7718 bytes