Troj_Zlob.KW & spysheriff + ? [LOGS]
Hi, I've been volunteered to fix a friend's computer, as they had a few problems with it.
It appears as though they had a desktop hijacker, which pointed IE to www.securitycenter.com, which I believe I have at least partially removed, although not completely.
After seeing this, I ran a PC-cillin scan and discovered it suggested that TROJ_ZLOB.ZW was on the PC within a file called mssearchnet.exe in c:\windows\system32\. I looked this up on the Trend HouseCall website and followed their instructions on removal, which obviously haven't worked.
I have run an online Panda Software Active Scan with the following results:
Incident Status Location
Virus:Trj/Downloader.IHX Disinfected Operating system
Possible Virus. Not disinfected C:\WINDOWS\system32\hp86DE.tmp
Adware:adware/emediacodec Not disinfected C:\WINDOWS\system32\nvctrl.exe
Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\dfrgsrv.exe
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/cws Not disinfected C:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/secure32 Not disinfected C:\WINDOWS\SYSTEM32\scmt16.exe
Adware:adware/spywarequake Not disinfected C:\WINDOWS\SYSTEM32\stickrep.dll
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\ms1.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.atwola.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Match Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[promo.match.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Bonnie\Application
Cont'd...
Cont'd activescan log + spybot 1.4 results
Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.overture.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.belnk.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[.stat.onestat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\d3n21s3l.default\cookies.txt[]
Virus:Trj/Downloader.IHX Disinfected C:\Documents and Settings\Bonnie\Local Settings\Temporary Internet Files\Content.IE5\MTF0POFM\wdinit64[1].exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\WINDOWS\country.exe
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\1024\ld3C35.tmp
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\1024\ld8575.tmp
Possible Virus. Not disinfected C:\WINDOWS\system32\hp86DE.tmp
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\scmt16.exe
Dialer:Dialer.GUJ Not disinfected C:\WINDOWS\system32\winjau32.dll
Adware:Adware/SpySheriff Not disinfected C:\WINDOWS\toolbar.exe
Spybot 1.4 had the following results:
TIBS: Executable (File, fixed)
C:\WINDOWS\ms1.exe
Smitfraud-C.: Executable (File, fixed)
C:\WINDOWS\tool1.exe
Smitfraud-C.: Executable (File, fixed)
C:\WINDOWS\tool3.exe
Smitfraud-C.: Executable (File, fixed)
C:\WINDOWS\tool4.exe
Smitfraud-C.: Executable (File, fixed)
C:\WINDOWS\tool5.exe
Smitfraud-C.: Executable (File, fixed)
C:\WINDOWS\system32\paytime.exe
Smitfraud-C.: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\nvctrl.exe
Smitfraud-C.: User settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-583907252-1563985344-1343024091-1003\Software\Install\Version
Spy Sheriff: Executable (File, fixed)
C:\WINDOWS\country.exe
Vcodec: Data (File, fixing failed)
C:\WINDOWS\system32\ncompat.tlb
Vcodec: Data (File, fixed)
C:\WINDOWS\system32\ts.ico
Windows.ActiveDesktop: User settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-583907252-1563985344-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper!=W=1
SpywareQuake: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll=...dfrgsrv.exe...
Zlob.Downloader: Executable (File, fixing failed)
C:\WINDOWS\system32\nvctrl.exe
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)
BFast: Tracking cookie (Firefox: default) (Cookie, fixed)
Commission Junction: Tracking cookie (Firefox: default) (Cookie, fixed)
Commission Junction: Tracking cookie (Firefox: default) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)
FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)
HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)
TargetNet: Tracking cookie (Firefox: default) (Cookie, fixed)
Winfixer: Tracking cookie (Firefox: default) (Cookie, fixed)
Winfixer: Tracking cookie (Firefox: default) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-04-11 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-04-07 Includes\Cookies.sbi (*)
2006-04-07 Includes\Dialer.sbi (*)
2006-04-07 Includes\Hijackers.sbi (*)
2006-04-07 Includes\Keyloggers.sbi (*)
2006-04-07 Includes\Malware.sbi (*)
2006-04-07 Includes\PUPS.sbi (*)
2006-04-07 Includes\Revision.sbi (*)
2006-04-07 Includes\Security.sbi (*)
2006-04-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-04-07 Includes\Trojans.sbi (*)
Apologies if that last message sounded rude; it was just meant to be funny, but after re-reading it I thought I should clarify.