NOD32 can't clean this Trojan (Log Posted)
sLapshock
July 19th, 2006, 01:24 AM
This is the log that was posted in my NOD32
{QUOTE->
Scan performed at: 7/18/2006 10:50:29 AM
Scanning Log
NOD32 version 1.1664 (20060717) NT
Operating memory - is OK
Date: 18.7.2006 Time: 10:50:52
Scanned disks, folders and files: C:; D:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\parent.lock - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\E6BF0D51d01 - Win32/TrojanDropper.Agent.ARV trojan
Scanning interrupted by user!
Number of scanned files: 6200
Number of threats found: 1
Time of completion: 10:52:57 Total scanning time: 125 sec (00:02:05)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
<-QUOTE}
{QUOTE->
Scan performed at: 7/19/2006 11:57:33 AM
Scanning Log
NOD32 version 1.1667 (20060718) NT
Command line: C:\WINDOWS\system32\ishost.exe C:\WINDOWS\system32\ismon.exe
Operating memory - Win32/TrojanDownloader.Zlob.VB trojan
Date: 19.7.2006 Time: 12:00:53
Scanned disks, folders and files: C:\WINDOWS\system32\ishost.exe; C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\ishost.exe - Win32/TrojanDownloader.Zlob.VB trojan - deleted (after the next restart) [2]
C:\WINDOWS\system32\ismon.exe - Win32/TrojanDownloader.Zlob.VB trojan - deleted (after the next restart) [2]
Number of scanned files: 2
Number of threats found: 2
Number of files cleaned: 2
Time of completion: 12:02:13 Total scanning time: 80 sec (00:01:20)
Notes:
[2] File is being used (open or running). System restart is required for the cleaning to complete.
<-QUOTE}
{QUOTE->
C:\pagefile.sys - error opening (File locked) [4]
<-QUOTE}
{QUOTE-> C:\Documents and Settings\Lola Okhrana\ntuser.dat.LOG - error opening (File locked) [4]
<-QUOTE}
Can anyone help me how to clean this trojan from my system?
WSFuser
July 19th, 2006, 01:33 AM
Have you rebooted yet so that NOD32 may clean/delete the trojan?
NOD32 user
July 19th, 2006, 01:33 AM
The first log looks like it was just a scan, not a scan & clean - please try this.
After you restarted the PC were the detections in the second log gone?
Third and fourth logs are on their own quite normal.
Cheers :)
sLapshock
July 19th, 2006, 01:36 AM
How do I properly paste a log of NOD32? Is that the right way?
Time Module Object Name Threat Action User Information
7/19/2006 11:57:14 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/19/2006 11:57:13 AM AMON file C:\WINDOWS\system32\ismon.exe Win32/TrojanDownloader.Zlob.VB trojan NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\Program Files\ewido anti-spyware 4.0\guard.exe.
7/19/2006 11:57:12 AM AMON file C:\WINDOWS\system32\ishost.exe Win32/TrojanDownloader.Zlob.VB trojan NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\Program Files\ewido anti-spyware 4.0\guard.exe.
7/19/2006 11:55:38 AM Kernel file C:\WINDOWS\system32\ismon.exe Win32/TrojanDownloader.Zlob.VB trojan Alert was generated during the system startup file check.
7/19/2006 11:55:14 AM Kernel file C:\WINDOWS\system32\ishost.exe Win32/TrojanDownloader.Zlob.VB trojan Alert was generated during the system startup file check.
7/18/2006 23:52:50 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 23:27:45 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 23:02:42 PM AMON file C:\WINDOWS\system32\components\flx2.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:37:41 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:37:39 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:12:38 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:12:36 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 21:47:31 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 21:47:30 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 14:16:53 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 14:16:52 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:59:46 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:59:44 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:49:08 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:48:23 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:25:44 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:25:42 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:56:09 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:56:08 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:31:11 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:31:08 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:12:26 PM AMON file C:\Documents and Settings\Lola Okhrana\Local Settings\Temporary Internet Files\Content.IE5\4LMRS5A3\l11[1].exe probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\IEXPLORE.EXE. The file was moved to quarantine. You may close this window.
7/18/2006 12:06:06 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:06:05 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:58:21 AM AMON file C:\windows\system32\components\flx5.dll Win32/Hoax.Renos.DW application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
7/18/2006 11:58:19 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:58:16 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:01:04 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:01:03 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:46:01 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:36:09 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:02:13 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:02:12 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 9:37:31 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 9:37:28 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 9:35:16 AM AMON file C:\WINDOWS\system32\issearch.exe probably a variant of Win32/TrojanDownloader.Zlob.VA trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
7/18/2006 0:42:50 AM Kernel file C:\WINDOWS\system32\issearch.exe probably a variant of Win32/TrojanDownloader.Zlob.VA trojan
7/17/2006 22:55:21 PM AMON file C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\jd30sehy.exe a variant of Win32/Dialer.DialHub application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
7/17/2006 22:55:19 PM AMON file C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\F498AD79d01 a variant of Win32/Dialer.DialHub application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
7/17/2006 22:51:45 PM AMON file C:\WINDOWS\system32\pmnqguh.dll Win32/Hoax.Renos application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\components\flx5.dll. The file was moved to quarantine. You may close this window.
7/17/2006 22:49:26 PM AMON file C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\mshtml2.exe Win32/TrojanDownloader.PurityScan.BV trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\OA.exe. The file was moved to quarantine. You may close this window.
6/24/2006 22:37:34 PM AMON file C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\1cfjb76u.exe a variant of Win32/TrojanDownloader.IstBar trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE. The file was moved to quarantine. You may close this window.
6/24/2006 22:37:32 PM AMON file C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\390E18F6d01 a variant of Win32/TrojanDownloader.IstBar trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE. The file was moved to quarantine. You may close this window.
6/24/2006 22:37:27 PM IMON file hxxp://www.binarity.com/ysbinstall_1002755_3.exe a variant of Win32/TrojanDownloader.IstBar trojan SLAPSHOCK\Lola Okhrana
NOD32 user
July 19th, 2006, 01:39 AM
{QUOTE-> How do I properly paste a log of NOD32? Is that the right way? <-QUOTE}
This newer log shows all the times that NOD32 has prevented infiltrations for you...
Some of the entries are there from when ewido and others have attempted to check a file and NOD32 has checked it first on access...
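Added example (not part of the thread and not ESET's code): a small Python triage of the threat-log lines pasted above. It separates detections on files a process newly created from detections raised when another scanner touched a file, and flags a creating process that is itself detected. The line format is inferred from the pasted log; the function names `parse_line` and `triage` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the NOD32 threat log pasted above (columns flattened to
# single spaces, as in the post).
SAMPLE_LOG = r"""
7/19/2006 11:57:14 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/19/2006 11:57:12 AM AMON file C:\WINDOWS\system32\ishost.exe Win32/TrojanDownloader.Zlob.VB trojan NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\Program Files\ewido anti-spyware 4.0\guard.exe.
7/19/2006 11:55:14 AM Kernel file C:\WINDOWS\system32\ishost.exe Win32/TrojanDownloader.Zlob.VB trojan Alert was generated during the system startup file check.
7/18/2006 23:52:50 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 23:02:42 PM AMON file C:\WINDOWS\system32\components\flx2.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:58:21 AM AMON file C:\windows\system32\components\flx5.dll Win32/Hoax.Renos.DW application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
""".strip().splitlines()

# Timestamp, module and the rest of the row. The time is kept as text because
# the log mixes 24-hour values with an AM/PM suffix.
HEAD_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?:AM|PM) "
    r"(?P<module>AMON|IMON|Kernel) file (?P<rest>.+)$"
)
# Object path (may contain spaces), then the detection name.
THREAT_RE = re.compile(
    r"^(?P<object>.+?) (?:probably )?(?:a variant of )?"
    r"(?P<threat>Win32/\S+) (?:trojan|application)\b(?P<tail>.*)$"
)
# What caused the on-access scanner to look at the file, and which program did it.
TRIGGER_RE = re.compile(
    r"(?P<kind>new file created|attempt to access the file) "
    r"by the application: (?P<app>.+?)\.(?: |$)"
)


def parse_line(line):
    """Return a dict for one threat-log row, or None if the row does not parse."""
    head = HEAD_RE.match(line.strip())
    if not head:
        return None
    body = THREAT_RE.match(head["rest"])
    if not body:
        return None
    event = {
        "date": head["date"],
        "time": head["time"],
        "module": head["module"],
        "object": body["object"],
        "threat": body["threat"],
        "trigger": "unspecified",
        "app": None,
    }
    trig = TRIGGER_RE.search(body["tail"])
    if trig:
        created = trig["kind"].startswith("new file")
        event["trigger"] = "created" if created else "on-access"
        event["app"] = trig["app"]
    elif "startup file check" in body["tail"]:
        event["trigger"] = "startup-check"
    return event


def triage(lines):
    """Group detections by the program that created the detected file.

    Returns (report, scanners): report maps each creating program to its drop
    count, the files it dropped, and whether that program is itself a detected
    object elsewhere in the log; scanners is the set of programs whose file
    access merely triggered an on-access detection.
    """
    events = [e for e in map(parse_line, lines) if e]
    detected = {e["object"].lower() for e in events}  # Windows paths: ignore case
    drops = defaultdict(Counter)
    scanners = set()
    for e in events:
        if e["trigger"] == "created":
            drops[e["app"].lower()][e["object"].lower()] += 1
        elif e["trigger"] == "on-access":
            scanners.add(e["app"].lower())
    report = {
        app: {
            "drops": sum(objs.values()),
            "objects": sorted(objs),
            "creator_itself_detected": app in detected,
        }
        for app, objs in drops.items()
    }
    return report, scanners


if __name__ == "__main__":
    report, scanners = triage(SAMPLE_LOG)
    for app, info in sorted(report.items(), key=lambda kv: -kv[1]["drops"]):
        print(app, info)
    print("on-access triggers from:", sorted(scanners))
```

A creating program with repeated drops that is also a detected object is the file to confirm gone after the reboot; entries attributed to another scanner's access are not new infections.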
sLapshock
July 19th, 2006, 01:43 AM
ok this is my log
Scan performed at: 7/19/2006 12:41:45 PM
Scanning Log
NOD32 version 1.1667 (20060718) NT
Command line: C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
Operating memory - is OK
Date: 19.7.2006 Time: 12:41:51
Scanned disks, folders and files: C:\
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar.zip »ZIP »nsv48.tmp - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar1.zip »ZIP »nsv47.tmp - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar1.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\parent.lock - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\4906828Dd01 »ZIP »smitRem/Process.exe - Win32/PrcView application - was a part of the deleted object
C:\Documents and Settings\Lola Okhrana\Local Settings\Temp\8jv8op36.zip »ZIP »Rempit....avi - archive damaged
C:\Documents and Settings\Lola Okhrana\Local Settings\Temp\hsperfdata_Lola Okhrana\4788 - error opening (Access denied) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Temp\_PegEx~1\Program Files\TCPMP\language.tgz »GZ »language.tar »TAR - archive damaged
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Program Files\BitComet\fav\search_el_gr.mht »MIME - error occurred while reading archive
C:\Program Files\MySQL\MySQL Server 5.0\Docs\manual.chm »CHM »::DataSpace/Storage/MSCompressed/Content - error occurred while reading archive
C:\Program Files\Roguescanfix\Process.exe - Win32/PrcView application - Error quarantining the object - - unable to clean - deleted
C:\WINDOWS\SoftwareDistribution\EventCache\{623A84EF-B288-4D5A-89B4-FA89E151315F}.bin - error opening (File locked) [4]
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\dtscsi.sys - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd.sys - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd1853.sys - error opening (File locked) [4]
Number of scanned files: 285383
Number of threats found: 2
Number of files cleaned: 2
Time of completion: 13:08:38 Total scanning time: 1607 sec (00:26:47)
Notes:
[4] File cannot be opened. It may be in use by another application or operating system.
How do I know my trojan.zlob.zb is cleaned from my system?
ewido software doesn't detect anything
NOD32 user
July 19th, 2006, 01:51 AM
ewido is not detecting anything because NOD32 is preventing anything from accessing the detected files.
Please scroll up a bit to posts #2, #3 and #5 and let us know how you go after that...
...or if post#6 is after you have rebooted your PC already then it should now be just fine :)
Cheers :)
sLapshock
July 19th, 2006, 02:00 AM
done.
If NOD32 doesn't let anything access... so what's the use of ewido to me now?
NOD32 user
July 19th, 2006, 02:09 AM
{QUOTE-> done.
If NOD32 doesn't let anything access... so what's the use of ewido to me now? <-QUOTE}
Many people use multiple on-demand scanners (but only one real-time AV) - one acts as a double check for the other since none are perfect on their own.
If you wish to use ewido to double check your system I would suggest the following
Run a full scan and clean with NOD32 like post#6
Scan and clean with ewido or whatever other trusted application you choose to use
That is really all that is necessary since after having first run a full scan anything NOD32 would prevent access to because of detection should already be gone anyway...
Also, you may wish to verify that some registry cleaner hasn't removed the entry for the NOD32 Quarantine folder - if it has I'd suggest restoring it.
Cheers :)
sLapshock
July 19th, 2006, 02:41 AM
{QUOTE->
Also, you may wish to verify that some registry cleaner hasn't removed the entry for the NOD32 Quarantine folder - if it has I'd suggest restoring it.
Cheers :) <-QUOTE}
thanks for the reply
Anyway, how do I do that? I'm using Registry Mechanic.
NOD32 user
July 19th, 2006, 02:57 AM
Not entirely familiar with registry mechanic, but you should be able to restore it as follows:-
Open the NOD32 Control Center
in the left side, navigate to 'NOD32 System Tools' --> 'NOD32 System Setup'
in the right side click 'Setup' and enter your settings password if you have one
click on the 'Advanced' tab
notice the Quarantine section at the bottom
if you have not already changed it in the past, it should say 'C:\Program Files\Eset\infected' otherwise fill it in now.
click OK
in the left side, navigate to 'NOD32 System Tools' --> 'Quarantine'
use 'Add' to move a file to the quarantine folder to check (some file you don't need - a blank text file you have created on your desktop?)
The file you just added should appear at the top of the Quarantined list
Cheers :)
sLapshock
July 19th, 2006, 04:39 AM
Where can I get a password and username for NOD32?
NOD32 user
July 19th, 2006, 04:45 AM
You can buy a username and password (licence) for NOD32 from pretty much any reseller worldwide, but unless there was a special reason I would suggest your local reseller...
What part of the world are you in?
sLapshock
July 19th, 2006, 08:46 AM
I'm in Singapore.
Anyway, when I opened my Internet Explorer, it directs me to www,sysprotectionpage.net (if I'm not wrong)
and also is it safe to remove
HKLM\SOFTWARE\Microsoft\Windows\CurrentWindows\policies\explorer\run\\kernel32.dll which is infected with Trojan.Small
and
C:\Windows\System32\isnotify.exe which is infected with Downloader.Zlob.zd
Can I remove both of these files, which are in my quarantine now?
NOD32 user
July 19th, 2006, 08:56 AM
Singapore - you should be able to find a local reseller that pleases you -->HERE (http://www.nod32.com.sg/purchase/location.php)<--
Yes - clean out your quarantine any time you choose.
Cheers :)
ASpace
July 19th, 2006, 09:12 AM
{QUOTE-> I'm in Singapore.
Anyway, when I opened my Internet Explorer, it directs me to www,sysprotectionpage.net (if I'm not wrong)
and also is it safe to remove
HKLM\SOFTWARE\Microsoft\Windows\CurrentWindows\policies\explorer\run\\kernel32.dll which is infected with Trojan.Small
and
C:\Windows\System32\isnotify.exe which is infected with Downloader.Zlob.zd
Can I remove both of these files, which are in my quarantine now? <-QUOTE}
Please check your Private Messages! ;D :thumb:
sLapshock
July 19th, 2006, 10:08 PM
My Internet Explorer still redirects me to www,sysprotectionpage.net, no matter how many thousand times I scan with ewido or NOD32. Note that I also use software like
HijackThis
SmitFraud
UnDLL for NOD32
FixReg.req
SmitREm
bla bla bla....
and also online scan...panda software..
but my IE still redirects me to www,sysprotectionpage.net
and also in my C:\ there's a lot of sqmdata0x
*x = number
Please, please help. I'm begging.
Bubba
July 19th, 2006, 10:17 PM
Hello sLapshock,
As I have noted in 2 of your posts I have edited....that clickable link is a known CWS.VCodec group of badware folks. If you don't mind....if you feel you need to post those links in the future in this thread....Please make them non-clickable.
Thanks,
Bubba
As for your problem....it appears you recognize that it is a possible Smitfraud problem. As such....that would normally require running a special tool and for that reason I suggest you post a HijackThis log at one of the below Forums that deal with this sort of thing.
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://bfccomputerhelp.com/index.php?showforum=5
http://forums.subratam.org/index.php?showforum=7
Just select one Forum to post to. Your problem probably needs special attention since I don't think regular scanners will deal with it.
NOD32 user
July 19th, 2006, 10:19 PM
Hi sLapshock,
Please be careful when posting reference to a potentially malicious web address that you use the advanced method to make your post and uncheck the box below that says 'Automatically parse links in text', or use commas or something instead of the dots - the mods have helped you with this a couple of times so far. (OK Bubba - you beat me to it ;D)
Have you reset your homepage to something you like and it is automatically being changed back? Or do you need some help to change it?
sLapshock
July 19th, 2006, 10:22 PM
Sorry guys, I will not post malicious links.
What about the sqmdata01.sqm? There's a lot in my C:\
NOD32 user
July 19th, 2006, 10:28 PM
{QUOTE-> Sorry guys, I will not post malicious links.
What about the sqmdata01.sqm? There's a lot in my C:\ <-QUOTE}
It appears that they may be from SquirrelMail software - have you ever used that?
Or Windows Live Messenger?
Blackspear
July 19th, 2006, 10:30 PM
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Reboot your PC into "Safe Mode".
2. Double click on VundoFix.exe
3. Place a tick next to "Run VundoFix" as a task.
4. You will receive a message saying VundoFix will close and re-open in a minute or less.
5. Click "OK".
6. When VundoFix re-opens, click the "Scan for Vundo" button.
7. Once it's done scanning, click the "Remove Vundo" button.
8. You will receive a prompt asking if you want to remove the files, click "Yes".
9. Once you click yes, your desktop will go blank as it starts removing Vundo.
10. When completed, it will prompt that it will shutdown your computer, click "Ok".
11. Turn on your computer.
Let us know how you go...
Cheers ;D
sLapshock
July 19th, 2006, 10:30 PM
what is that software?
nope.
NOD32 user
July 19th, 2006, 10:41 PM
{QUOTE-> what is that software?
nope. <-QUOTE}
Go with what Bubba and Blackspear said above in any case...
Cheers :)
sLapshock
July 19th, 2006, 10:46 PM
Okay, I will try it. I'm at school now. Are there any other methods available?
NOD32 user
July 19th, 2006, 10:48 PM
What has been suggested is the best method available to make sure your PC is clean.
Cheers :)
sLapshock
July 20th, 2006, 05:09 AM
{QUOTE-> Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Reboot your PC into "Safe Mode".
2. Double click on VundoFix.exe
3. Place a tick next to "Run VundoFix" as a task.
4. You will receive a message saying VundoFix will close and re-open in a minute or less.
5. Click "OK".
6. When VundoFix re-opens, click the "Scan for Vundo" button.
7. Once it's done scanning, click the "Remove Vundo" button.
8. You will receive a prompt asking if you want to remove the files, click "Yes".
9. Once you click yes, your desktop will go blank as it starts removing Vundo.
10. When completed, it will prompt that it will shutdown your computer, click "Ok".
11. Turn on your computer.
Let us know how you go...
Cheers ;D <-QUOTE}
Funny, the VundoFix promises to start in less than a minute, but I waited for 10 mins and it didn't start back.
Anyway, this is my latest HijackThis log:
{QUOTE->
Logfile of HijackThis v1.99.1
Scan saved at 5:08:10 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Nokia\Update_Manager\bin\UMScheduler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Documents\Quarantine\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-ap.fujitsu.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: UMScheduler 2.0.lnk = C:\Nokia\Update_Manager\bin\UMScheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
<-QUOTE}
Now, yeah, after I deleted ixto.dll using HijackThis in safe mode, my IE didn't redirect to the damned page, but now I'm scratching my head over the sqmdata.sqm file in my local C drive.
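Added example (not part of any post in this thread): a small Python parser for the HijackThis v1.99.1 log format shown above that pulls out the entries the tool itself marked `(no file)` or `(file missing)` and checks each against the running-process list. The sample is a constructed excerpt of the log above, and the function names are this example's own.

```python
import re

# Constructed sample: a short excerpt of the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\issearch.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - (no file)
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")                 # e.g. "O23 - Service: ..."
ORPHAN = re.compile(r"\((no file|file missing)\)\s*$")      # HijackThis' own markers
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]*?\.exe', re.IGNORECASE)

def parse(log):
    """Split a HijackThis log into running-process paths and (code, text) entries."""
    running, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            running.append(line)
    return running, entries

def orphaned(log):
    """Entries marked (no file)/(file missing), with a flag saying whether the
    referenced executable nevertheless appears in the running-process list."""
    running, entries = parse(log)
    live = {p.lower() for p in running}
    out = []
    for code, text in entries:
        m = ORPHAN.search(text)
        if not m:
            continue
        exe = EXE_PATH.search(text)
        is_running = bool(exe) and exe.group(0).lower() in live
        out.append({"code": code, "marker": m.group(1), "running": is_running, "text": text})
    return out
```

The Apache2 service is marked missing while the same `Apache.exe` path is in the running-process list, so that marker says more about how the command line was read than about a missing binary. `C:\Program.exe` for MySQL is consistent with a service path beginning `C:\Program Files\...` being cut at the first space.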
Blackspear
July 20th, 2006, 06:17 AM
Because you still have this file: C:\WINDOWS\system32\issearch.exe I'll get you to follow the instructions found HERE (http://forums.majorgeeks.com/showthread.php?t=88420)
Then please post a further HijackThis Log.
Cheers ;D
PS: For future reference please do not post a HijackThis Log unless asked by a Moderator.
auriell
July 20th, 2006, 07:21 AM
OMG! Try to clean startup from unnecessary entries.
NOD32 user
July 20th, 2006, 07:25 AM
{QUOTE-> OMG! Try to clean startup from unnecessary entries. <-QUOTE}
heheh - you haven't seen mine :):o :shifty: :P :thumb:
sLapshock
July 20th, 2006, 09:19 AM
I've got a problem now: the smitRem RunThis.bat just refuses to run. It opens an MS-DOS prompt and closes it in a blink.
Also, in my WINDOWS folder there are a lot of hidden $NtUninstallKB885835$, $NtUninstallKB896422$ files... I mean lots of them, same pattern with different numbers, and KB905414.log, KB914389.log... and by a lot I mean like 30++ of them in my C:\WINDOWS\
Blackspear
July 20th, 2006, 09:22 AM
{QUOTE-> I've got a problem now: the smitRem RunThis.bat just refuses to run. It opens an MS-DOS prompt and closes it in a blink. <-QUOTE}
Forget the rest, just concentrate on the job at hand.
Have you done the following:
{QUOTE-> If you cannot get RunThis.bat to work in safe mode, REBOOT into normal mode (with no internet connection) and repeat the above step from the point of booting in safe mode. <-QUOTE}
Blackspear.
sLapshock
July 20th, 2006, 10:07 AM
When I want to download smitRem.exe, a popup comes up saying C:\DOCUME~1\LOCALS~1\Temp\fmqt5h01.exe could not be saved, because the source file could not be read (using Firefox).
When I'm using Internet Explorer... it says the internet connection reset abnormally.
Elwood
July 20th, 2006, 12:51 PM
Clear your Firefox cache, downloads history and empty the contents of your Temp directory and see if you can then download the tool. Reboot before emptying Temp if you have not since installing any programs or updates.
1. Navigate to the user's temporary directory.
2. By default the directory is located at C:\Documents and Settings\username\Local Settings\Temp\.
3. Press control-A to select all files and folders.
4. Press the delete key. (shift+delete bypasses the recycle bin)
alglove
July 20th, 2006, 01:00 PM
{QUOTE-> Also, in my WINDOWS folder there are a lot of hidden $NtUninstallKB885835$, $NtUninstallKB896422$ files... I mean lots of them, same pattern with different numbers, and KB905414.log, KB914389.log... and by a lot I mean like 30++ of them in my C:\WINDOWS\ <-QUOTE}
This is normal. These hidden (and usually compressed) folders are created when you install patches from Microsoft, such as the security patches from Windows Update. These folders are created in case you want to uninstall the patches at a later date. The numbers refer to the article numbers within the Microsoft Knowledge Base. For example:
http://support.microsoft.com/kb/905414
http://support.microsoft.com/kb/914389
etc.
sLapshock
July 20th, 2006, 09:32 PM
Thanks guys, I think my computer is cleaned now. I didn't know what I really did, but I followed most of the methods given by you guys, including those who private messaged me. :)
I will come back here if any more probs persist.
Blackspear
July 20th, 2006, 09:46 PM
Good to see and thanks for letting us know.
Cheers ;D
NOD32 user
July 20th, 2006, 09:59 PM
{QUOTE-> Thanks guys, I think my computer is cleaned now. I didn't know what I really did, but I followed most of the methods given by you guys, including those who private messaged me. :)
I will come back here if any more probs persist. <-QUOTE}
Indeed - and you would be most welcome :)
Thanks for helping out when you did Blackspear - the way I was reading it earlier it was all good....
Cheers ;D
Blackspear
July 20th, 2006, 10:01 PM
{QUOTE-> Thanks for helping out when you did Blackspear - the way I was reading it earlier it was all good.... <-QUOTE}
My pleasure Mate, it was when I suddenly realised what we were dealing with that I knew the solution...
Cheers ;D
divedog
July 22nd, 2006, 02:04 PM
Slapshock, is your Java up to date?
http://www.dslreports.com/forum/remark,14738046
Copyright ©2002 - 2009, Wilders Security Forums