Wilders Security Forums  

  #1  
Old July 19th, 2006, 01:24 AM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16
Default NOD32 can't clean this Trojan (Log Posted)

This is the log that was posted in my NOD32

Quote:
Scan performed at: 7/18/2006 10:50:29 AM
Scanning Log
NOD32 version 1.1664 (20060717) NT
Operating memory - is OK

Date: 18.7.2006 Time: 10:50:52
Scanned disks, folders and files: C:; D:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\parent.lock - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\E6BF0D51d01 - Win32/TrojanDropper.Agent.ARV trojan
Scanning interrupted by user!

Number of scanned files: 6200
Number of threats found: 1
Time of completion: 10:52:57 Total scanning time: 125 sec (00:02:05)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.


Quote:
Scan performed at: 7/19/2006 11:57:33 AM
Scanning Log
NOD32 version 1.1667 (20060718) NT
Command line: C:\WINDOWS\system32\ishost.exe C:\WINDOWS\system32\ismon.exe
Operating memory - Win32/TrojanDownloader.Zlob.VB trojan

Date: 19.7.2006 Time: 12:00:53
Scanned disks, folders and files: C:\WINDOWS\system32\ishost.exe; C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\ishost.exe - Win32/TrojanDownloader.Zlob.VB trojan - deleted (after the next restart) [2]
C:\WINDOWS\system32\ismon.exe - Win32/TrojanDownloader.Zlob.VB trojan - deleted (after the next restart) [2]
Number of scanned files: 2
Number of threats found: 2
Number of files cleaned: 2
Time of completion: 12:02:13 Total scanning time: 80 sec (00:01:20)

Notes:
[2] File is being used (open or running). System restart is required for the cleaning to complete.


Quote:
C:\pagefile.sys - error opening (File locked) [4]

Quote:
C:\Documents and Settings\Lola Okhrana\ntuser.dat.LOG - error opening (File locked) [4]

Can anyone help me how to clean this trojan from my system?
  #2  
Old July 19th, 2006, 01:33 AM
WSFuser WSFuser is offline
Incredibly Massive Poster
 
Join Date: Oct 2004
Location: California, USA
Posts: 10,324

Have you rebooted yet so that NOD32 may clean/delete the trojan?
  #3  
Old July 19th, 2006, 01:33 AM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766

The first log looks like it was just a scan, not a scan & clean - please try this.

After you restarted the PC were the detections in the second log gone?

Third and fourth logs are on their own quite normal.

Cheers
__________________
1. What is right is always The Truth.
2. Every Truth is supported in agreement by every Truth.
3. If the facts would persuade you otherwise, see 1.

ESET Reseller (Australia)
  #4  
Old July 19th, 2006, 01:36 AM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16

How do I properly paste a log of NOD32? Is that the right way?

Code:
Time Module Object Name Threat Action User Information
7/19/2006 11:57:14 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/19/2006 11:57:13 AM AMON file C:\WINDOWS\system32\ismon.exe Win32/TrojanDownloader.Zlob.VB trojan NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\Program Files\ewido anti-spyware 4.0\guard.exe.
7/19/2006 11:57:12 AM AMON file C:\WINDOWS\system32\ishost.exe Win32/TrojanDownloader.Zlob.VB trojan NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\Program Files\ewido anti-spyware 4.0\guard.exe.
7/19/2006 11:55:38 AM Kernel file C:\WINDOWS\system32\ismon.exe Win32/TrojanDownloader.Zlob.VB trojan Alert was generated during the system startup file check.
7/19/2006 11:55:14 AM Kernel file C:\WINDOWS\system32\ishost.exe Win32/TrojanDownloader.Zlob.VB trojan Alert was generated during the system startup file check.
7/18/2006 23:52:50 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 23:27:45 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 23:02:42 PM AMON file C:\WINDOWS\system32\components\flx2.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:37:41 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:37:39 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:12:38 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 22:12:36 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 21:47:31 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 21:47:30 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 14:16:53 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 14:16:52 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:59:46 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:59:44 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:49:08 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:48:23 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:25:44 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 13:25:42 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:56:09 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:56:08 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:31:11 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:31:08 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:12:26 PM AMON file C:\Documents and Settings\Lola Okhrana\Local Settings\Temporary Internet Files\Content.IE5\4LMRS5A3\l11[1].exe probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\Program Files\Internet Explorer\IEXPLORE.EXE. The file was moved to quarantine. You may close this window.
7/18/2006 12:06:06 PM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 12:06:05 PM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:58:21 AM AMON file C:\windows\system32\components\flx5.dll Win32/Hoax.Renos.DW application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
7/18/2006 11:58:19 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:58:16 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:01:04 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 11:01:03 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:46:01 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:36:09 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:02:13 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 10:02:12 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 9:37:31 AM AMON file C:\WINDOWS\system32\components\flx1.dll a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 9:37:28 AM AMON file C:\WINDOWS\system32\components\flx1.dll probably a variant of Win32/TrojanDownloader.Zlob.VB trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\ishost.exe. The file was moved to quarantine. You may close this window.
7/18/2006 9:35:16 AM AMON file C:\WINDOWS\system32\issearch.exe probably a variant of Win32/TrojanDownloader.Zlob.VA trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
7/18/2006 0:42:50 AM Kernel file C:\WINDOWS\system32\issearch.exe probably a variant of Win32/TrojanDownloader.Zlob.VA trojan
7/17/2006 22:55:21 PM AMON file C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\jd30sehy.exe a variant of Win32/Dialer.DialHub application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
7/17/2006 22:55:19 PM AMON file C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\F498AD79d01 a variant of Win32/Dialer.DialHub application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe. The file was moved to quarantine. You may close this window.
7/17/2006 22:51:45 PM AMON file C:\WINDOWS\system32\pmnqguh.dll Win32/Hoax.Renos application quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\WINDOWS\system32\components\flx5.dll. The file was moved to quarantine. You may close this window.
7/17/2006 22:49:26 PM AMON file C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\mshtml2.exe Win32/TrojanDownloader.PurityScan.BV trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\OA.exe. The file was moved to quarantine. You may close this window.
6/24/2006 22:37:34 PM AMON file C:\DOCUME~1\LOLAOK~1\LOCALS~1\Temp\1cfjb76u.exe a variant of Win32/TrojanDownloader.IstBar trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE. The file was moved to quarantine. You may close this window.
6/24/2006 22:37:32 PM AMON file C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\390E18F6d01 a variant of Win32/TrojanDownloader.IstBar trojan quarantined - deleted SLAPSHOCK\Lola Okhrana Event occurred on a new file created by the application: C:\PROGRA~1\MOZILL~1\FIREFOX.EXE. The file was moved to quarantine. You may close this window.
6/24/2006 22:37:27 PM IMON file hxxp://www.binarity.com/ysbinstall_1002755_3.exe a variant of Win32/TrojanDownloader.IstBar trojan SLAPSHOCK\Lola Okhrana

Last edited by Blackspear : July 19th, 2006 at 02:13 AM. Reason: Disabled link
  #5  
Old July 19th, 2006, 01:39 AM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766

Quote:
Originally Posted by sLapshock
How do I properly paste a log of NOD32? Is that the right way?

This newer log shows all the times that NOD32 has prevented infiltrations for you...
Some of the entries are there from when ewido and others have attempted to check a file and NOD32 has checked it first on access...
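The reading of the threat log given in post #5, as an added example (not part of the original thread and not ESET tooling): a short Python triage of a log in the flattened layout pasted in post #4. It separates alerts raised only because another program touched a file from files that a detected program keeps re-creating. The sample entries are constructed in the page's layout, and all function names are this example's own.

```python
"""Triage a flattened NOD32 threat log: which program keeps creating detected files?"""
import re
from collections import Counter

TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
ENTRY = re.compile(
    rf"^(?P<time>{TS}) (?P<module>AMON|IMON|Kernel) file (?P<object>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?Win32/\S+) (?:trojan|application)"
    r"(?P<rest>.*)$",
    re.S,
)
CREATED = re.compile(r"new file created by the application: (.+?)\. The file")
ACCESSED = re.compile(r"attempt to access the file by the application: (.+?)\.\s*$")

SYS32, USER = r"C:\WINDOWS\system32", r"SLAPSHOCK\Lola Okhrana"
ZLOB = "a variant of Win32/TrojanDownloader.Zlob.VB trojan"


def amon_created(ts, obj, threat, creator):
    """Build one 'new file created by' entry in the page's layout (constructed)."""
    return (f"{ts} AMON file {obj} {threat} quarantined - deleted {USER} "
            f"Event occurred on a new file created by the application: {creator}. "
            "The file was moved to quarantine. You may close this window. ")


# Constructed sample: entries run together on one line, as in the pasted log.
SAMPLE = "".join([
    amon_created("7/19/2006 11:57:14 AM", rf"{SYS32}\components\flx1.dll", ZLOB, rf"{SYS32}\ishost.exe"),
    rf"7/19/2006 11:57:13 AM AMON file {SYS32}\ismon.exe Win32/TrojanDownloader.Zlob.VB trojan "
    r"NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: "
    r"C:\Program Files\ewido anti-spyware 4.0\guard.exe. ",
    rf"7/19/2006 11:55:14 AM Kernel file {SYS32}\ishost.exe Win32/TrojanDownloader.Zlob.VB trojan "
    "Alert was generated during the system startup file check. ",
    amon_created("7/18/2006 23:52:50 PM", rf"{SYS32}\components\flx1.dll", ZLOB, rf"{SYS32}\ishost.exe"),
    amon_created("7/18/2006 12:12:26 PM",
                 r"C:\Documents and Settings\Lola Okhrana\Local Settings\Temporary Internet Files"
                 r"\Content.IE5\4LMRS5A3\l11[1].exe",
                 "probably " + ZLOB, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
    amon_created("7/18/2006 11:58:21 AM", r"C:\windows\system32\components\flx5.dll",
                 "Win32/Hoax.Renos.DW application", r"C:\WINDOWS\Explorer.EXE"),
    amon_created("7/17/2006 22:51:45 PM", rf"{SYS32}\pmnqguh.dll",
                 "Win32/Hoax.Renos application", rf"{SYS32}\components\flx5.dll"),
])


def split_entries(text):
    """Cut the run-together text at every timestamp that starts an entry."""
    starts = [m.start() for m in re.finditer(TS, text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def parse_entry(raw):
    """Return the fields of one entry, or None if it does not fit the layout."""
    m = ENTRY.match(raw)
    if not m:
        return None
    rest = m["rest"].strip()
    created, accessed = CREATED.search(rest), ACCESSED.search(rest)
    return {
        "time": m["time"], "module": m["module"], "threat": m["threat"],
        # Windows paths are case-insensitive; the log mixes C:\WINDOWS and C:\windows.
        "object": m["object"].lower(),
        "creator": created.group(1).lower() if created else None,
        "accessor": accessed.group(1).lower() if accessed else None,
    }


def triage(text):
    events = [e for e in map(parse_entry, split_entries(text)) if e]
    detected = {e["object"] for e in events}
    creators = Counter(e["creator"] for e in events if e["creator"])
    recreated = Counter(e["object"] for e in events if e["creator"])
    return {
        "events": len(events),
        # Quarantined files that came back: something still running re-creates them.
        "recurring": sorted(o for o, n in recreated.items() if n > 1),
        # Creators that are themselves detected elsewhere in the log.
        "detected_creators": sorted(c for c in creators if c in detected),
        # Creators never detected (browser, shell): the delivery path, not the payload.
        "clean_creators": sorted(c for c in creators if c not in detected),
        # Alerts raised because another program opened an already-detected file.
        "on_access_by": sorted({e["accessor"] for e in events if e["accessor"]}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A file listed under `recurring` whose creator appears under `detected_creators` will keep reappearing until that creator is removed, which is what the reboot-time deletion of `ishost.exe` in the second log of post #1 addresses.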
  #6  
Old July 19th, 2006, 01:43 AM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16

ok this is my log

Code:
Scan performed at: 7/19/2006 12:41:45 PM
Scanning Log
NOD32 version 1.1667 (20060718) NT
Command line: C:\ /adware /ah /all /arch+ /clean /cleanmode /delete /heur+ /log+ /mailbox+ /ntfs+ /pack+ /quarantine /scanboot+ /scanmbr+ /scanmem+ /scroll+ /sfx+ /unsafe /wrap+
Operating memory - is OK

Date: 19.7.2006 Time: 12:41:51
Scanned disks, folders and files: C:\
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar.zip »ZIP »nsv48.tmp - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar1.zip »ZIP »nsv47.tmp - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HotsearchBar1.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterAntiVirusDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsSecurityCenterUpdateDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\parent.lock - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Application Data\Mozilla\Firefox\Profiles\tbqgv2q3.default\Cache\4906828Dd01 »ZIP »smitRem/Process.exe - Win32/PrcView application - was a part of the deleted object
C:\Documents and Settings\Lola Okhrana\Local Settings\Temp\8jv8op36.zip »ZIP »Rempit....avi - archive damaged
C:\Documents and Settings\Lola Okhrana\Local Settings\Temp\hsperfdata_Lola Okhrana\4788 - error opening (Access denied) [4]
C:\Documents and Settings\Lola Okhrana\Local Settings\Temp\_PegEx~1\Program Files\TCPMP\language.tgz »GZ »language.tar »TAR - archive damaged
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Program Files\BitComet\fav\search_el_gr.mht »MIME - error occurred while reading archive
C:\Program Files\MySQL\MySQL Server 5.0\Docs\manual.chm »CHM »::DataSpace/Storage/MSCompressed/Content - error occurred while reading archive
C:\Program Files\Roguescanfix\Process.exe - Win32/PrcView application - Error quarantining the object - - unable to clean - deleted
C:\WINDOWS\SoftwareDistribution\EventCache\{623A84EF-B288-4D5A-89B4-FA89E151315F}.bin - error opening (File locked) [4]
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\dtscsi.sys - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd.sys - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd1853.sys - error opening (File locked) [4]
Number of scanned files: 285383
Number of threats found: 2
Number of files cleaned: 2
Time of completion: 13:08:38 Total scanning time: 1607 sec (00:26:47)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.

How do I know my trojan.zlob.zb is cleaned from my system?

ewido software doesn't detect anything
  #7  
Old July 19th, 2006, 01:51 AM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766

ewido is not detecting anything because NOD32 is preventing anything from accessing the detected files.

Please scroll up a bit to posts #2, #3 and #5 and let us know how you go after that...
...or if post#6 is after you have rebooted your PC already then it should now be just fine

Cheers

Last edited by NOD32 user : July 19th, 2006 at 02:01 AM. Reason: or if post#6 is after...
  #8  
Old July 19th, 2006, 02:00 AM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16

done.

If NOD32 doesn't let anything access... so what's the use of ewido to me now?
  #9  
Old July 19th, 2006, 02:09 AM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766

Quote:
Originally Posted by sLapshock
done.

If NOD32 doesn't let anything access... so what's the use of ewido to me now?

Many people use multiple on-demand scanners (but only one real-time AV) - one acts as a double check for the other since none are perfect on their own.
If you wish to use ewido to double check your system I would suggest the following:
  1. Run a full scan and clean with NOD32 like post#6
  2. Scan and clean with ewido or whatever other trusted application you choose to use

That is really all that is necessary since after having first run a full scan anything NOD32 would prevent access to because of detection should already be gone anyway...

Also, you may wish to verify that some registry cleaner hasn't removed the entry for the NOD32 Quarantine folder - if it has I'd suggest restoring it.

Cheers
  #10  
Old July 19th, 2006, 02:41 AM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16

Quote:
Originally Posted by NOD32 user
Also, you may wish to verify that some registry cleaner hasn't removed the entry for the NOD32 Quarantine folder - if it has I'd suggest restoring it.

Cheers

thanks for the reply

Anyway, how do I do that? I'm using Registry Mechanic.
  #11  
Old July 19th, 2006, 02:57 AM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766

Not entirely familiar with registry mechanic, but you should be able to restore it as follows:-
  1. Open the NOD32 Control Center
  2. in the left side, navigate to 'NOD32 System Tools' --> 'NOD32 System Setup'
  3. in the right side click 'Setup' and enter your settings password if you have one
  4. click on the 'Advanced' tab
  5. notice the Quarantine section at the bottom
  6. if you have not already changed it in the past, it should say 'C:\Program Files\Eset\infected' otherwise fill it in now.
  7. click OK
  8. in the left side, navigate to 'NOD32 System Tools' --> 'Quarantine'
  9. use 'Add' to move a file to the quarantine folder to check (some file you don't need - a blank text file you have created on your desktop?)
  10. The file you just added should appear at the top of the Quarantined list

Cheers
  #12  
Old July 19th, 2006, 04:39 AM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16

Where can I get a password and username for NOD32?
  #13  
Old July 19th, 2006, 04:45 AM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766

You can buy a username and password (licence) for NOD32 from pretty much any reseller worldwide, but unless there was a special reason I would suggest your local reseller...

What part of the world are you in?
  #14  
Old July 19th, 2006, 08:46 AM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16

I'm in Singapore.

Anyway, when I opened my Internet Explorer, it directed me to www,sysprotectionpage.net (if I'm not wrong)

and also is it safe to remove

HKLM\SOFTWARE\Microsoft\Windows\CurrentWindows\policies\explorer\run\\kernel32.dll which is infected with Trojan.Small

and

C:\Windows\System32\isnotify.exe which is infected with Downloader.Zlob.zd

Can I remove both of these files, which are in my quarantine now?

Last edited by Bubba : July 19th, 2006 at 09:11 AM. Reason: modified URL to not be linkable....CWS.VCodec group
  #15  
Old July 19th, 2006, 08:56 AM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766
Default Re: NOD32 cant cleaned this Trojan (Log Posted)

Singapore - you should be able to find a local reseller that pleases you -->HERE<--

Yes - clean out your quarantine any time you choose.

Cheers
  #16  
Old July 19th, 2006, 09:12 AM
ASpace
 
Posts: n/a
Default Re: NOD32 cant cleaned this Trojan (Log Posted)

Quote:
Originally Posted by sLapshock
I'm in Singapore.

Anyway, when I opened my Internet Explorer, it directed me to www,sysprotectionpage.net (if I'm not wrong)

and also, is it safe to remove

HKLM\SOFTWARE\Microsoft\Windows\CurrentWindows\policies\explorer\run\\kernel32.dll, which is infected with Trojan.Small

and

C:\Windows\System32\isnotify.exe, which is infected with Downloader.Zlob.zd?

Can I remove both of these files, which are in my quarantine now?


Please check your Private Messages!
  #17  
Old July 19th, 2006, 10:08 PM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16
Default Re: NOD32 cant cleaned this Trojan (Log Posted)

My Internet Explorer still redirects me to www,sysprotectionpage.net, no matter how many thousand times I scan with ewido or NOD32. Note that I also use software like

HijackThis
SmitFraud
UnDLL for NOD32
FixReg.req
SmitREm
bla bla bla....

and also online scan...Panda Software..

but my IE still redirects me to www,sysprotectionpage.net

and also in my C:\ there's a lot of sqmdata0x
*x = number

Pls pls help. I'm begging.

Last edited by Bubba : July 19th, 2006 at 10:19 PM. Reason: modified URL to not be linkable....CWS.VCodec group
  #18  
Old July 19th, 2006, 10:17 PM
Bubba Bubba is offline
Global Moderator
 
Join Date: Apr 2002
Posts: 11,279
Default Re: NOD32 cant cleane this Trojan (Log Posted)

Hello sLapshock,

As I have noted in 2 of your posts I have edited....that clickable link is a known CWS.VCodec group of badware folks. If you don't mind....if you feel you need to post those links in the future in this thread....Please make them non-clickable.

Thanks,
Bubba

As for your problem....it appears you recognize that it is a possible Smitfraud problem. As such....that would normally require running a special tool and for that reason I suggest you post a HijackThis log at one of the below Forums that deal with this sort of thing.

http://gladiator-antivirus.com/forum...?showforum=170

http://bfccomputerhelp.com/index.php?showforum=5

http://forums.subratam.org/index.php?showforum=7

Just select one Forum to post to. Your problem probably needs special attention since I don't think regular scanners will deal with it.

Last edited by Bubba : July 19th, 2006 at 10:24 PM.
  #19  
Old July 19th, 2006, 10:19 PM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766
Question Re: NOD32 cant cleaned this Trojan (Log Posted)

Hi sLapshock,

Please be careful when posting reference to a potentially malicious web address that you use the advanced method to make your post and uncheck the box below that says 'Automatically parse links in text', or use commas or something instead of the dots - the mods have helped you with this a couple of times so far. (OK Bubba - you beat me to it )

Have you reset your homepage to something you like and it is automatically being changed back? Or do you need some help to change it?

Last edited by NOD32 user : July 19th, 2006 at 10:21 PM. Reason: as Bubba said...
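
The moderators' request in posts #18 and #19 (make potentially malicious addresses non-clickable before posting) can be automated. The following is an added example, not part of the original thread: a small Python defanger. The function names and the sample domain bad-site.example are assumptions made for illustration.

```python
import re

# Text an auto-linker would turn into a clickable link: an explicit
# http/https scheme, or a bare host that starts with "www.".
_LIVE_LINK = re.compile(
    r"\b(?:(?P<scheme>https?)://|(?=www\.))"
    r"(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?P<rest>(?::\d+)?(?:[/?#][^\s<>\"']*)?)",
    re.IGNORECASE,
)

_SCHEMES = {"http": "hxxp", "https": "hxxps"}


def _defang_match(m):
    """Rewrite one matched link so forum software will not auto-link it."""
    scheme = m.group("scheme")
    prefix = _SCHEMES[scheme.lower()] + "://" if scheme else ""
    # Only the host needs breaking; the path is kept readable for analysts.
    host = m.group("host").replace(".", "[.]")
    return prefix + host + m.group("rest")


def defang(text):
    """Return text with every live link made non-clickable (idempotent)."""
    return _LIVE_LINK.sub(_defang_match, text)


def has_clickable_link(text):
    """Pre-post check: True if the text still contains a live link."""
    return _LIVE_LINK.search(text) is not None


if __name__ == "__main__":
    # Constructed sample post; bad-site.example is a placeholder domain.
    post = "IE redirects me to http://www.bad-site.example/a.php?x=1 again"
    print(defang(post))
```

File names such as VundoFix.exe are left alone because a bare name is only treated as a link when it carries a scheme or a leading "www.".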
  #20  
Old July 19th, 2006, 10:22 PM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16
Default Re: NOD32 cant cleaned this Trojan (Log Posted)

Sorry guys, I will not post malicious links.

What about the sqmdata01.sqm? There's a lot in my C:\
  #21  
Old July 19th, 2006, 10:28 PM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766
Lightbulb Re: NOD32 cant cleaned this Trojan (Log Posted)

Quote:
Originally Posted by sLapshock
Sorry guys, I will not post malicious links.

What about the sqmdata01.sqm? There's a lot in my C:\

It appears that they may be from SquirrelMail software - have you ever used that?

Or Windows Live Messenger?
  #22  
Old July 19th, 2006, 10:30 PM
Blackspear Blackspear is offline
Global Moderator
 
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Default Re: NOD32 cant cleane this Trojan (Log Posted)

Please download VundoFix.exe to your desktop.

1. Reboot your PC into "Safe Mode".
2. Double click on VundoFix.exe
3. Place a tick next to "Run VundoFix" as a task.
4. You will receive a message saying VundoFix will close and re-open in a minute or less.
5. Click "OK".
6. When VundoFix re-opens, click the "Scan for Vundo" button.
7. Once it's done scanning, click the "Remove Vundo" button.
8. You will receive a prompt asking if you want to remove the files, click "Yes".
9. Once you click yes, your desktop will go blank as it starts removing Vundo.
10. When completed, it will prompt that it will shut down your computer, click "Ok".
11. Turn on your computer.

Let us know how you go...

Cheers
__________________
"Illegitimis non carborundum"
translation:
"Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers
  #23  
Old July 19th, 2006, 10:30 PM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16
Default Re: NOD32 cant cleaned this Trojan (Log Posted)

What is that software?
Nope.
  #24  
Old July 19th, 2006, 10:41 PM
NOD32 user NOD32 user is offline
Very Frequent Poster
 
Join Date: Jan 2005
Location: Australia
Posts: 1,766
Default Re: NOD32 cant cleaned this Trojan (Log Posted)

Quote:
Originally Posted by sLapshock
What is that software?
Nope.

Go with what Bubba and Blackspear said above in any case...

Cheers
  #25  
Old July 19th, 2006, 10:46 PM
sLapshock sLapshock is offline
Infrequent Poster
 
Join Date: Jul 2006
Posts: 16
Default Re: NOD32 cant cleaned this Trojan (Log Posted)

Okay, I will try it. I'm at school now. Are there any other methods available?
 

All times are GMT -4.