Go Back   RetouchPRO > Tools > Software
Register Blogs FAQ Site Nav Search Today's Posts Mark Forums Read

Software Photoshop, Lightroom, Paintshop Pro, Painter, etc., and all their various plugins. Of course, you can also discuss all other programs, as well.

Two days of hell ... trojan horse probs

Thread Tools
Old 04-12-2006, 11:50 PM
Craig Walters's Avatar
Craig Walters Craig Walters is offline
Senior Member
Join Date: Apr 2005
Location: somewhere over there
Posts: 8,786
Blog Entries: 4
Two days of hell ... trojan horse probs

well, i've just spent the last two days trying to get rid of a virus, a trojan horse type, Zlob. this was one nasty sucker to get rid of. it hijacked my browser, stuck some 'security' software on my system, and drove me just about nuts for two days.

part of this thing is the 'mssearchnet.exe' file, which embeds itself in the registry, your startup (but hidden in the normal startup areas, so that msconfig cant see it) and some other place. part it was in system 32 of windows and there were several accompanying .dll's and files and other hidden startups.

this tended to remind me of the old protection rackets, where someone approaches you and demands you pay them protection money to protect you from 'someone'. of course the someone is the guy demanding the money, but that always seems to be missed by the racketeers. this virus, being a trojan had managed to install some 'security' software that popped up as a result of my system being infected. of course, they infected me, but now if i'll just go to their site, they'll remove it for me. yeah, right. fat chance there, bud.

i ran hijackthis and it couldnt find it. i ran avg antivirus and it didnt find it. i went to trend micro and ran their online scan. they found parts of it and some other junk, but they couldnt remove all of it, though they thought they had. tech support at my isp helped a tiny bit also, but couldnt do it either. ad-aware saw no part of it at all. win patrol knew something was wrong, but also couldnt correct or block it effectively. i called up 'services' on my machine and found some peculiar and suspicious services running, particularly nvctrl.exe. i killed the service. 2 seconds later it's back. kill it again and the same thing happens. cute, so now i know i've got a loader virus. something is reloading this thing. regedit showed me a tiny bit of it. booting to dos mode i did manage to erase the mssearchnet.exe file and that part didnt come back. i ran cwshredder and it found something, but i forget what. i also found a reference in the registry about mssearchnet.exe and erased that key, but there were others there and erasing those just put them back. so, again, a loader. cute.

continuing, i updated winpatrol to the latest version and also got 'task catcher', another program from those same folks. these could see the parts that were in services, but couldnt kill it all off. i checked for the latest version of ad-aware, but mine was already up to date. i actually tried trend micros again but to no avail.

all in all this thing was a stinker. i had continuous popups from win patrol alerting me that something was trying to load into my browser as a helper object. i always said no. they were .tmp files in the system 32 folder. this thing also kept trying to call home with an NT logon (winlogon) but i just kept telling zone alarm no to that one. i also went to and used their little zapper program (i forget what it's called now) and it found nothing. i also downloaded their 'windows defender ver 2 beta' and installed that. it could also see the errant services but couldnt kill them effectively.

i swear, if i could put my hands on the person's neck that wrote this and distributed it, i'd.... well, you get the point.

little by little i did find enough of this to make some headway, but i was getting quite frustrated. i still had this idiot fake' anti-malware' program stuck in my system tray, popping up with an alert every 2 minutes. shortly after that i'd get win patrol telling me something was trying to load into my system. you see what was happening here? the 'security program' was loading the virus and trying to bring in friends from the net.

so, having managed to get rid of some of this thing, i was finally getting frustrated and desparate enough to do one of two things, either try a system restore point or call up my full backup of the c: drive had been updated a week ago (thankfully). so, i decided that i'd try system restore first. if that didnt work, call up the backup and replace the entire c: drive.

i knew roughly when i had contracted this thing, as odd things had started to happen shortly thereafter, so i opted for a system restore checkpoint from before that point in time. i ran the system restore and crossed my fingers. i was expecting the worst, that not only would i still have this thing, but that it would infect the restore point somehow. remarkably, the system restore seems to have worked! that's twice now it's saved my bu..bacon. now, i'm fairly sure some or all of those nasty files are still on my system. but because the registry is restored to an older point, all the links are killed to activate this junk! and that's probably the only reason the system restore worked. and amen to that!

and, since i know the names of some of these files, i can now go through and erase them, since they are no longer 'active', open files that cant be deleted in a normal fashion.

like i said, the system restore wiped the links to this piece of malicious garbage, but it also wiped everything installed after that point that i wanted, like the updated winpatrol and task catcher and windows defender. lol. but that's a small price to pay at this point.

this virus is rated 'low' by most sites, but i think they've underrated it. the potential for damage here is quite large. ANY trojan is potentially lethal to a system, since the trojan is like the trojan horse of old; it can carry nasty attackers inside and call for reinforcements.

so, i'm sorry for scaring anyone i might have, but i'm also not sorry for the same thing in that these things are real and you pretty much need a trojan (condom) on your system to catch a trojan surf safe, folks!

Reply With Quote top
Old 04-13-2006, 12:13 AM
lkroll's Avatar
lkroll lkroll is offline
Senior Member
Join Date: Jan 2005
Location: Alabama
Posts: 4,685
I do this for a living now Craig.

Just don't click anything with SpySheriff. Though these suckers keep me in business, I dispise having to do this work. I'm currenting running 70% success rate at removing virus/spyware on customers' machines (meaning I have to make Phoenix's out of the others). Still costs the customers a lot of dough to get their machines cleaned. System restore (for other reasons) have saved my bacon too, but nothing replaces a good backup. Then you can always re-install the OS (though you may have to give Uncle Bill a call to reactive Windows ). Sorry for you woes Craig, but welcome back to the living. If you have another PC, the best way to remove viruses is to first do an external scan using the other PC. Then place the harddrive back into your main system and boot into Safe Mode with Networking. After you run the virus scans (TrendMicro, Etrust, and, believe it or not, Microsoft have some pretty good web-based scanners; TrendMicro sometimes have problems running in safemode though) from safemode, run Hijaakthis to see and remove any suspicious BHO's and startup programs. Then pray for the best when you boot into regular mode. That's pretty much what I do for my customers. Sometimes too, a system repair fixes issues as well, but most of the time it does not unless you removed all traces of the virus first. Usually, I have no choice but to do registry hacks as well. Man, I much prefer doing new builds or hardware repair as opposed to Virus/Spyware removal, but over 80% of what I do involves removing infestations.

Forgot to add, that you need to take ownership of you System Volume Information folder so that you can remove viruses stored here too (normally, this folder is locked; Home Edition makes it a little more difficult, but it can be done in Safemode for sure).

Last edited by lkroll; 04-13-2006 at 12:18 AM. Reason: Added additional info.
Reply With Quote top
Old 04-13-2006, 12:31 AM
Gary Richardson's Avatar
Gary Richardson Gary Richardson is offline
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Hi Craig,

Zlob (Zolob) is a version of Smitfraud, and is relatively easy to remove if approached correctly (needs special tool(s)). Lots of versions, depending on which "Security Program" it foists onto you.

Wish you'd posted a HJT log, could have got you up and running in no time.

It might be a good idea if you posted a HJT log so I can see if there's any residual infection left.

Last edited by Gary Richardson; 04-13-2006 at 12:36 AM.
Reply With Quote top
Old 04-13-2006, 12:49 AM
Ziaphra's Avatar
Ziaphra Ziaphra is offline
Senior Member
Join Date: Mar 2006
Posts: 439
My daughter has this on her computer too! I have run both adware and spyware and got rid of alot of other stuff but these pop ups are still I will be watching this thread...

I also have a problem where when you start up her computer it says 'NTDLR is ctrl+alt+del to start'. I have tried changing the boot sequence to no avail...what I did eventually was copy the NTLDR and files from my computer onto floppy, then change the boot sequence to start at a: and that seems to force her computer to find the correct boot.ini file and boot up correctly. If anyone knows how to stop this from happening as we can't keep booting up like that! (I will eventually figure it out but would be eternally grateful for an 'inside track'!)
Reply With Quote top
Old 04-13-2006, 01:16 AM
NancyJ's Avatar
NancyJ NancyJ is offline
Senior Member
Join Date: Jun 2004
Posts: 729
For removal instructions just google for zlob. There is a lot of info out there about it.

Ofcourse the best solution is to not get infected at all Dont use IE unless absolutely necessary. Firefox and Opera (and Safari for mac) are all much safer browsers, partially because they're not integrated into the OS and partially because as less common browsers they're less likely to be attacked.
I also highly recommond spybot search and destroy with teatimer, spybot S&D has a browser immunisation feature that currently protects against over 8k known bad products.
Teatimer is a nice little app that notifies you any time a program attempts to change your registry - very useful early detection of attempted attacks.
Reply With Quote top
Old 04-13-2006, 05:51 AM
Gary Richardson's Avatar
Gary Richardson Gary Richardson is offline
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
hi Ziaphra,

For problems with most of the Smitfraud variants, try

Follow the instructions there, if any problems after that, post a HJT log in the forums at

I help out at that forum, or at
Reply With Quote top
Old 04-13-2006, 06:02 AM
Ziaphra's Avatar
Ziaphra Ziaphra is offline
Senior Member
Join Date: Mar 2006
Posts: 439
Thanx so much...will do and update.
Reply With Quote top
Old 04-13-2006, 09:26 AM
Gary Richardson's Avatar
Gary Richardson Gary Richardson is offline
Senior Member
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
You're welcome.

Which OS are you using with the NTLDR problem ?
Reply With Quote top
Old 04-13-2006, 10:23 AM
Ziaphra's Avatar
Ziaphra Ziaphra is offline
Senior Member
Join Date: Mar 2006
Posts: 439
It's Windows XP Pro.
Reply With Quote top
Old 04-13-2006, 11:50 AM
CJ Swartz's Avatar
CJ Swartz CJ Swartz is offline
Senior Member
Join Date: Sep 2001
Location: Metro Phoenix area, Arizona
Posts: 3,344
Blog Entries: 19
Craig -- I feel your pain! and caught a different trojan

Saturday evening I was just getting ready to quit checking out my forums and go to bed, but got a message from WinPatrol -- msoff.exe wanted to add itself to my startup -- was that okay? I hadn't installed any new software or made any changes to old software, so I knew that there was no good reason for the request, but thought it might be okay since it looked like it might be some Microsoft "thing" (ms-something). I told Scotty (WinPatrol's guardian) NOT to allow it while I looked it up on google... results:

Filename: msoff.exe
Command: C:\Windows\System32\msoff.exe

Description: Added by the Troj/Raker-C Trojan backdoor. This infection will also attempt to steal your online banking information from certain online banks.

And found this - which is either part of the above, or a separate infection.
Trojan.Renver is a Trojan horse that steals confidential information.
C:/documents and settings/all users/Documents/settings/ rvnkey_a, _b, _f, _v.dat

According to Symantec -- When Trojan.Renver is executed, it performs the following actions:

1. Copies itself as the following file: %System%\msoff.exe

2. Creates the following file:
%UserProfile%\Local Settings\Temp\[RANDOM].tmp
3. Adds the value: "Microsoft Office" = "%System%\msoff.exe"
to the registry subkey:
so that it runs every time Windows starts.

4. Creates instances of the following processes and injects it's code into those processes: * svchost.exe * lsass.exe

5. Gathers username and password information from the following file:

6. Gathers email server and username information by querying registry entries:
7. Gathers Protected Storage passwords.
8. Saves the information in the following files:

* %UserProfile%\All Users\Documents\Settings\desktop.ini
* %UserProfile%\All Users\Documents\Settings\rvnverps
* %UserProfile%\All Users\Documents\Settings\rvnver_a.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_b.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_f.dat
* %UserProfile%\All Users\Documents\Settings\rvnver_v.dat

9. Sends the information to the following domain:

I had just switched over to Firefox from IE due to the vulnerability (and no fix offered till April 12), my AVG didn't find it, online scan by Trend Micro didn't find it, but an online scan by PCTools Spyware Doctor found and listed the whereabouts of several files -- but wouldn't eliminate them unless I bought their software. While I was learning where all the bad stuff was hiding, WinPatrol would keep going off asking about "MSoff.exe wanting to be added to my startup", I'd keep eliminating it from the Registry, and it would keep being added back by some part of the trojan still resident on my system. I had turned off system restore until I tracked down all the parts of the trojan that I and Spyware Doctor could find, then ran the Doctor again and ran Spy Sweeper since I use their Window Washer software and decided that I would buy their product over Spyware Doctor since it's rated well. I spent hours, but at last Scotty was no longer barking at "msoff.exe", it was no longer loading into my registry, the .dat and .ini files were gone and hadn't returned, and none of my scans were finding anything -- BUT then some of them had NEVER found anything to begin with!!

I use safe practices -- have avoided emails with phishing links/trojans/viruses, but somewhere on the web that was deemed safe by my security controls -- something attacked me from behind -- IF Scotty the WinPatrol watchdog hadn't barked in time, I could have lost a lot. My info may have been gathered by the trojan even though I found it -- I've changed passwords again to hopefully add some protection in case they got my bank account number, etc.
I don't like to hate people, but I am NOT happy with people who have nothing better to do than sneak around trying to steal from me.
Reply With Quote top

  RetouchPRO > Tools > Software

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Chuckle for the day (jokes/humourous tales here please) jeaniesa Salon 391 11-26-2006 01:33 AM

All times are GMT -6. The time now is 06:22 AM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2016, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.
Copyright © 2016 Doug Nelson. All Rights Reserved