Trojan.Zlob.G

View previous topic View next topic Go down

Solved Trojan.Zlob.G

Post by fenleyway on 6th December 2008, 5:26 am

Hi,

So I've been doing virus scans, and for some reason I keep getting a window from Windows Firewall that a virus called "Trojan.Zlob.G" is trying to gain access to my computer. Symantec Antivirus is not picking up anything by that name. How can I get rid of it? I've looked on other forums, and many of the registry entries that were mentioned associated with the virus do not exist on my computer.

The following is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:26, on 2008-12-06
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\STacSV.exe
C:\Program Files\DELL\QuickSet\quickset.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O2 - BHO: globaladsolution - {4da7a329-764d-94c6-6f08-7f839124d64f} - C:\WINDOWS\system32\nsl16.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: globaladsolution browser enhancer - {7495C050-0AAE-B778-7DF2-6F0B7B9727DB} - C:\WINDOWS\system32\vczhifgunf.dll
O2 - BHO: GrandBar IE Helper - {84BA8988-33E1-4c89-A150-BF428E8D3213} - C:\Program Files\GrandPack\GrandPack.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\DELL\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [rxplrtofqxzr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vczhifgunf.dll"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c93d08fb04a2ac) (gupdate1c93d08fb04a2ac) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 13768 bytes

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by Belahzur on 6th December 2008, 1:50 pm

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure Teatimer is disable before we do this, otherwise this fix will fail.



  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: globaladsolution - {4da7a329-764d-94c6-6f08-7f839124d64f} - C:\WINDOWS\system32\nsl16.dll
    O2 - BHO: globaladsolution browser enhancer - {7495C050-0AAE-B778-7DF2-6F0B7B9727DB} - C:\WINDOWS\system32\vczhifgunf.dll
    O4 - HKLM\..\Run: [rxplrtofqxzr] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\vczhifgunf.dll"


  • Press "Fix Checked"
  • Close Hijack This.




  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 6th December 2008, 4:53 pm

ComboFix 08-12-05.06 - Swathi 2008-12-06 11:36:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1293 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\GetModule

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 23:36 . 2008-12-06 00:01 d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 23:36 . 2008-12-06 00:05 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 21:30 . 2008-12-05 21:30 d-------- c:\program files\GrandPack
2008-12-05 21:30 . 2008-12-05 21:31 102,176 --a------ c:\windows\system32\cont_globaladsolution-remove.exe
2008-12-05 21:30 . 2008-12-05 21:30 47,596 --a------ c:\windows\system32\fillveteafj.exe
2008-12-04 23:40 . 2008-12-04 23:40 d-------- c:\documents and settings\All Users\Application Data\Citrix
2008-12-04 23:39 . 2008-12-04 23:39 d-------- c:\program files\Citrix
2008-12-04 12:00 . 2008-12-05 21:23 d-------- c:\program files\XP TCPIP Repair
2008-12-01 12:00 . 2008-12-01 12:00 d-------- c:\program files\Trend Micro
2008-11-29 16:25 . 2008-11-29 16:25 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-29 00:30 . 2008-11-29 00:31 d-------- c:\program files\foldit
2008-11-29 00:30 . 2008-11-29 00:40 d-------- c:\documents and settings\All Users\Application Data\foldit
2008-11-28 21:14 . 2008-11-28 21:14 d-------- c:\program files\Lavasoft
2008-11-28 21:14 . 2008-11-28 21:15 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 17:02 . 2008-11-28 17:02 d---s---- c:\documents and settings\TEMP\UserData
2008-11-28 16:17 . 2008-11-28 16:17 d-------- c:\program files\Symantec
2008-11-28 16:17 . 2006-09-18 17:55 109,744 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-28 16:17 . 2006-09-18 17:55 48,816 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-28 15:40 . 2008-11-28 15:40 d-------- C:\sym
2008-11-26 20:13 . 2008-11-28 16:45 2,274 --a------ c:\windows\system32\TDSSxbae.dll
2008-11-24 20:09 . 2008-11-30 22:38 d-------- c:\documents and settings\TEMP\Application Data\uTorrent
2008-11-11 18:24 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 18:24 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 16:40 . 2008-11-20 22:21 d-------- c:\documents and settings\TEMP\Application Data\Move Networks
2008-11-07 11:17 . 2008-11-07 11:17 d-------- c:\documents and settings\Swat\Bluetooth Software
2008-11-07 11:17 . 2008-11-07 11:17 d-------- c:\documents and settings\Swat\Application Data\Windows Desktop Search
2008-11-07 11:17 . 2008-11-07 11:17 d-------- c:\documents and settings\Swat\Application Data\Launchy
2008-11-07 11:17 . 2008-11-08 12:03 d-------- c:\documents and settings\Swat\Application Data\GTek
2008-11-07 11:16 . 2008-06-28 13:16 d-------- c:\documents and settings\Swat\Application Data\Intel
2008-11-07 11:16 . 2008-12-05 21:24 d-------- c:\documents and settings\Swat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 16:41 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-06 16:39 47,104 ----a-w c:\windows\system32\rpcnet.dll
2008-12-06 16:39 17,408 ----a-w c:\windows\system32\rpcnetp.exe
2008-12-06 16:23 47,104 ----a-w c:\windows\system32\rpcnet.exe
2008-12-06 16:20 17,408 ----a-w c:\windows\system32\rpcnetp.dll
2008-12-06 02:42 --------- d-----w c:\documents and settings\TEMP\Application Data\Intel
2008-12-06 02:42 --------- d-----w c:\documents and settings\TEMP\Application Data\Apple Computer
2008-12-05 04:53 --------- d-----w c:\program files\PeerGuardian2
2008-12-01 17:06 --------- d-----w c:\program files\Java
2008-12-01 17:02 731,136 ----a-w C:\avenger.exe
2008-11-30 23:26 --------- d-----w c:\program files\Google
2008-11-29 02:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-28 21:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 21:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-27 01:13 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-12 08:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-02 23:15 --------- d-----w c:\program files\Freecorder
2008-11-02 23:12 --------- d-----w c:\program files\Conduit
2008-11-02 16:51 --------- d-----w c:\documents and settings\TEMP\Application Data\Windows Search
2008-11-02 16:51 --------- d-----w c:\documents and settings\TEMP\Application Data\Windows Desktop Search
2008-11-02 16:51 --------- d-----w c:\documents and settings\TEMP\Application Data\Launchy
2008-11-02 16:45 --------- d-----w c:\documents and settings\TEMP\Application Data\vlc
2008-11-01 17:42 --------- d--h--w c:\documents and settings\TEMP\Application Data\GTek
2008-10-28 00:47 --------- d-----w c:\documents and settings\Swathi\Application Data\uTorrent
2008-10-26 13:33 --------- d-----w c:\program files\TechSmith
2008-10-26 13:33 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2008-10-25 18:08 --------- d-----w c:\documents and settings\Swathi\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 23:49 --------- d-----w c:\program files\Apple Software Update
2008-10-18 23:48 --------- d-----w c:\program files\iTunes
2008-10-18 23:48 --------- d-----w c:\program files\iPod
2008-10-18 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-18 23:47 --------- d-----w c:\program files\QuickTime
2008-10-18 23:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-18 23:42 --------- d-----w c:\program files\Bonjour
2008-10-18 18:19 --------- d-----w c:\program files\Audible
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 15:25 --------- d-----w c:\program files\DVD Decrypter
2008-10-13 02:52 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-08 17:02 --------- d-----w c:\documents and settings\Swathi\Application Data\gtk-2.0
2008-10-02 22:36 32,256 ----a-w c:\windows\system32\identprv.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-06-28 21:00 76 --sh--r c:\windows\CT4CET.bin
.

------- Sigcheck -------

2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-26 20:13 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 6th December 2008, 4:54 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
2008-12-05 14:16 133120 --a------ c:\program files\GrandPack\GrandPack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 18:59 2953216 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 18:59 2953216 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-03-28 49168]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Dell QuickSet"="c:\program files\DELL\QuickSet\quickset.exe" [2007-07-20 1228800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-29 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-14 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"NVHotkey"="nvHotkey.dll" [2007-11-17 c:\windows\system32\nvhotkey.dll]

c:\documents and settings\Swathi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\TEMP\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-08-16 286720]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 18:46 90112 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 10:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"rxplrtofqxzr"=c:\windows\System32\regsvr32.exe /s "c:\windows\system32\vczhifgunf.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Swathi\\Desktop\\Savers\\MySpaceMp3Gopher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\TEMP\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\TEMP\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58067:TCP"= 58067:TCP:PandoRest Listening Port
""=

R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2008-06-28 28184]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-28 99376]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;\??\c:\windows\system32\Drivers\OEM02Afx.sys [2008-06-28 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2008-06-28 235584]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2008-06-28 7424]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys []
S2 gupdate1c93d08fb04a2ac;Google Update Service (gupdate1c93d08fb04a2ac);"c:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-11-02 133104]
S2 OpenCASE Media Agent;OpenCASE Media Agent;"c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe" [2008-08-03 835208]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-29 29744]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-09-27 116464]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-06 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 11:35]

2008-12-06 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 11:35]

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 6th December 2008, 4:54 pm

- - - - ORPHANS REMOVED - - - -

Toolbar-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FireFox -: Profile - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\ilhajn0z.default\
FF -: plugin - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\ilhajn0z.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\documents and settings\TEMP\Application Data\Mozilla\plugins\npgoogletalk.dll
FF -: plugin - c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-06 11:41:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\stacsv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\system32\searchprotocolhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2008-12-06 11:48:27 - machine was rebooted [Swathi]
ComboFix-quarantined-files.txt 2008-12-06 16:48:23
ComboFix2.txt 2008-12-02 05:21:15

Pre-Run: 79,436,722,176 bytes free
Post-Run: 79,442,989,056 bytes free

305 --- E O F --- 2008-11-28 21:40:31

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by Belahzur on 6th December 2008, 5:01 pm

Hello.
Just a few leftovers to get.

Now open a new notepad file.
Input this into the notepad file:

Driver::
ntcdrdrv

File::
c:\windows\system32\cont_globaladsolution-remove.exe
c:\windows\system32\fillveteafj.exe
c:\windows\system32\TDSSxbae.dll
C:\avenger.exe
c:\windows\system32\vczhifgunf.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"rxplrtofqxzr"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 7th December 2008, 8:36 pm

ComboFix 08-12-06.06 - Swathi 2008-12-07 15:19:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1239 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TEMP\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\avenger.exe
c:\windows\system32\cont_globaladsolution-remove.exe
c:\windows\system32\fillveteafj.exe
c:\windows\system32\TDSSxbae.dll
c:\windows\system32\vczhifgunf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\avenger.exe
c:\documents and settings\TEMP\Application Data\Google\kjzna1562565.exe
c:\windows\system32\cont_globaladsolution-remove.exe
c:\windows\system32\fillveteafj.exe
c:\windows\system32\TDSSxbae.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ntcdrdrv


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-05 23:36 . 2008-12-06 00:01 d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 23:36 . 2008-12-06 00:05 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 21:30 . 2008-12-05 21:30 d-------- c:\program files\GrandPack
2008-12-04 23:40 . 2008-12-04 23:40 d-------- c:\documents and settings\All Users\Application Data\Citrix
2008-12-04 23:39 . 2008-12-04 23:39 d-------- c:\program files\Citrix
2008-12-04 12:00 . 2008-12-05 21:23 d-------- c:\program files\XP TCPIP Repair
2008-12-01 12:00 . 2008-12-01 12:00 d-------- c:\program files\Trend Micro
2008-11-29 16:25 . 2008-11-29 16:25 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-29 00:30 . 2008-11-29 00:31 d-------- c:\program files\foldit
2008-11-29 00:30 . 2008-11-29 00:40 d-------- c:\documents and settings\All Users\Application Data\foldit
2008-11-28 21:14 . 2008-11-28 21:14 d-------- c:\program files\Lavasoft
2008-11-28 21:14 . 2008-11-28 21:15 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-28 17:02 . 2008-11-28 17:02 d---s---- c:\documents and settings\TEMP\UserData
2008-11-28 16:17 . 2008-11-28 16:17 d-------- c:\program files\Symantec
2008-11-28 16:17 . 2006-09-18 17:55 109,744 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-28 16:17 . 2006-09-18 17:55 48,816 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-28 15:40 . 2008-11-28 15:40 d-------- C:\sym
2008-11-24 20:09 . 2008-12-07 15:18 d-------- c:\documents and settings\TEMP\Application Data\uTorrent
2008-11-11 18:24 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 18:24 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-09 16:40 . 2008-11-20 22:21 d-------- c:\documents and settings\TEMP\Application Data\Move Networks
2008-11-07 11:17 . 2008-11-07 11:17 d-------- c:\documents and settings\Swat\Bluetooth Software
2008-11-07 11:17 . 2008-11-07 11:17 d-------- c:\documents and settings\Swat\Application Data\Windows Desktop Search
2008-11-07 11:17 . 2008-11-07 11:17 d-------- c:\documents and settings\Swat\Application Data\Launchy
2008-11-07 11:17 . 2008-11-08 12:03 d-------- c:\documents and settings\Swat\Application Data\GTek
2008-11-07 11:16 . 2008-06-28 13:16 d-------- c:\documents and settings\Swat\Application Data\Intel
2008-11-07 11:16 . 2008-12-05 21:24 d-------- c:\documents and settings\Swat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 20:27 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-07 20:21 --------- d-----w c:\program files\PeerGuardian2
2008-12-06 02:42 --------- d-----w c:\documents and settings\TEMP\Application Data\Intel
2008-12-06 02:42 --------- d-----w c:\documents and settings\TEMP\Application Data\Apple Computer
2008-12-01 17:06 --------- d-----w c:\program files\Java
2008-11-30 23:26 --------- d-----w c:\program files\Google
2008-11-29 02:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-28 21:17 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 21:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-12 08:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-02 23:15 --------- d-----w c:\program files\Freecorder
2008-11-02 23:12 --------- d-----w c:\program files\Conduit
2008-11-02 16:51 --------- d-----w c:\documents and settings\TEMP\Application Data\Windows Search
2008-11-02 16:51 --------- d-----w c:\documents and settings\TEMP\Application Data\Windows Desktop Search
2008-11-02 16:51 --------- d-----w c:\documents and settings\TEMP\Application Data\Launchy
2008-11-02 16:45 --------- d-----w c:\documents and settings\TEMP\Application Data\vlc
2008-11-01 17:42 --------- d--h--w c:\documents and settings\TEMP\Application Data\GTek
2008-10-28 00:47 --------- d-----w c:\documents and settings\Swathi\Application Data\uTorrent
2008-10-26 13:33 --------- d-----w c:\program files\TechSmith
2008-10-26 13:33 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith
2008-10-25 18:08 --------- d-----w c:\documents and settings\Swathi\Application Data\Move Networks
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 23:49 --------- d-----w c:\program files\Apple Software Update
2008-10-18 23:48 --------- d-----w c:\program files\iTunes
2008-10-18 23:48 --------- d-----w c:\program files\iPod
2008-10-18 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-18 23:47 --------- d-----w c:\program files\QuickTime
2008-10-18 23:46 --------- d-----w c:\program files\Common Files\Apple
2008-10-18 23:42 --------- d-----w c:\program files\Bonjour
2008-10-18 18:19 --------- d-----w c:\program files\Audible
2008-10-13 15:25 --------- d-----w c:\program files\DVD Decrypter
2008-10-13 02:52 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-08 17:02 --------- d-----w c:\documents and settings\Swathi\Application Data\gtk-2.0
2008-06-28 21:00 76 --sh--r c:\windows\CT4CET.bin
.

------- Sigcheck -------

2004-08-04 07:00 295424 b60c877d16d9c880b952fda04adf16e6 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 19:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-26 20:13 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-06 16:39:56 47,104 ----a-w c:\windows\system32\rpcnet.dll
+ 2008-12-07 20:26:49 47,104 ----a-w c:\windows\system32\rpcnet.dll
- 2008-12-06 16:39:58 17,408 ----a-w c:\windows\system32\rpcnetp.exe
+ 2008-12-07 20:26:52 17,408 ----a-w c:\windows\system32\rpcnetp.exe

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 7th December 2008, 8:37 pm

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84BA8988-33E1-4c89-A150-BF428E8D3213}]
2008-12-05 14:16 133120 --a------ c:\program files\GrandPack\GrandPack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-03-28 18:59 2953216 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-03-28 18:59 2953216 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2008-03-04 999424]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2008-03-04 1101824]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-03-28 49168]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Dell QuickSet"="c:\program files\DELL\QuickSet\quickset.exe" [2007-07-20 1228800]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-29 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-14 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
"NVHotkey"="nvHotkey.dll" [2007-11-17 c:\windows\system32\nvhotkey.dll]

c:\documents and settings\Swathi\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\TEMP\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 622653]
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-08-16 286720]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-28 18:46 90112 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2006-11-05 10:22 221184 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DELL\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
"c:\\Program Files\\Participatory Culture Foundation\\Miro\\xulrunner\\python\\Miro_Downloader.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Swathi\\Desktop\\Savers\\MySpaceMp3Gopher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\TEMP\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\TEMP\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58067:TCP"= 58067:TCP:PandoRest Listening Port
""=

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-28 99376]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;\??\c:\windows\system32\Drivers\OEM02Afx.sys [2008-06-28 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2008-06-28 235584]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2008-06-28 7424]
S2 gupdate1c93d08fb04a2ac;Google Update Service (gupdate1c93d08fb04a2ac);"c:\program files\Google\Update\GoogleUpdate.exe" /svc [2008-11-02 133104]
S2 OpenCASE Media Agent;OpenCASE Media Agent;"c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe" [2008-08-03 835208]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-29 29744]
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-09-27 116464]
.
Contents of the 'Scheduled Tasks' folder

2008-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-02 11:35]

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 11:35]
.
.

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 7th December 2008, 8:37 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FireFox -: Profile - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\ilhajn0z.default\
FF -: plugin - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\ilhajn0z.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF -: plugin - c:\documents and settings\TEMP\Application Data\Mozilla\plugins\npgoogletalk.dll
FF -: plugin - c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Update\1.2.131.25\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 15:28:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\stacsv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-07 15:33:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 20:33:48
ComboFix2.txt 2008-12-06 16:48:28
ComboFix3.txt 2008-12-02 05:21:15

Pre-Run: 77,975,044,096 bytes free
Post-Run: 77,989,908,480 bytes free

295 --- E O F --- 2008-11-28 21:40:31

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by Belahzur on 7th December 2008, 9:19 pm

Looks good, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 14th December 2008, 12:13 am

looks like the trojan is removed, but the popups still remain. I keep getting "Globalad solution" popups all the time. Plus, my computer froze several times yesterday because there's redirect sometimes to this AntiVirus2009 site.

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by Belahzur on 14th December 2008, 12:40 am

Please download DirLook by jpshortstuff from one of the following mirrors:
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
  • Double-click DirLook.exe to run it (Vista Users should right-click and select Run As Administrator...).
  • Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
  • Copy the content of the following codebox into the main textfield:

    Code:
    c:\program files\Mozilla Firefox\components

  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\DirLook.txt)
Note: Scanning may take longer for large folders.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 14th December 2008, 12:47 am

DirLook.exe v2.0 by jpshortstuff
Log created at 19:47 on 13/12/2008
==================================
Contents of "c:\program files\Mozilla Firefox\components"

---FOLDERS---

(none found)

---FILES---

aboutRobots.js (2927 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
browser.xpt (348274 bytes - created on 28/06/2008 at 22:58, modified on 13/11/2008 at 07:08) --a---
browserdirprovider.dll (23040 bytes - created on 28/06/2008 at 22:58, modified on 13/11/2008 at 07:08) --a---
brwsrcmp.dll (134656 bytes - created on 28/06/2008 at 22:58, modified on 13/11/2008 at 07:08) --a---
compreg.dat (144875 bytes - created on 02/12/2008 at 03:15, modified on 07/12/2008 at 21:39) --a---
FeedConverter.js (25339 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
FeedProcessor.js (66215 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
FeedWriter.js (49694 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
fuelApplication.js (38238 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
GoogleDesktopMozilla.dll (122880 bytes - created on 29/06/2008 at 18:47, modified on 29/06/2008 at 18:47) --a---
GoogleDesktopMozillaStub.js (25280 bytes - created on 29/06/2008 at 18:47, modified on 29/06/2008 at 18:47) --a---
GoogleDesktopMozillaStub.xpt (3530 bytes - created on 29/06/2008 at 18:47, modified on 29/06/2008 at 18:47) --a---
jsconsole-clhandler.js (1494 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nppl3260.xpt (6789 bytes - created on 14/09/2008 at 15:42, modified on 14/09/2008 at 15:42) --a---
nsAddonRepository.js (11659 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsBadCertHandler.js (3104 bytes - created on 25/09/2008 at 05:33, modified on 25/09/2008 at 05:33) --a---
nsBlocklistService.js (27331 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsBrowserContentHandler.js (32696 bytes - created on 28/06/2008 at 22:58, modified on 29/07/2008 at 04:44) --a---
nsBrowserGlue.js (28799 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
nsContentDispatchChooser.js (5005 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsContentPrefService.js (29973 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsDefaultCLH.js (6247 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsDownloadManagerUI.js (5737 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsExtensionManager.js (333468 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
nsglobaladsolution.dll (640512 bytes - created on 06/12/2008 at 02:30, modified on 02/12/2008 at 16:36) --a---
nsHandlerService.js (51214 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsHelperAppDlg.js (41716 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
nsIQTScriptablePlugin.xpt (2394 bytes - created on 18/10/2008 at 23:47, modified on 18/10/2008 at 23:47) --a---
nsJSRealPlayerPlugin.xpt (556 bytes - created on 14/09/2008 at 15:42, modified on 14/09/2008 at 15:42) --a---
nsLivemarkService.js (36039 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsLoginInfo.js (4302 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsLoginManager.js (44047 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
nsLoginManagerPrompter.js (40367 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsMicrosummaryService.js (77051 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsPlacesTransactionsService.js (33805 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsPostUpdateWin.js (21420 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsProxyAutoConfig.js (13682 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsSafebrowsingApplication.js (25176 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsSearchService.js (110646 bytes - created on 28/06/2008 at 22:58, modified on 13/11/2008 at 07:08) --a---
nsSearchSuggestions.js (24273 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsSessionStartup.js (11428 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsSessionStore.js (75892 bytes - created on 28/06/2008 at 22:58, modified on 13/11/2008 at 07:08) --a---
nsSetDefaultBrowser.js (2854 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsSidebar.js (12513 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsTaggingService.js (9790 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsTryToClose.js (3268 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsUpdateService.js (112848 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
nsUrlClassifierLib.js (50600 bytes - created on 28/06/2008 at 22:58, modified on 29/07/2008 at 04:44) --a---
nsUrlClassifierListManager.js (19984 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
nsURLFormatter.js (3097 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
nsWebHandlerApp.js (6920 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
pluginGlue.js (3142 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
storage-Legacy.js (49926 bytes - created on 28/06/2008 at 22:58, modified on 13/11/2008 at 07:08) --a---
txEXSLTRegExFunctions.js (6667 bytes - created on 28/06/2008 at 22:58, modified on 29/05/2008 at 14:24) --a---
WebContentConverter.js (34011 bytes - created on 28/06/2008 at 22:58, modified on 25/09/2008 at 05:33) --a---
xpti.dat (98206 bytes - created on 02/12/2008 at 03:14, modified on 02/12/2008 at 03:14) --a---

==================================
=EOF=

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by Belahzur on 14th December 2008, 1:01 am

That found it.
Delete this file:
c:\program files\Mozilla Firefox\components\nsglobaladsolution.dll


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 14th December 2008, 1:52 am

Still getting random popups...I think it has to do with this Toolbar called "Yoog Search" that keeps embedding itself in my Firefox

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by Belahzur on 14th December 2008, 2:10 am

Hello.
This is a new tactic the bad guys are using, it's hard to find as you see it hides itself in the Firefox.

Can you try uninstalling Firefox, then re-install it and see what happens.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by fenleyway on 14th December 2008, 7:00 am

It's getting better...I uninstalled firefox, but then popups started coming in through internet explorer. I looked in "Add/remove programs" and found that globaladsolutions had installed itself in a few different ways. I took out most of these programs, but there's one called "Mirar" that won't leave.

fenleyway
Novice
Novice

Posts Posts : 15
Joined Joined : 2008-12-01
OS OS : Windows XP SP3
Points Points : 29300
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G

Post by Doctor Inferno on 17th January 2009, 10:26 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum