Another Trojan.Zlob.G

View previous topic View next topic Go down

Solved Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 3:32 pm

You Probably Heard this before but I get a message saying windows firewall is blocking access to Trojan.Zlob.G Help would be nice.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:10 AM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [nForce Tray Options] "C:\WINDOWS\system32\sstray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "C:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - [You must be registered and logged in to see this link.] Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O16 - DPF: JT's Blocks - [You must be registered and logged in to see this link.]
O16 - DPF: Tornado 21 - [You must be registered and logged in to see this link.]
O16 - DPF: Video Poker - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Blackjack - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Checkers - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Chess - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Cribbage - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Dice - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Dominoes - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Dots - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Fleet - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Literati - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! MahJong - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! MahJong Solitaire - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Poker - [You must be registered and logged in to see this link.]
O16 - DPF: Yahoo! Pool 2 - [You must be registered and logged in to see this link.]
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {11111111-1111-1111-1111-119601407201} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f12802.exe
O16 - DPF: {2108E348-A0C0-1563-D327-730450CF5E34} (CPlayFirstDDComcastControl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 11878 bytes

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by Belahzur on Sat Dec 06, 2008 3:37 pm

Hello.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
    O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
    O16 - DPF: {11111111-1111-1111-1111-119601407201} - mhtml:file://C:NO_SUCH_MHT.MHT!http://www.008k.com/partner/inst/f12802.exe


  • Press "Fix Checked"
  • Close Hijack This.



  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:01 pm

ComboFix 08-12-05.06 - Dan 2008-12-06 10:48:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.142 [GMT -5:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MyWay
c:\program files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
c:\program files\MyWay\myBar\1.bin\PARTNER.BMP
c:\program files\MyWay\myBar\1.bin\PARTNER.DAT
c:\program files\MyWay\myBar\1.bin\PARTNER2.DAT
c:\program files\MyWay\myBar\1.bin\PARTNER3.DAT
c:\program files\MyWay\myBar\1.bin\PARTNER4.DAT
c:\program files\MyWay\myBar\1.bin\PARTNER5.DAT
c:\program files\MyWay\myBar\1.bin\PARTNER6.DAT
c:\program files\MyWay\myBar\1.bin\UNINSTALL.INF
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\areabomb.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\beetlezap.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonusrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonustimer.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bucketfilled.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\clearpyramid.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2a.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2b.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2c.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\colorchain.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\dialogbox.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\drumbeat.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\fillrow.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\gateopen.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\helptip.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\powerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\rotateboardleft.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\timerup.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning2.ogg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\artifacts-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\bar.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\circledoor.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\full_screen_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_large.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_small.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hexfield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hidden-artifact_icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\large_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\local-hs-bb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\small_dialog.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\trifield.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetletatoo.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\dirt.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpost.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpostovr.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\tritop.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkdown.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkup.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_down.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_over.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_up.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknob.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknobover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderrail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\anwar\look\pl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\bast\look\bl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\kristine\look\kl0001.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\crackedstopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\cursor.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\doorlights.txt
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\jackarmstrong.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\lithos.mvec
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\greybomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\arrowkeys.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\helptip.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\levels\levels.dat
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\disk.mesh

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:01 pm

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\equilateraltriangle.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\flattri.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\pyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\quad.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\rotatingpyramid.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\scarabpanel.mesh
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\p1icon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-0.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-1.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-0-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-1-1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\scorecloud.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\setup.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\areashockwave.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_starter.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_tail.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\flash.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\rubble.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue0\snake_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\arm01_dirty.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\mask01_1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\statue01_dirty.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\stopper.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\timer.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\timerglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\timericon.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\tm.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabomb.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabombrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\boardfill.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bricktip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared5.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared6.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye1.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye2.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye3.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye4.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-blue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-bluerollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-green.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-greenrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\red.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\redrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wild.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wildrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellowrollover.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image0.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image1.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image2.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image3.jpg
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\bluebucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\buckettriangle.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chainlink.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chaintip.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\genericbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\greenbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\redbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallblue.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallgreen.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallred.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallyellow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnglow.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnplatform.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\yellowbucket.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\assets\warning.png
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\error.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\game.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\gameover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscore.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoreinfo.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoresubmit.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\instructions.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\leveldesign.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\levelover.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainarcade.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\maincontinue.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\maingames.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainpuzzle.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\maphelptip.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\options.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\pause.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\quitconfirm.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\start.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\storyplayer.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\style.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\screens\upsell.lua
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\strings.xml
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55\TriJinx.exe
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:02 pm

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 10:17 . 2008-12-06 10:17 d-------- C:\VundoFix Backups
2008-12-06 09:36 . 2008-12-06 09:36 775,168 --a------ c:\windows\isRS-000.tmp
2008-12-06 09:35 . 2008-12-06 09:35 d-------- C:\Binaries
2008-11-29 16:02 . 2008-11-29 16:02 d-------- c:\program files\Stardock
2008-11-29 16:02 . 2008-11-29 16:02 d--h-c--- c:\documents and settings\All Users\Application Data\{72BB8410-8269-4E63-9B72-2C809F27E338}
2008-11-29 15:46 . 2008-11-29 15:51 d-------- c:\documents and settings\Dan\Application Data\Stardock
2008-11-29 15:43 . 2008-11-29 15:43 d-------- c:\documents and settings\All Users\Application Data\Stardock
2008-11-29 15:41 . 2008-11-29 15:41 d-------- c:\program files\Stardock Games
2008-11-25 22:53 . 2008-11-25 22:53 d-------- c:\documents and settings\Dan\Application Data\Unity
2008-11-25 16:44 . 2008-11-25 16:44 d-------- c:\program files\Unity
2008-11-25 08:58 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-16 17:30 . 2008-11-16 17:30 0 --a------ c:\windows\~tmp.INI
2008-11-12 16:02 . 2008-11-12 16:02 29,808 --a------ c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 08:43 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 08:43 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-12-06 14:33 164 ----a-w C:\install.dat
2008-12-06 04:10 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-03 13:06 --------- d-----w c:\program files\Java
2008-11-16 22:30 --------- d-----w c:\program files\Mindscape
2008-11-16 22:29 --------- d-----w c:\program files\EA SPORTS
2008-11-16 22:28 --------- d-----w c:\program files\Microsoft Games
2008-11-16 18:00 --------- d-----w c:\program files\Common Files\3DO Shared
2008-11-16 18:00 --------- d-----w c:\program files\3DO
2008-11-14 03:42 --------- d-----w c:\documents and settings\Dan\Application Data\PlayFirst
2008-11-13 22:11 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-11-12 21:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 21:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 18:10 --------- d-----w c:\documents and settings\Dan\Application Data\Move Networks
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2004-01-23 20:08 761,094 ----a-w c:\program files\noadware.exe
2008-08-21 15:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Smax4"="c:\documents and settings\Dan\Application Data\Google\kjzna1562565.exe" [2008-12-05 124416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="c:\windows\system32\sstray.exe" [2002-11-13 73728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="c:\windows\system32\nwiz.exe" [2007-12-05 1626112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-11-03 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-01 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Yahoo! Games\\Flip Words\\FlipWords.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Yahoo Games!\\Inspector Parker\\Parker.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\poc\\pocxxl\\bin\\pocxxl.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Infogrames Interactive\\Scrabble 2\\Scrabble v2.0.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2003-07-21 85265]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2003-07-21 9600]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-19 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-19 231704]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [2003-12-23 20480]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys [2003-12-23 20224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-15 24652]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe" [2008-12-06 1086840]
S0 NVDual;NVDual;c:\windows\system32\DRIVERS\nvDual.sys []
S3 efipsk;efipsk;\??\c:\docume~1\Dan\LOCALS~1\Temp\efipsk.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SSFS0BBC
*Newly Created Service* - WEBROOTSPYSWEEPERSERVICE
*Newly Created Service* - WRCONSUMERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\wrSpySweeper_A71B1237F9FF43D4A44D449D8E604048.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_A71B1237F9FF43D4A44D449D8E604048.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_A71B1237F9FF43D4A44D449D8E604048.job
- a:\","c:\","d:\","e:\" []

2008-12-06 c:\windows\Tasks\wrSpySweeper_LC8E4E32FE1C34B6E80430EC966FDE04A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_LC8E4E32FE1C34B6E80430EC966FDE04A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_LC8E4E32FE1C34B6E80430EC966FDE04A.job
- a:\","c:\","d:\","e:\" []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-wcmdmgr - c:\windows\wt\updater\wcmdmgrl.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearch Bar =
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\DairyDashWeb.1.0.0.12.dll - O16 -: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DairyDashWeb.1.0.0.12.inf

c:\windows\Downloaded Program Files\DDComcast.1.0.0.39.dll - O16 -: {2108E348-A0C0-1563-D327-730450CF5E34}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DDComcast.1.0.0.39.inf

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55.dll - O16 -: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55.inf
FireFox -: Profile - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\qnkxfhex.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-06 10:54:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-06 10:57:50
ComboFix-quarantined-files.txt 2008-12-06 15:56:32

Pre-Run: 8,433,422,336 bytes free
Post-Run: 10,054,008,832 bytes free

441 --- E O F --- 2008-11-12 16:20:13

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:07 pm

Whats next?

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by Belahzur on Sat Dec 06, 2008 4:08 pm

Hello.
I need you to uplad this file in bold:
c:\windows\system32\DRIVERS\ssfs0bbc.sys
To here for a scan
[You must be registered and logged in to see this link.]
Copy and paste the results back here.


Now open a new notepad file.
Input this into the notepad file:

Driver::
efipsk

File::
c:\documents and settings\Dan\Application Data\Google\kjzna1562565.exe

Folder::
C:\VundoFix Backups

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smax4"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:13 pm

File information
File Name : ssfs0bbc.sys
File Size : 29808 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 1097fe3528c825e54c1d52ed8c0eac0f
SHA1 : 07ecf7a8a831a9fa497da88c43277945407034da
Scanner results
Scanner results : All Scanners reported not find malware!
Time : 2008/12/06 11:10:41 (EST)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.0.0.27 20081205060110 2008-12-05 - 3.134
AhnLab V3 2008.12.06.01 2008.12.06 2008-12-06 - 1.649
AntiVir 7.9.0.42 7.1.0.195 2008-12-05 - 1.630
Antiy 2.0.18 20081206.1796347 2008-12-06 - 0.118
Arcavir 1.0.5 200811291125 2008-11-29 - 1.230
Authentium 5.1.1 200812061130 2008-12-06 - 1.075
AVAST! 3.0.1 081205-0 2008-12-05 - 0.005
AVG 7.5.52.442 270.9.15/1833 2008-12-05 - 1.790
BitDefender 7.81008.2333073 7.22342 2008-12-06 - 2.182
CA (VET) 9.0.0.143 31.6.6246 2008-12-06 - 5.490
ClamAV 0.94.1 8729 2008-12-06 - 0.011
Comodo 3.0 698 2008-12-06 - 1.759
CP Secure 1.1.0.715 2008.12.05 2008-12-05 - 5.966
Dr.Web 4.44.0.9170 2008.12.06 2008-12-06 - 3.666
ewido 4.0.0.2 2008.12.06 2008-12-06 - 3.472
F-Prot 4.4.4.56 20081206 2008-12-06 - 1.061
F-Secure 5.51.6100 2008.12.05.10 2008-12-05 - 3.841
Fortinet 2.81-3.117 9.785 2008-12-05 - 0.193
GData 19.1812/19.135 20081206 2008-12-06 - 2.740
Ikarus T3.1.01.45 2008.12.06.71965 2008-12-06 - 3.784
JiangMin 11.0.706 2008.12.06 2008-12-06 - 1.595
Kaspersky 5.5.10 2008.12.06 2008-12-06 - 0.036
KingSoft 2008.9.8.18 2008.12.6.22 2008-12-06 - 0.869
McAfee 5.3.00 5455 2008-12-05 - 2.565
Microsoft 1.4205 2008.12.06 2008-12-06 - 3.922
mks_vir 2.01 2008.12.05 2008-12-05 - 2.667
Norman 5.93.01 5.93.00 2008-12-05 - 5.605
nProtect 2008-12-05.00 2742544 2008-12-05 - 3.428
Panda 9.05.01 2008.12.06 2008-12-06 - 3.939
Quick Heal 10.00 2008.12.06 2008-12-06 - 0.865
Rising 20.0 21.06.52.00 2008-12-06 - 0.780
Sophos 2.81.2 4.36 2008-12-06 - 1.953
Sunbelt 4674 4674 2008-11-04 - 0.793
Symantec 1.3.0.24 20081205.008 2008-12-05 - 0.167
The Hacker 6.3.1.2 v00178 2008-12-05 - 0.477
Trend Micro 8.700-1004 5.694.16 2008-12-06 - 0.026
VBA32 3.12.8.10 20081205.0956 2008-12-05 - 1.452
ViRobot 20081206 2008.12.06 2008-12-06 - 0.400
VirusBuster 4.5.11.10 10.94.16/729937 2008-12-05 - 0.936
Note: this file has been scanned before. Therefore, this file's scan result will not be stored in the database

Copy to clipboard

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:38 pm

ComboFix 08-12-05.06 - Dan 2008-12-06 11:17:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.150 [GMT -5:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Dan\Application Data\Google\kjzna1562565.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan\Application Data\Google\kjzna1562565.exe
C:\VundoFix Backups

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EFIPSK
-------\Service_efipsk


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-06 09:35 . 2008-12-06 09:35 d-------- C:\Binaries
2008-11-29 16:02 . 2008-11-29 16:02 d-------- c:\program files\Stardock
2008-11-29 16:02 . 2008-11-29 16:02 d--h-c--- c:\documents and settings\All Users\Application Data\{72BB8410-8269-4E63-9B72-2C809F27E338}
2008-11-29 15:46 . 2008-11-29 15:51 d-------- c:\documents and settings\Dan\Application Data\Stardock
2008-11-29 15:43 . 2008-11-29 15:43 d-------- c:\documents and settings\All Users\Application Data\Stardock
2008-11-29 15:41 . 2008-11-29 15:41 d-------- c:\program files\Stardock Games
2008-11-25 22:53 . 2008-11-25 22:53 d-------- c:\documents and settings\Dan\Application Data\Unity
2008-11-25 16:44 . 2008-11-25 16:44 d-------- c:\program files\Unity
2008-11-25 08:58 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-16 17:30 . 2008-11-16 17:30 0 --a------ c:\windows\~tmp.INI
2008-11-12 16:02 . 2008-11-12 16:02 29,808 --a------ c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 08:43 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 08:43 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 14:39 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-12-06 14:33 164 ----a-w C:\install.dat
2008-12-06 04:10 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-03 13:06 --------- d-----w c:\program files\Java
2008-11-16 22:30 --------- d-----w c:\program files\Mindscape
2008-11-16 22:29 --------- d-----w c:\program files\EA SPORTS
2008-11-16 22:28 --------- d-----w c:\program files\Microsoft Games
2008-11-16 18:00 --------- d-----w c:\program files\Common Files\3DO Shared
2008-11-16 18:00 --------- d-----w c:\program files\3DO
2008-11-14 03:42 --------- d-----w c:\documents and settings\Dan\Application Data\PlayFirst
2008-11-13 22:11 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-11-12 21:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 21:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-18 18:10 --------- d-----w c:\documents and settings\Dan\Application Data\Move Networks
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2004-01-23 20:08 761,094 ----a-w c:\program files\noadware.exe
2008-08-21 15:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-12-06 16:23:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2b8.dat
+ 2008-12-06 16:24:14 40,960 ----a-w c:\windows\Temp\rtdrvmon.exe
- 2008-12-06 15:54:48 3,330 ----a-w c:\windows\Temp\wrstemp\S-1-5-18.dat
+ 2008-12-06 16:24:39 3,330 ----a-w c:\windows\Temp\wrstemp\S-1-5-18.dat
- 2008-12-06 15:54:48 4,182 ----a-w c:\windows\Temp\wrstemp\S-1-5-19.dat
+ 2008-12-06 16:24:39 4,182 ----a-w c:\windows\Temp\wrstemp\S-1-5-19.dat
- 2008-12-06 15:54:48 4,250 ----a-w c:\windows\Temp\wrstemp\S-1-5-20.dat
+ 2008-12-06 16:24:39 4,250 ----a-w c:\windows\Temp\wrstemp\S-1-5-20.dat
- 2008-12-06 15:54:48 5,018 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1606980848-1425521274-725345543-1003.dat
+ 2008-12-06 16:24:39 5,018 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1606980848-1425521274-725345543-1003.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-11-13 17:04 238968 --a------ c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="c:\windows\system32\sstray.exe" [2002-11-13 73728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="c:\windows\system32\nwiz.exe" [2007-12-05 1626112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-11-03 180269]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-10-18 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-01 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Yahoo! Games\\Flip Words\\FlipWords.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Yahoo Games!\\Inspector Parker\\Parker.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\poc\\pocxxl\\bin\\pocxxl.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Infogrames Interactive\\Scrabble 2\\Scrabble v2.0.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 07\\Updater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ubisoft\\Heroes of Might and Magic V\\bin\\H5_Game.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\si3112r.sys [2003-07-21 85265]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2003-07-21 9600]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2008-11-12 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-19 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-19 231704]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\DRIVERS\nvtunep.sys [2003-12-23 20480]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\DRIVERS\nvtvsnd.sys [2003-12-23 20224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-01-15 24652]
R2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe" [2008-12-06 1086840]
S0 NVDual;NVDual;c:\windows\system32\DRIVERS\nvDual.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\wrSpySweeper_A71B1237F9FF43D4A44D449D8E604048.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_A71B1237F9FF43D4A44D449D8E604048.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_A71B1237F9FF43D4A44D449D8E604048.job
- a:\","c:\","d:\","e:\" []

2008-12-06 c:\windows\Tasks\wrSpySweeper_LC8E4E32FE1C34B6E80430EC966FDE04A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_LC8E4E32FE1C34B6E80430EC966FDE04A.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-11-13 17:11]

2008-12-06 c:\windows\Tasks\wrSpySweeper_LC8E4E32FE1C34B6E80430EC966FDE04A.job
- a:\","c:\","d:\","e:\" []
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\DairyDashWeb.1.0.0.12.dll - O16 -: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DairyDashWeb.1.0.0.12.inf

c:\windows\Downloaded Program Files\DDComcast.1.0.0.39.dll - O16 -: {2108E348-A0C0-1563-D327-730450CF5E34}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DDComcast.1.0.0.39.inf

c:\windows\Downloaded Program Files\TriJinx.1.0.0.55.dll - O16 -: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\TriJinx.1.0.0.55.inf
FireFox -: Profile - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\qnkxfhex.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-06 11:23:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(212)
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-12-06 11:36:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 16:36:20
ComboFix2.txt 2008-12-06 15:57:53

Pre-Run: 10,032,820,224 bytes free
Post-Run: 9,957,158,912 bytes free

226 --- E O F --- 2008-11-12 16:20:13

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:38 pm

whats next?

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by Belahzur on Sat Dec 06, 2008 4:39 pm

Looks good now, have the false alerts stopped?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:40 pm

its looks like it thanks?

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by drieder93 on Sat Dec 06, 2008 4:41 pm

i doesn't seem like it should have been this easy

drieder93
Novice
Novice

Posts Posts : 10
Joined Joined : 2008-12-06
OS OS : windows XP
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by Belahzur on Sat Dec 06, 2008 4:43 pm

Hello.
Yes, sometimes it's not this easy, but I guess you got lucky.

Delete this folder:
C:\Qoobox


We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Another Trojan.Zlob.G

Post by Doctor Inferno on Tue Dec 23, 2008 3:27 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104600
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum