Trojan.Zlob.G Please Help


Trojan.Zlob.G Please Help

Post by samarakhan on 7th December 2008, 11:42 am

Hello, yet another guy with Trojan.Zlob.G. The Security Center Alert pops up and says it blocked Trojan.Zlob.G.
I cannot open IE or Firefox, and if it does open, it closes within a few seconds. I would appreciate your help. I am on another computer now.
Thank you.

samarakhan (Novice)
Posts: 17
Joined: 2008-12-07
OS: Windows XP Professional SP3
Points: 29246
Likes: 0


combofix

Post by samarakhan on 7th December 2008, 11:53 am

After reading through some solutions to this problem in the forum, I ran ComboFix.
This is the log:

ComboFix 08-12-06.06 - BILLY 2008-12-07 11:33:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1293 [GMT 0:00]
Running from: K:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\BILLY\Application Data\Google\kjzna1562565.exe
d:\documents and settings\BILLY\My Documents\Online Security Guide.url
d:\documents and settings\BILLY\My Documents\Security Troubleshooting.url
I:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-11-30 21:53 . 2008-11-30 21:54 d-------- d:\program files\iTunes
2008-11-30 21:53 . 2008-11-30 21:53 d-------- d:\program files\iPod
2008-11-30 21:53 . 2008-11-30 21:54 d-------- d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-30 21:51 . 2008-11-30 21:52 d-------- d:\program files\QuickTime
2008-11-22 19:37 . 2008-11-22 19:37 d-------- d:\program files\Sierra Entertainment
2008-11-20 20:44 . 2008-11-20 20:44 42,320 --a------ d:\windows\system32\xfcodec.dll
2008-11-16 18:37 . 2008-11-16 18:37 d-------- d:\documents and settings\LocalService\Application Data\agi
2008-11-16 18:37 . 2008-11-16 18:37 2,117,632 --a------ d:\windows\system32\python25.dll
2008-11-16 18:37 . 2008-09-16 16:26 1,332,197 --a------ d:\windows\system32\pythondll.zip
2008-11-16 18:37 . 2008-11-16 18:37 339,968 --a------ d:\windows\system32\pythoncom25.dll
2008-11-16 18:37 . 2008-11-16 18:37 114,688 --a------ d:\windows\system32\pywintypes25.dll
2008-11-12 16:46 . 2008-09-04 17:15 1,106,944 -----c--- d:\windows\system32\dllcache\msxml3.dll
2008-11-12 16:41 . 2008-10-24 11:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 11:37 --------- d-----w d:\documents and settings\All Users\Application Data\Kontiki
2008-12-07 11:30 --------- d-----w d:\documents and settings\BILLY\Application Data\DNA
2008-12-07 10:44 --------- d-----w d:\documents and settings\BILLY\Application Data\LimeWire
2008-12-07 10:27 --------- d-----w d:\documents and settings\All Users\Application Data\Google Updater
2008-12-07 10:13 --------- d-----w d:\program files\Common Files\Symantec Shared
2008-12-06 10:40 --------- d-----w d:\documents and settings\BILLY\Application Data\InstallShield
2008-12-06 10:40 --------- d-----w d:\documents and settings\BILLY\Application Data\BitTorrent
2008-12-06 10:40 --------- d-----w d:\documents and settings\BILLY\Application Data\Apple Computer
2008-12-04 19:00 --------- d-----w d:\program files\Xfire
2008-11-30 21:53 --------- d-----w d:\program files\Common Files\Apple
2008-11-30 21:43 --------- d-----w d:\program files\Safari
2008-11-29 20:00 137,480 ----a-w d:\windows\system32\drivers\PnkBstrK.sys
2008-11-29 19:59 183,120 ----a-w d:\windows\system32\PnkBstrB.exe
2008-11-25 16:15 --------- d-----w d:\documents and settings\BILLY\Application Data\Xfire
2008-11-22 19:35 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-16 19:44 --------- d-----w d:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-16 18:53 --------- d-----w d:\program files\Messenger Plus! Live
2008-11-15 20:04 --------- d-----w d:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-07 14:23 32,000 ----a-w d:\windows\system32\drivers\usbaapl.sys
2008-10-24 11:21 455,296 ----a-w d:\windows\system32\drivers\mrxsmb.sys
2008-10-23 18:58 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-10-23 18:58 --------- d-----w d:\program files\AGEIA Technologies
2008-10-23 18:34 66,872 ----a-w d:\windows\system32\PnkBstrA.exe
2008-10-23 18:34 22,328 ----a-w d:\documents and settings\BILLY\Application Data\PnkBstrK.sys
2008-10-23 18:34 2,250,024 ----a-w d:\windows\system32\pbsvc.exe
2008-10-23 18:29 --------- d-----w d:\program files\Ubisoft
2008-10-16 14:13 202,776 ----a-w d:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w d:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w d:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w d:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w d:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w d:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w d:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w d:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w d:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w d:\windows\system32\muweb.dll
2008-10-02 09:07 453,152 ----a-w d:\windows\system32\NVUNINST.EXE
2008-09-22 20:05 107,888 ----a-w d:\windows\system32\CmdLineExt.dll
2008-09-22 17:26 6,242 ----a-w d:\windows\system32\ealregsnapshot1.reg
2008-09-15 12:12 1,846,400 ----a-w d:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w d:\windows\system32\msxml6.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="d:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Comrade.exe"="d:\program files\GameSpy\Comrade\Comrade.exe" [2007-06-29 36864]
"BitTorrent DNA"="d:\program files\DNA\btdna.exe" [2008-08-24 289088]
"kdx"="d:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"EA Core"="d:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
"AdobeUpdater"="d:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-07 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"ccApp"="d:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="d:\program files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"TkBellExe"="d:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-24 185896]
"SunJavaUpdateSched"="d:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"4oD"="d:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"dvd43"="d:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
"PrintServer Diagnostic"="d:\program files\Print Server\PTP\PSDiagnostic.exe" [2004-11-24 266240]
"AppleSyncNotifier"="d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 d:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-10-07 d:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 d:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\BILLY\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - d:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
OneNote Table Of Contents.onetoc2 [2008-08-30 3656]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - d:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-01 113664]
Belkin Wireless Networking Utility.lnk - d:\program files\Belkin\F5D8051v2\Belkinwcui.exe [2008-08-24 1576960]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-24 805392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 d:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"d:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\DNA\\btdna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Kontiki\\KService.exe"=
"d:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Program Files\\Xfire\\xfire.exe"=
"d:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"d:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"d:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\d:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
S3 COH_Mon;COH_Mon;\??\d:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-05 d:\windows\Tasks\Norton Internet Security - Run Full System Scan - BILLY.job
- d:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 05:05]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Smax4 - d:\documents and settings\BILLY\Application Data\Google\kjzna1562565.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

d:\windows\Downloaded Program Files\InstallerControl.dll - O16 -: CabBuilder
[You must be registered and logged in to see this link.]
d:\windows\Downloaded Program Files\OSDC5.OSD
FireFox -: Profile - d:\documents and settings\BILLY\Application Data\Mozilla\Firefox\Profiles\unsnwna2.default\
FF -: plugin - c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - d:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - d:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - d:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF -: plugin - d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 11:37:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1288)
d:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
d:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2008-12-07 11:38:52
ComboFix-quarantined-files.txt 2008-12-07 11:38:38

Pre-Run: 53,768,531,968 bytes free
Post-Run: 55,059,988,480 bytes free

208 --- E O F --- 2008-11-13 19:46:14


Re: Trojan.Zlob.G Please Help

Post by Belahzur on 7th December 2008, 2:27 pm

Looks good, what problems remain?



Belahzur (Administrator)
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1


Re: Trojan.Zlob.G Please Help

Post by samarakhan on 7th December 2008, 2:30 pm

The problem seems to have disappeared. I haven't rebooted since the scan was run; however, there are not any noticeable effects at present. I am concerned that the registry is still affected, and the problem will reoccur when I reboot. Is there any way to check?


Re: Trojan.Zlob.G Please Help

Post by Belahzur on 7th December 2008, 2:40 pm

Hello.
No, the registry is fine; there's no more run value from the problem. It should be fine now.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop-down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions.
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.
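As an added example (not code from this thread, from ComboFix or from the forum), here is a small Python triage script for samarakhan's question "is there any way to check?": it parses a REGEDIT4-style "Reg Loading Points" section like the one in the log above and flags three things worth re-checking after a cleanup: autorun values launching from a user-writable Application Data folder (where the removed Smax4/kjzna1562565.exe entry lived), Security Center monitoring that is disabled, and a disabled Windows Firewall. The sample log is constructed from the thread's entries; the size field on the Smax4 line is made up.

```python
import re

# Constructed sample modelled on the ComboFix "Reg Loading Points" section above;
# the Smax4 line is the orphan ComboFix removed (its size field here is made up).
SAMPLE_LOG = """\
REGEDIT4
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"CTFMON.EXE"="d:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]
"Smax4"="d:\\documents and settings\\BILLY\\Application Data\\Google\\kjzna1562565.exe" [2008-12-07 90112]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ccApp"="d:\\program files\\Common Files\\Symantec Shared\\ccApp.exe" [2008-10-17 51048]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# A per-user Application Data folder is writable without admin rights; that is
# where this thread's dropper (kjzna1562565.exe under ...\Google\) launched from.
USER_WRITABLE_RE = re.compile(r"documents and settings\\[^\\]+\\application data", re.I)

def parse_reg_points(text):
    """Return (key, value_name, value) triples from a REGEDIT4-style dump."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("value")))
    return entries

def find_findings(entries):
    """Flag what is worth re-checking after a cleanup like the one in this thread."""
    findings = []
    for key, name, value in entries:
        lk = key.lower()
        if lk.endswith("\\run"):
            # Run values look like: "d:\path\prog.exe" [date size]
            path = value.split('"')[1] if value.startswith('"') else value
            if USER_WRITABLE_RE.search(path):
                findings.append(("autorun-in-user-writable-dir", name, path))
        elif "security center\\monitoring" in lk and value.lower() == "dword:00000001":
            # Norton/Symantec sets this too, to silence duplicate alerts, so this
            # means "verify which product set it", not proof of malware.
            findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1], value))
        elif lk.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            findings.append(("windows-firewall-disabled", name, value))
    return findings
```

Run it against the "Reg Loading Points" block of a fresh ComboFix log after rebooting; an empty result for the autorun check is the confirmation that no run value pointing back into Application Data survived.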




Re: Trojan.Zlob.G Please Help

Post by Doctor Inferno on 24th December 2008, 9:40 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



Doctor Inferno (Administrator)
Posts: 11976
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104630
Likes: 0
