Another trojan.zlob.g help request [Solved]

Post by Stogie on Sun Dec 07, 2008 3:48 pm

Hi there,

I'm having all the same issues the other people who have this trojan are having and can't seem to find a way to remove it. So I'm hoping you can help. Here is the information from the infected PC:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:52 AM, on 07/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
F:\HiJack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Picaboo.lnk = C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 10980 bytes

Uninstall file to follow...

Stogie
Novice
Posts : 7
Joined : 2008-12-07
OS : Vista
Points : 29190
Likes : 0

Solved Re: Another trojan.zlob.g help request

Post by Stogie on Sun Dec 07, 2008 3:48 pm

The uninstall file is:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
AC3Filter (remove only)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
AppCore
Apple Mobile Device Support
Apple Software Update
AV
ccCommon
Cisco Systems VPN Client 5.0.00.0340
ClamWin Free Antivirus 0.94.1
ESU for Microsoft Vista
ffdshow [rev 1324] [2007-07-01]
FitDay PC version 1.0
GearDrvs
GearDrvs
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.0
HP Quick Launch Buttons 6.20 B1
HP QuickPlay 3.2
HP Update
HP User Guides 0057
HP Wireless Assistant
HPNetworkAssistant
Intel Matrix Storage Manager
IrfanView (remove only)
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Motorola SM56 Data Fax Modem
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.0
My HP Games
Nero 8 Trial
neroxml
Norton 360
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NVIDIA Drivers
OpenOffice.org Installer 1.0
Picaboo 2.0.406
Picasa 3
Pure Networks Network Magic
QuickTax 2007
QuickTime
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Visio 2007 (KB947590)
SPBBC 32bit
SuppSoft
Symantec Technical Support Controls
SymNet
Synaptics Pointing Device Driver
The Rosetta Stone
TVersity Codec Pack 1.2
TVersity Media Server 1.0.0.7 RC4
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
VCRedistSetup
Winamp
Windows Live Messenger
WinRAR archiver
Xvid 1.1.3 final uninstall

Any help would be appreciated!

Stogie


Solved Re: Another trojan.zlob.g help request

Post by Belahzur on Sun Dec 07, 2008 4:02 pm

Hello.

1. Download this file - [You must be registered and logged in to see this link.]
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245049
Likes : 1

Solved Re: Another trojan.zlob.g help request

Post by Stogie on Sun Dec 07, 2008 5:03 pm

Here is the CF log file part 1...

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 19:51 . 2008-12-06 19:55 d-------- c:\users\York III\AppData\Roaming\.clamwin
2008-12-06 19:50 . 2008-12-06 19:51 d-------- c:\users\All Users\.clamwin
2008-12-06 19:50 . 2008-12-06 19:51 d-------- c:\programdata\.clamwin
2008-12-06 19:50 . 2008-12-06 19:51 d-------- c:\program files\ClamWin
2008-12-06 13:52 . 2008-12-07 10:28 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 13:52 . 2008-12-06 13:52 1,409 --a------ c:\windows\QTFont.for
2008-11-26 19:43 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-26 19:43 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-26 19:43 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-26 19:43 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-26 19:42 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-26 19:42 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-26 19:42 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-26 19:42 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-26 19:42 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-25 20:50 . 2008-10-21 00:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 20:50 . 2008-08-27 22:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 20:50 . 2008-08-27 22:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 20:50 . 2008-08-27 22:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 20:50 . 2008-10-21 22:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 20:50 . 2008-10-21 22:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-25 20:50 . 2008-10-21 22:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-13 18:38 . 2008-09-09 22:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-11-13 18:38 . 2008-09-04 23:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-11-13 18:38 . 2008-08-25 20:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-13 18:38 . 2008-09-09 22:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-11-13 18:38 . 2008-09-04 23:45 2,048 --a------ c:\windows\System32\msxml3r.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 16:47 --------- d-----w c:\users\York III\AppData\Roaming\DNA
2008-12-07 16:35 --------- d-----w c:\programdata\Symantec
2008-12-07 15:27 --------- d-----w c:\program files\DNA
2008-12-07 14:58 --------- d-----w c:\program files\Norton 360
2008-12-06 02:19 --------- d-----w c:\users\York III\AppData\Roaming\BitTorrent
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\Hewlett-Packard
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\GTek
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\CyberLink
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\Apple Computer
2008-12-01 23:58 --------- d-----w c:\programdata\Roxio
2008-11-23 08:01 --------- d-----w c:\programdata\Microsoft Help
2008-11-09 02:06 --------- d-----w c:\program files\Common Files\Adobe
2008-11-09 00:58 --------- d-----w c:\program files\TVersity Codec Pack
2008-10-30 01:16 --------- d-----w c:\users\York III\AppData\Roaming\Picaboo
2008-10-30 01:14 --------- d-----w c:\program files\Picaboo
2008-10-29 23:04 --------- d-----w c:\program files\Google
2008-10-29 23:04 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-10-24 00:18 2,302,017 ----a-w c:\windows\System32\GPhotos.scr
2008-10-17 23:51 --------- d-----w c:\users\York III\AppData\Roaming\IrfanView
2008-10-17 23:51 --------- d-----w c:\program files\IrfanView
2008-10-15 23:38 --------- d-----w c:\program files\Windows Mail
2008-10-07 00:08 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-07-10 07:10 174 --sha-w c:\program files\desktop.ini
2008-05-11 21:07 67,068 ----a-w c:\users\York III\AppData\Roaming\nvModes.dat
2008-08-12 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-08-12 00:02 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-08-12 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-12-29 22:27 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-29 22:27 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-29 22:27 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.


Solved Re: Another trojan.zlob.g help request

Post by Stogie on Sun Dec 07, 2008 5:04 pm

Here is the CF log part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-12-13 103720]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-06 171448]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-11 342336]
"Smax4v"="c:\users\York III\AppData\Roaming\Google\windep.exe" [2008-12-05 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1021224]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2006-10-16 1029664]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-14 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 116072]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

c:\users\York III\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2008-02-28 577536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-08-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7D6CFE7C-4259-4FD3-9BC8-0D6EDEAA41BF}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{6B57BF12-8752-405D-A53A-96EDCC10F828}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8D40834E-D1AF-47CB-84AB-EA35FC76E25E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1A43DBB1-E088-42CC-A9F7-89B79FBA9DBF}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{481B5365-281D-4ACF-8A30-BE1A5D05B7D9}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{01B07BAB-9EA1-4B92-A88D-C15C16BD363A}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{E2667968-3B5F-4040-88B5-ECB448859405}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"TCP Query User{B1C024BA-DED4-4D6F-AB44-A9A2CF33F047}c:\\users\\york iii\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\york iii\program files\bittorrent_dna\dna.exe:dna.exe
"UDP Query User{326388A6-AD16-41D7-88CF-2AB82FB32010}c:\\users\\york iii\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\york iii\program files\bittorrent_dna\dna.exe:dna.exe
"TCP Query User{8DCA07E2-7C80-4A0D-A320-73C96812E532}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{A98F8811-FC40-4280-8077-6FAC687BA1ED}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"{72895D4A-2FC2-476B-9DC2-E58D9E81A816}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{E7D56101-0839-4ED8-9E89-392480B4A493}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{397948FB-0E1C-48C2-A8E7-5A420CADF37D}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{3BB4F7FC-3326-484E-AD26-31DE434EAE18}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{D4908AE0-18E3-4465-822D-7E8CC9D6D614}"= TCP:67:DHCP Discovery Service
"{226B576A-75E4-40AF-B809-CD49C8AD5B93}"= TCP:67:DHCP Discovery Service
"{C12CCE08-0B7C-4815-89CB-F02260C41F0C}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{BF3B2A09-D8E8-40CB-B850-7E991018936A}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{DF53E9AC-C8C2-44B3-8D1D-AD13F866E8D5}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{933FABE5-D53B-4F51-B685-D285AEDA6B27}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{E3C3ED52-46BC-43AB-B55C-94A7DF603510}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{9600E8B8-BCA5-4586-A7F1-49655B62DB2A}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{61B8173C-A52A-4F4E-B7FD-B496308A2FAB}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{AEE5C5F6-D00C-48B3-B262-00D314FBDD47}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{E4FB969A-4DCF-446F-A0D7-AEF62AB8CC8C}"= UDP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{494038A5-D1C8-4247-8389-C16AE250BEDB}"= TCP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{841B77F4-D479-4DEB-A580-1C92824E7805}"= UDP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{2A701CDA-4AF0-4392-BBB0-87156C0040A8}"= TCP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{31C3A048-384A-4486-8EBD-B6595719DAA4}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{8B710016-CE52-49A7-BE7F-38DDDD07FE26}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{CD105B34-EF0E-4681-83DA-08EA46F4710B}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{CBD4683C-C272-4302-8814-FC0FB6AC6C1A}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20081203.001\IDSvix86.sys [2008-12-05 270384]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 38200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 11:55:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-12-07 11:58:18
ComboFix-quarantined-files.txt 2008-12-07 16:56:59

Pre-Run: 25,476,354,048 bytes free
Post-Run: 25,559,752,704 bytes free

197 --- E O F --- 2008-12-05 00:53:52


Solved Re: Another trojan.zlob.g help request

Post by Belahzur on Sun Dec 07, 2008 5:11 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\users\York III\AppData\Roaming\Google\windep.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smax4v"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


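A way to confirm on the machine that the CFScript above did what it was meant to, as an added PowerShell example that is not part of the original post and not part of ComboFix: it checks that the file named under File:: is gone, that the Run value named under Registry:: (the "Smax4v"=- line deletes that value) no longer exists, and lists whatever is still in the HKCU Run key, which is the same list ComboFix prints under "Reg Loading Points". The file path and value name are the ones quoted in the post; PowerShell itself is assumed to be installed on the Vista machine.

```powershell
# Added verification example; not from the thread and not part of ComboFix.
# Values below are taken from the CFScript in the post above.
$targetFile = 'c:\users\York III\AppData\Roaming\Google\windep.exe'   # File:: entry
$runKey     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # Registry:: key
$valueName  = 'Smax4v'                                                # value deleted by "Smax4v"=-

function Test-CleanupComplete {
    param([string]$File, [string]$Key, [string]$Value)

    # The file must no longer exist anywhere ComboFix was asked to delete it.
    $fileGone = -not (Test-Path -LiteralPath $File)

    # The Run value must be absent. A missing key counts as absent too.
    $valueGone = $true
    if (Test-Path -LiteralPath $Key) {
        $props = Get-ItemProperty -LiteralPath $Key
        if ($null -ne $props.PSObject.Properties[$Value]) { $valueGone = $false }
    }

    [pscustomobject]@{
        File      = $File
        FileGone  = $fileGone
        RunValue  = $Value
        ValueGone = $valueGone
        Clean     = ($fileGone -and $valueGone)
    }
}

# Show every remaining per-user autostart so anything unexpected stands out.
# The PS* properties are PowerShell provider metadata, not registry values.
if (Test-Path -LiteralPath $runKey) {
    (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }
}

Test-CleanupComplete -File $targetFile -Key $runKey -Value $valueName | Format-List
```

Run it from the account the infection was found under (York III in this thread), since HKCU and the AppData path belong to that user. A Clean value of True corresponds to what the updated ComboFix log later shows: windep.exe listed under "Other Deletions" and no Smax4v entry left under the HKCU Run key.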

Solved Re: Another trojan.zlob.g help request

Post by Stogie on Sun Dec 07, 2008 5:32 pm

Updated CF log part 1..

ComboFix 08-12-06.06 - York III 2008-12-07 12:19:54.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1085 [GMT -5:00]
Running from: c:\users\York III\Desktop\ComboFix.exe
Command switches used :: c:\users\York III\Desktop\CFscript.txt

FILE ::
c:\users\York III\AppData\Roaming\Google\windep.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\York III\AppData\Roaming\Google\windep.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 19:51 . 2008-12-06 19:55 d-------- c:\users\York III\AppData\Roaming\.clamwin
2008-12-06 19:50 . 2008-12-06 19:51 d-------- c:\users\All Users\.clamwin
2008-12-06 19:50 . 2008-12-06 19:51 d-------- c:\programdata\.clamwin
2008-12-06 19:50 . 2008-12-06 19:51 d-------- c:\program files\ClamWin
2008-12-06 13:52 . 2008-12-07 12:15 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 13:52 . 2008-12-06 13:52 1,409 --a------ c:\windows\QTFont.for
2008-11-26 19:43 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-26 19:43 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-26 19:43 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-26 19:43 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-26 19:42 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-26 19:42 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-26 19:42 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-26 19:42 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-26 19:42 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-25 20:50 . 2008-10-21 00:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 20:50 . 2008-08-27 22:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 20:50 . 2008-08-27 22:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 20:50 . 2008-08-27 22:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 20:50 . 2008-10-21 22:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 20:50 . 2008-10-21 22:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-25 20:50 . 2008-10-21 22:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-13 18:38 . 2008-09-09 22:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-11-13 18:38 . 2008-09-04 23:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-11-13 18:38 . 2008-08-25 20:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-13 18:38 . 2008-09-09 22:21 2,048 --a------ c:\windows\System32\msxml6r.dll
2008-11-13 18:38 . 2008-09-04 23:45 2,048 --a------ c:\windows\System32\msxml3r.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 17:25 --------- d-----w c:\users\York III\AppData\Roaming\DNA
2008-12-07 17:15 --------- d-----w c:\program files\DNA
2008-12-07 16:35 --------- d-----w c:\programdata\Symantec
2008-12-07 14:58 --------- d-----w c:\program files\Norton 360
2008-12-06 02:19 --------- d-----w c:\users\York III\AppData\Roaming\BitTorrent
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\Hewlett-Packard
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\GTek
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\CyberLink
2008-12-05 23:43 --------- d-----w c:\users\York III\AppData\Roaming\Apple Computer
2008-12-01 23:58 --------- d-----w c:\programdata\Roxio
2008-11-23 08:01 --------- d-----w c:\programdata\Microsoft Help
2008-11-09 02:06 --------- d-----w c:\program files\Common Files\Adobe
2008-11-09 00:58 --------- d-----w c:\program files\TVersity Codec Pack
2008-10-30 01:16 --------- d-----w c:\users\York III\AppData\Roaming\Picaboo
2008-10-30 01:14 --------- d-----w c:\program files\Picaboo
2008-10-29 23:04 --------- d-----w c:\program files\Google
2008-10-29 23:04 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-10-24 00:18 2,302,017 ----a-w c:\windows\System32\GPhotos.scr
2008-10-17 23:51 --------- d-----w c:\users\York III\AppData\Roaming\IrfanView
2008-10-17 23:51 --------- d-----w c:\program files\IrfanView
2008-10-15 23:38 --------- d-----w c:\program files\Windows Mail
2008-10-07 00:08 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-07-10 07:10 174 --sha-w c:\program files\desktop.ini
2008-05-11 21:07 67,068 ----a-w c:\users\York III\AppData\Roaming\nvModes.dat
2008-08-12 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-08-12 00:02 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-08-12 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-12-29 22:27 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-29 22:27 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-29 22:27 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.


Solved Re: Another trojan.zlob.g help request

Post by Stogie on Sun Dec 07, 2008 5:33 pm

Updated CF log part 2..

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 14:37:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-07 17:14:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-07 14:37:55 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-07 17:14:46 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-07 16:55:22 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-07 17:18:51 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-12-07 17:18:51 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-12-07 16:55:16 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-07 17:18:46 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-12-07 17:18:46 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-12-07 15:41:43 108,526 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-07 17:22:07 108,526 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-07 15:41:43 623,342 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-07 17:22:07 623,342 ----a-w c:\windows\System32\perfh009.dat
- 2008-12-07 00:52:56 8,970 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2562604416-1981613302-3698921906-1000_UserData.bin
+ 2008-12-07 17:19:27 8,970 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2562604416-1981613302-3698921906-1000_UserData.bin
- 2008-12-07 00:52:56 70,848 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-07 17:19:27 70,966 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-12-13 103720]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-06 171448]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-11 342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1021224]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2006-10-16 1029664]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-14 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 116072]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2008-11-09 86016]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

c:\users\York III\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2008-02-28 577536]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-08-11 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7D6CFE7C-4259-4FD3-9BC8-0D6EDEAA41BF}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{6B57BF12-8752-405D-A53A-96EDCC10F828}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8D40834E-D1AF-47CB-84AB-EA35FC76E25E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1A43DBB1-E088-42CC-A9F7-89B79FBA9DBF}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{481B5365-281D-4ACF-8A30-BE1A5D05B7D9}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{01B07BAB-9EA1-4B92-A88D-C15C16BD363A}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{E2667968-3B5F-4040-88B5-ECB448859405}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"TCP Query User{B1C024BA-DED4-4D6F-AB44-A9A2CF33F047}c:\\users\\york iii\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\york iii\program files\bittorrent_dna\dna.exe:dna.exe
"UDP Query User{326388A6-AD16-41D7-88CF-2AB82FB32010}c:\\users\\york iii\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\york iii\program files\bittorrent_dna\dna.exe:dna.exe
"TCP Query User{8DCA07E2-7C80-4A0D-A320-73C96812E532}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{A98F8811-FC40-4280-8077-6FAC687BA1ED}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"{72895D4A-2FC2-476B-9DC2-E58D9E81A816}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{E7D56101-0839-4ED8-9E89-392480B4A493}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{397948FB-0E1C-48C2-A8E7-5A420CADF37D}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{3BB4F7FC-3326-484E-AD26-31DE434EAE18}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{D4908AE0-18E3-4465-822D-7E8CC9D6D614}"= TCP:67:DHCP Discovery Service
"{226B576A-75E4-40AF-B809-CD49C8AD5B93}"= TCP:67:DHCP Discovery Service
"{C12CCE08-0B7C-4815-89CB-F02260C41F0C}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{BF3B2A09-D8E8-40CB-B850-7E991018936A}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{DF53E9AC-C8C2-44B3-8D1D-AD13F866E8D5}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{933FABE5-D53B-4F51-B685-D285AEDA6B27}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{E3C3ED52-46BC-43AB-B55C-94A7DF603510}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{9600E8B8-BCA5-4586-A7F1-49655B62DB2A}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{61B8173C-A52A-4F4E-B7FD-B496308A2FAB}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{AEE5C5F6-D00C-48B3-B262-00D314FBDD47}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)
"{E4FB969A-4DCF-446F-A0D7-AEF62AB8CC8C}"= UDP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{494038A5-D1C8-4247-8389-C16AE250BEDB}"= TCP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{841B77F4-D479-4DEB-A580-1C92824E7805}"= UDP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{2A701CDA-4AF0-4392-BBB0-87156C0040A8}"= TCP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{31C3A048-384A-4486-8EBD-B6595719DAA4}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{8B710016-CE52-49A7-BE7F-38DDDD07FE26}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{CD105B34-EF0E-4681-83DA-08EA46F4710B}"= UDP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{CBD4683C-C272-4302-8814-FC0FB6AC6C1A}"= TCP:c:\program files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20081203.001\IDSvix86.sys [2008-12-05 270384]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 38200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe

*Newly Created Service* - COMHOST
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 12:25:57
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-07 12:27:36
ComboFix-quarantined-files.txt 2008-12-07 17:27:05
ComboFix2.txt 2008-12-07 16:58:27

Pre-Run: 25,265,733,632 bytes free
Post-Run: 25,239,515,136 bytes free

224 --- E O F --- 2008-12-05 00:53:52


Solved Re: Another trojan.zlob.g help request

Post by Belahzur on Sun Dec 07, 2008 5:40 pm

Looks good, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Another trojan.zlob.g help request

Post by Stogie on Sun Dec 07, 2008 5:46 pm

No more problems! Thank you so much for your help!

Thank You!


Solved Re: Another trojan.zlob.g help request

Post by Belahzur on Sun Dec 07, 2008 5:47 pm

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


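The Add or Remove Programs walk-through above can be checked from a console, as an added PowerShell example that is not part of the original post and not part of JavaRa: it reads the uninstall entries Add or Remove Programs is built from, lists every Java runtime registered there, warns about any entry other than the one just installed, and reports which version the JRE itself registers as current. The expected display name "Java(TM) 6 Update 11" is an assumption matching the installer named in the post; the HijackThis log at the top of the thread shows jusched.exe running from jre1.6.0_07, which is the kind of stale entry this is meant to surface.

```powershell
# Added inventory example; not from the thread and not part of JavaRa.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # present on 64-bit Windows only
)
# Assumed display name of the build the post links to; adjust if you install a newer one.
$expected = 'Java(TM) 6 Update 11'

function Get-InstalledJava {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            # The post says to remove anything with JRE or J2SE in the name.
            if ($p.DisplayName -match 'Java|J2SE|JRE') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    UninstallString = $p.UninstallString
                    KeyPath         = $_.PSPath
                }
            }
        }
    }
}

$installed = @(Get-InstalledJava -Roots $uninstallRoots)
$installed | Format-Table DisplayName, DisplayVersion -AutoSize

# Anything that is not the freshly installed runtime is a leftover to remove.
$stale = @($installed | Where-Object { $_.DisplayName -ne $expected })
if ($stale.Count -gt 0) {
    $names = ($stale | ForEach-Object { $_.DisplayName }) -join '; '
    Write-Warning "Older Java entries still present: $names"
} else {
    'No Java entries other than the expected runtime were found.'
}

# The JRE records which version it treats as current; after the upgrade this
# should no longer point at the 1.6.0_07 install seen in the log.
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path -LiteralPath $jreKey) {
    'JavaSoft CurrentVersion: ' + (Get-ItemProperty -LiteralPath $jreKey).CurrentVersion
}
```

Run it once before the manual removals to get the list of what Add or Remove Programs will show, and again after the reboot and the new installer to confirm that only the expected runtime is left; the UninstallString column is the same command Add or Remove Programs runs for each entry.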

Solved Re: Another trojan.zlob.g help request

Post by Doctor Inferno on Fri Dec 26, 2008 4:28 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

