Me too...Trojan.Zlob.G


Solved Me too...Trojan.Zlob.G

Post by itsatrap on 7th December 2008, 8:11 pm

My computer got the flu with this bugger last night. Residently-running full retail Zone Alarm does not see it or detect it, nor does Ad-Aware or SpyBot (even with multiple manual scans... nothing). I get the pop-up every few minutes saying your computer has Trojan Zlob.G and click here to get full protection, yadda, yadda. All browsers crash after a few seconds (if not immediately): IE7, Firefox 3.0.4, Safari. Here is my HIJACKTHIS.LOG.

===================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:27 AM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\cmd.exe
C:\hijackthis\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13734 bytes

itsatrap
Novice

Posts: 8
Joined: 2008-12-07
OS: Windows XP SP3
Points: 29230
Likes: 0

Solved My UNINSTALL_LIST.TXT

Post by itsatrap on 7th December 2008, 8:13 pm

Here is my UNINSTALL_LIST.TXT as well, below.

==================================================

@BIOS B06.0601.01
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Acrobat.com
ActivePerl 5.10.0 Build 1003
ActivePerl 5.10.0 Build 1004
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9
AIM 6
Angband 3.0.6
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 7.21
Ashampoo Burning Studio 8.04
Audacity 1.2.6
Audacity 1.3.4
Audacity 1.3.5 (Unicode)
AutoCAD 2009 - English
AutoCAD 2009 - English Version 3
Autodesk DWF Viewer 7
Avanquest update
BCWipe 3.0
Bonjour
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner (remove only)
ChessTiger 15
Convert
Core FTP LE 1.3c
Corel WinDVD 9
CyberLink PowerDVD 8
Dassault Systemes Software Prerequisites x86
DigiTech RP350 Drivers
DigiTech RP350 Drivers
DigiTech X-Edit 2.4.1
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DMIView
Duplicate File Finder
EA Download Manager
EA SPORTS online 2007
ETC B06.0809.01
EVEREST Ultimate Edition v4.50
File Wipe Pro 2.0
Finale 2007
FLV Player 1.3.3
Folding@Home
Full Tilt Poker
Futuremark Measurement Services Client
Garmin Communicator Plugin
Garmin MapSource
Garmin TOPO U.S. 2008
Garmin Trip and Waypoint Manager v4
Garritan Ambiance Installer
GeoPDF Toolbar
Gigabyte Raid Configurer
GlassFish v3 Prelude b15b
Google Earth
Google Earth Pro
Google Updater
GPSU File Converter v1.25
GPSU version 4.98
Guitar Pro 5.2
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2100 series
hp psc 2100 series
i-Cool
ImgBurn
IrfanView (remove only)
iTunes
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9.01 - (9.0.1.1)
Jasc Paint Shop Pro 9.01 Patch
Java DB 10.4.1.3
Java(TM) 6 Update 11
Java(TM) SE Development Kit 6 Update 10
jEdit 4.3pre13
LimeWire PRO 4.18.8
Lizardtech DjVu Control (autoinstall)
Magic ISO Maker v5.4 (build 0256)
MagicDisc 2.6.93
MahJong Suite 2008 v5.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Location Finder
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (3.0.4)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Musicnotes Player V1.23.1
Musitek SmartScore X Professional Edition v10.0.1
Native Instruments Finale GPO 2.0
Nero Suite
NetBeans IDE 6.5
NetBeans IDE 6.5 RC1
NetGammon8
NewsBin Pro
NVIDIA Drivers
NVIDIA nTune
OpenOffice.org 2.4
PokerStars.net
Prime95
QuickCam Drivers
QuickPar 0.9
QuickTime
Realtek High Definition Audio Driver
Reasonable NoClone 2007 Enterprise
Rio Internet Update
Rio Music Manager
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Skype™ 3.2
SmartMusic 9
SmartScore X Professional Edition Demo
SpeedFan (remove only)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SwordSearcher 5
SwordSearcher Library Modules from SSModules.com
SwordSearcher User Module from wsbones
System Requirements Lab
The Second Coming of Christ (Larkin) SwordSearcher 5
Thermal Analysis Tool
Tiger Woods PGA TOUR 07
TrackMania Nations ESWC 1.7.9
TVUPlayer 2.3.6.1
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb957829)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VC 9.0 Runtime
Viewpoint Media Player
Virtual Cable Tester
Virtual Earth - 3DVIA (Beta)
Virtual Earth 3D (Beta)
Windows Imaging Component
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
WorshipLeaderAssistant.com Viewer
Yahoo! Messenger
ZoneAlarm Security Suite


Solved Re: Me too...Trojan.Zlob.G

Post by Belahzur on 7th December 2008, 9:10 pm

Hello.

  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

Solved COMBOFIX.TXT Part 1

Post by itsatrap on 8th December 2008, 3:16 am

ComboFix 08-12-06.06 - tasm 2008-12-07 20:29:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1344 [GMT -6:00]
Running from: c:\documents and settings\tasm\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a.bat
c:\documents and settings\tasm\Application Data\Google\kjzna1562565.exe
c:\windows\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 00:45 . 2008-12-07 00:50 d-------- C:\hijackthis
2008-12-03 22:25 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-27 10:34 . 2008-11-27 10:34 d-------- c:\program files\iPod
2008-11-27 10:33 . 2008-11-27 10:34 d-------- c:\program files\iTunes
2008-11-27 10:33 . 2008-11-27 10:34 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 10:28 . 2008-11-27 10:29 d-------- c:\program files\QuickTime
2008-11-21 21:06 . 2008-11-21 21:08 d-------- c:\program files\NetBeans 6.5
2008-11-17 08:53 . 2008-11-17 08:53 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-12 23:56 . 2008-11-12 23:56 d-------- c:\documents and settings\tasm\Application Data\Yahoo!
2008-11-11 19:27 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:26 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 02:31 167,693,600 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-08 02:08 --------- d-----w c:\documents and settings\tasm\Application Data\OpenOffice.org2
2008-12-08 02:01 2,227,520 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-08 01:59 --------- d-----w c:\documents and settings\tasm\Application Data\SwordSearcher 5
2008-12-07 07:08 --------- d-----w c:\program files\SwordSearcher 5
2008-12-07 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-07 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 03:46 --------- d-----w c:\documents and settings\tasm\Application Data\NewsBin
2008-12-07 03:45 --------- d-----w c:\program files\uTorrent
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\uTorrent
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\Apple Computer
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\Ahead
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\AdobeUM
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\ACD Systems
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\acccore
2008-12-07 03:43 --------- d-----w c:\documents and settings\tasm\Application Data\Ashampoo
2008-12-07 03:35 --------- d-----w c:\program files\Ashampoo
2008-12-07 02:04 --------- d-----w c:\documents and settings\tasm\Application Data\LimeWire
2008-12-07 01:44 --------- d-----w c:\program files\LimeWire
2008-12-04 04:25 --------- d-----w c:\program files\Java
2008-11-29 22:42 24,241,841 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-27 16:33 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 16:15 --------- d-----w c:\program files\Safari
2008-11-21 13:17 --------- d-----w c:\program files\DivX
2008-11-18 01:49 --------- d-----w c:\program files\AIM6
2008-11-17 14:54 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-17 14:49 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-14 00:45 --------- d-----w c:\program files\Yahoo!
2008-11-13 12:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-13 12:17 --------- d-----w c:\program files\Folding@Home
2008-11-13 12:15 70,991 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_11_13_06_12_26_small.dmp.zip
2008-11-13 12:15 53,163 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_11_13_06_12_22_small.dmp.zip
2008-11-12 09:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 11:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-05 04:51 --------- d-----w c:\program files\Google
2008-11-04 02:50 --------- d-----w c:\program files\TrackMania Nations ESWC
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-28 06:14 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-28 06:14 --------- d-----w c:\program files\AutoCAD 2009
2008-10-28 06:02 --------- d-----w c:\documents and settings\tasm\Application Data\Skype
2008-10-27 13:26 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-10-27 13:22 --------- d-----w c:\documents and settings\tasm\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-27 08:01 --------- d-----w c:\program files\Virtual Earth 3D
2008-10-27 05:45 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-10-27 05:33 --------- d-----w c:\documents and settings\tasm\Application Data\Audacity
2008-10-27 05:30 --------- d-----w c:\program files\PokerStars.NET
2008-10-27 05:20 --------- d-----w c:\program files\Full Tilt Poker
2008-10-27 05:17 --------- d-----w c:\program files\Common Files\Adobe
2008-10-27 05:01 --------- d-----w c:\documents and settings\tasm\Application Data\CoreFTP
2008-10-27 04:22 --------- d-----w c:\documents and settings\tasm\Application Data\MailFrontier
2008-10-25 05:15 --------- d-----w c:\program files\GPS Utility
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 08:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-23 07:39 --------- d-----w c:\program files\eclipse
2008-10-23 07:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 06:30 --------- d-----w c:\program files\NetBeans 6.5 RC1
2008-10-21 04:26 --------- d-----w c:\documents and settings\tasm\Application Data\MahJong Suite
2008-10-19 05:16 --------- d-----w c:\program files\WorshipLeaderAssistant.com Viewer
2008-10-19 05:13 96,864 ----a-w c:\windows\~GLC0000.TMP
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-09 19:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-09 19:25 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-16 04:16 23,113,606 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_09_15_20_24_49_full.dmp.zip
2008-09-16 04:16 23,056,260 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_09_15_20_50_38_full.dmp.zip
2008-09-16 04:15 20,784,029 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_09_15_20_23_42_full.dmp.zip
2008-09-16 01:50 4,268,032 ----a-w c:\windows\Internet Logs\xDB2D.tmp
2008-09-16 01:50 38,400 ----a-w c:\windows\Internet Logs\xDB2C.tmp
2008-09-16 01:24 4,267,008 ----a-w c:\windows\Internet Logs\xDB2B.tmp
2008-09-16 01:24 35,840 ----a-w c:\windows\Internet Logs\xDB2A.tmp
2008-09-15 21:04 669,184 ----a-w c:\windows\Internet Logs\xDB28.tmp
2008-09-15 21:04 4,264,960 ----a-w c:\windows\Internet Logs\xDB29.tmp
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-05-25 01:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat
.

itsatrap
Novice

Posts : 8
Joined : 2008-12-07
OS : Windows XP SP3
Points : 29230
Likes : 0

Solved COMBOFIX.TXT PART 2

Post by itsatrap on 8th December 2008, 3:17 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2006-11-14 121640]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2007-07-19 516848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

c:\documents and settings\tasm\Start Menu\Programs\Startup\
Folding@Home 5.03.lnk - c:\program files\Folding@Home\winFAH.exe [2008-04-08 323584]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-03-18 546816]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-16 24652]
S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\Drivers\CEUSBAUD.sys [2008-07-14 17920]
S3 MarkFun_NT;MarkFun_NT;\??\c:\program files\Gigabyte\ET5\markfun.w32 []
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSWAP.sys [2007-01-25 91496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9b4646-0c8b-11dc-b37c-806d6172696f}]
\Shell\AutoRun\command - E:\Run.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-07 c:\windows\Tasks\User_Feed_Synchronization-{AEE2552E-3044-48F8-B6AA-80D91239C56C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Smax4 - c:\documents and settings\tasm\Application Data\Google\kjzna1562565.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FireFox -: Profile - c:\documents and settings\tasm\Application Data\Mozilla\Firefox\Profiles\wj59nmt0.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Virtual Earth 3D\npVE3D.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 20:32:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
.
Completion time: 2008-12-07 20:33:58
ComboFix-quarantined-files.txt 2008-12-08 02:32:41

Pre-Run: 4,719,771,648 bytes free
Post-Run: 6,157,705,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

267 --- E O F --- 2008-11-12 09:05:14


Solved Followup notes from the combofix.exe run.

Post by itsatrap on 8th December 2008, 3:24 am

Notes on the cleanup: When I put my USB stick in my computer to copy combofix.exe over, I guess my PC scanned all the drives, and Zone Alarm popped up and said it had found Trojan.Win32.Inject.lak (file: spcffwl.dll, I think was the name of it). I told it to delete; then it asked again, and said delete on reboot. So I rebooted. Then I ran combofix.exe and as it ran, Zone Alarm popped up again and caught "EICAR_Test_Files" and quarantined it. I suppose that was a file combofix created to see if it was working correctly or something. Then the blue box which showed all the progress of combofix running said it had deleted something like Google/kjzna1562565.exe, and all my running processes started crashing/closing/warning me there were problems (again, I am sure that was combofix going through everything). So when all was said and done, among other things, it deleted c:\a.bat, a setup.inf file somewhere and a few others. I hope everything looks clean. Let me know if there is more I need to do/other files (from combofix or otherwise) safe to delete. THANK YOU 100,000%!!! [Internet is back up and running so far. I guess I will go ahead and reboot....]


Solved Re: Me too...Trojan.Zlob.G

Post by Belahzur on 8th December 2008, 1:32 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\users\Jeremy\AppData\Roaming\Google\windep.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9b4646-0c8b-11dc-b37c-806d6172696f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1
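The log posted above shows the three things Belahzur's CFScript undoes: the Windows Firewall policy turned off (`"EnableFirewall"= 0`), two MountPoints2 AutoRun handlers pointing at executables on removable drives, and an orphaned Run entry that launched an executable out of the user's Application Data folder. The Python below is an added example for this page, not part of the thread or of ComboFix: it parses a constructed excerpt in the same "Reg Loading Points" format, flags those indicators, and emits the `Registry::` lines a helper would hand back to ComboFix (`[-key]` deletes a key, exactly as in the script above). The heuristic that an autostart binary under Application Data or Temp is suspicious is this example's assumption, not a ComboFix rule, and the date and size on the constructed Smax4 line are made up.

```python
"""Triage a ComboFix 'Reg Loading Points' section for the indicators in this thread.

Added example for this page; not part of ComboFix or of any post above.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the log posted above. The Smax4 line's date
# and size are made up; the other entries mirror what was posted.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Smax4"="c:\documents and settings\tasm\Application Data\Google\kjzna1562565.exe" [2008-12-06 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9b4646-0c8b-11dc-b37c-806d6172696f}]
\Shell\AutoRun\command - E:\Run.exe

*Newly Created Service* - PROCEXP90
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)
MOUNTPOINTS_RE = re.compile(r'\\explorer\\mountpoints2\\', re.IGNORECASE)
FIREWALL_KEY_RE = re.compile(r'firewallpolicy\\(standard|domain)profile$', re.IGNORECASE)
# Heuristic (this example's assumption, not a ComboFix rule): an autostart
# binary living in a user-writable profile directory deserves a look.
USER_WRITABLE_RE = re.compile(r'\\(application data|local settings\\temp|appdata|temp)\\',
                              re.IGNORECASE)


@dataclass
class Finding:
    severity: str          # "high" or "info"
    message: str
    cfscript: tuple = ()   # lines to put under Registry:: to undo it, if any


def run_target(rest):
    """Return the executable path from the right-hand side of a Run value."""
    m = re.match(r'"([^"]+)"', rest)
    return m.group(1) if m else rest.split(' [')[0].strip()


def triage(log_text):
    """Walk the log section by section and collect findings in log order."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith('*Newly Created Service*'):
            name = line.split('-', 1)[1].strip()
            findings.append(Finding("info", f"service created during the run: {name}"))
            continue
        if MOUNTPOINTS_RE.search(section) and 'autorun\\command' in line.lower():
            findings.append(Finding("high", f"removable-media AutoRun handler: {line}",
                                    cfscript=(f"[-{section}]",)))
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        name, rest = v.group('name'), v.group('rest')
        if (FIREWALL_KEY_RE.search(section) and name.lower() == 'enablefirewall'
                and rest.split()[0] in ('0', 'dword:00000000')):
            findings.append(Finding("high", f"Windows Firewall disabled in [{section}]",
                                    cfscript=(f"[{section}]", '"EnableFirewall"=dword:00000001')))
        elif RUN_KEY_RE.search(section):
            target = run_target(rest)
            if USER_WRITABLE_RE.search(target):
                findings.append(Finding(
                    "high", f"Run entry '{name}' starts from a user-writable location: {target}"))
    return findings


def build_cfscript(findings):
    """Assemble the Registry:: section in the syntax used in the thread:
    key/value lines set a value, a key written as [-...] is deleted."""
    body = [line for f in findings for line in f.cfscript]
    return "\n".join(["Registry::", *body]) if body else ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:<4}] {f.message}")
    print()
    print(build_cfscript(found))
```

Run it as a script to print the findings and the generated CFScript fragment. The Security Center `DisableMonitoring` value in the posted log is deliberately not flagged: a registered third-party firewall such as ZoneAlarm sets it so that Security Center stops reporting on it, so on its own it is not an indicator. No `File::` section is generated, because which files to delete comes from the ORPHANS and quarantine output and the helper's judgement, not from the registry dump alone.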

Solved combofix.txt part 1

Post by itsatrap on 8th December 2008, 2:16 pm

ComboFix 08-12-06.06 - tasm 2008-12-08 8:02:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1180 [GMT -6:00]
Running from: c:\documents and settings\tasm\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\tasm\Desktop\CFscript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\users\Jeremy\AppData\Roaming\Google\windep.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 21:53 . 2008-12-07 21:53 d-------- c:\program files\Common Files\Adobe AIR
2008-12-07 00:45 . 2008-12-07 00:50 d-------- C:\hijackthis
2008-12-03 22:25 . 2008-11-10 03:39 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-27 10:34 . 2008-11-27 10:34 d-------- c:\program files\iPod
2008-11-27 10:33 . 2008-11-27 10:34 d-------- c:\program files\iTunes
2008-11-27 10:33 . 2008-11-27 10:34 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-27 10:28 . 2008-11-27 10:29 d-------- c:\program files\QuickTime
2008-11-21 21:06 . 2008-11-21 21:08 d-------- c:\program files\NetBeans 6.5
2008-11-17 08:53 . 2008-11-17 08:53 d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-12 23:56 . 2008-11-12 23:56 d-------- c:\documents and settings\tasm\Application Data\Yahoo!
2008-11-11 19:27 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 19:26 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 14:08 178,072,864 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-08 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-08 06:15 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-08 06:15 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 04:31 --------- d-----w c:\program files\PokerStars.NET
2008-12-08 04:19 --------- d-----w c:\program files\Google
2008-12-08 04:11 --------- d-----w c:\program files\Audacity 1.3 Beta
2008-12-08 04:10 --------- d-----w c:\program files\Audacity
2008-12-08 04:08 --------- d-----w c:\program files\Full Tilt Poker
2008-12-08 03:33 --------- d-----w c:\documents and settings\tasm\Application Data\OpenOffice.org2
2008-12-08 03:28 70,676 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_12_07_20_30_12_small.dmp.zip
2008-12-08 03:28 61,620 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_12_07_20_30_05_small.dmp.zip
2008-12-08 03:27 2,266,448 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-08 01:59 --------- d-----w c:\documents and settings\tasm\Application Data\SwordSearcher 5
2008-12-07 07:08 --------- d-----w c:\program files\SwordSearcher 5
2008-12-07 03:46 --------- d-----w c:\documents and settings\tasm\Application Data\NewsBin
2008-12-07 03:45 --------- d-----w c:\program files\uTorrent
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\uTorrent
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\Apple Computer
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\Ahead
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\AdobeUM
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\ACD Systems
2008-12-07 03:44 --------- d-----w c:\documents and settings\tasm\Application Data\acccore
2008-12-07 03:43 --------- d-----w c:\documents and settings\tasm\Application Data\Ashampoo
2008-12-07 03:35 --------- d-----w c:\program files\Ashampoo
2008-12-07 02:04 --------- d-----w c:\documents and settings\tasm\Application Data\LimeWire
2008-12-07 01:44 --------- d-----w c:\program files\LimeWire
2008-12-04 04:25 --------- d-----w c:\program files\Java
2008-11-29 22:42 24,241,841 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-27 16:33 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 16:15 --------- d-----w c:\program files\Safari
2008-11-21 13:17 --------- d-----w c:\program files\DivX
2008-11-18 01:49 --------- d-----w c:\program files\AIM6
2008-11-17 14:54 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-17 14:49 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-14 00:45 --------- d-----w c:\program files\Yahoo!
2008-11-13 12:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-13 12:17 --------- d-----w c:\program files\Folding@Home
2008-11-13 12:15 70,991 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_11_13_06_12_26_small.dmp.zip
2008-11-13 12:15 53,163 ----a-w c:\windows\Internet Logs\zlclient_2nd_2008_11_13_06_12_22_small.dmp.zip
2008-11-12 09:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-10 11:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-04 02:50 --------- d-----w c:\program files\TrackMania Nations ESWC
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-28 06:14 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-28 06:14 --------- d-----w c:\program files\AutoCAD 2009
2008-10-28 06:02 --------- d-----w c:\documents and settings\tasm\Application Data\Skype
2008-10-27 13:22 --------- d-----w c:\documents and settings\tasm\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-27 08:01 --------- d-----w c:\program files\Virtual Earth 3D
2008-10-27 05:45 --------- d-----w c:\program files\OpenOffice.org 2.4
2008-10-27 05:33 --------- d-----w c:\documents and settings\tasm\Application Data\Audacity
2008-10-27 05:17 --------- d-----w c:\program files\Common Files\Adobe
2008-10-27 05:01 --------- d-----w c:\documents and settings\tasm\Application Data\CoreFTP
2008-10-27 04:22 --------- d-----w c:\documents and settings\tasm\Application Data\MailFrontier
2008-10-25 05:15 --------- d-----w c:\program files\GPS Utility
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 07:39 --------- d-----w c:\program files\eclipse
2008-10-23 07:01 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-23 06:30 --------- d-----w c:\program files\NetBeans 6.5 RC1
2008-10-19 05:16 --------- d-----w c:\program files\WorshipLeaderAssistant.com Viewer
2008-10-19 05:13 96,864 ----a-w c:\windows\~GLC0000.TMP
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-09 19:25 73,104 ----a-w c:\windows\zllsputility.exe
2008-10-09 19:25 1,221,008 ----a-w c:\windows\system32\zpeng25.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-16 04:16 23,113,606 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_09_15_20_24_49_full.dmp.zip
2008-09-16 04:16 23,056,260 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_09_15_20_50_38_full.dmp.zip
2008-09-16 04:15 20,784,029 ----a-w c:\windows\Internet Logs\vsmon_on_demand_2008_09_15_20_23_42_full.dmp.zip
2008-09-16 01:50 4,268,032 ----a-w c:\windows\Internet Logs\xDB2D.tmp
2008-09-16 01:50 38,400 ----a-w c:\windows\Internet Logs\xDB2C.tmp
2008-09-16 01:24 4,267,008 ----a-w c:\windows\Internet Logs\xDB2B.tmp
2008-09-16 01:24 35,840 ----a-w c:\windows\Internet Logs\xDB2A.tmp
2008-09-15 21:04 669,184 ----a-w c:\windows\Internet Logs\xDB28.tmp
2008-05-25 01:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-08 04:20:24 26,694 ----a-r c:\windows\Installer\{14630FF9-172D-4F71-85D2-E565FF92B2A5}\ARPPRODUCTICON.exe
+ 2008-12-08 04:20:24 26,694 ----a-r c:\windows\Installer\{14630FF9-172D-4F71-85D2-E565FF92B2A5}\googleearth.exe_29622F4A245C41268764897E21E888D1.exe
+ 2008-12-08 04:20:24 26,694 ----a-r c:\windows\Installer\{14630FF9-172D-4F71-85D2-E565FF92B2A5}\googleearth.exe1_29622F4A245C41268764897E21E888D1.exe
+ 2008-12-08 04:20:24 26,694 ----a-r c:\windows\Installer\{14630FF9-172D-4F71-85D2-E565FF92B2A5}\ShortcutDX_76555E2354C947DF9E807AF43674D2F1.exe
+ 2008-12-08 04:20:24 26,694 ----a-r c:\windows\Installer\{14630FF9-172D-4F71-85D2-E565FF92B2A5}\ShortcutOGL_76555E2354C947DF9E807AF43674D2F1.exe
+ 2008-12-08 04:20:24 26,694 ----a-r c:\windows\Installer\{14630FF9-172D-4F71-85D2-E565FF92B2A5}\UNINST_Uninstall_G_29622F4A245C41268764897E21E888D1.exe
- 2008-12-08 02:30:22 699,368 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-12-08 13:00:18 705,024 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-12-08 02:29:53 36,902,400 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-08 14:02:07 36,902,400 ----a-w c:\windows\system32\ZoneLabs\zlqrtdb.dat
+ 2008-12-08 03:28:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1d8.dat
+ 2008-12-08 03:28:56 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_288.dat
+ 2008-12-08 03:55:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_710.dat
.


Solved combofix.txt part 2

Post by itsatrap on 8th December 2008, 2:17 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2006-11-14 121640]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GBB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 356352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"BCWipeTM Startup"="c:\program files\Jetico\BCWipe\BCWipeTM.exe" [2007-07-19 516848]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

c:\documents and settings\tasm\Start Menu\Programs\Startup\
Folding@Home 5.03.lnk - c:\program files\Folding@Home\winFAH.exe [2008-04-08 323584]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-03-18 546816]
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-10 124832]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-16 24652]
S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\Drivers\CEUSBAUD.sys [2008-07-14 17920]
S3 MarkFun_NT;MarkFun_NT;\??\c:\program files\Gigabyte\ET5\markfun.w32 []
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSWAP.sys [2007-01-25 91496]
.
Contents of the 'Scheduled Tasks' folder

2008-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-07 c:\windows\Tasks\User_Feed_Synchronization-{AEE2552E-3044-48F8-B6AA-80D91239C56C}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe -
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FireFox -: Profile - c:\documents and settings\tasm\Application Data\Mozilla\Firefox\Profiles\wj59nmt0.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\program files\Virtual Earth 3D\npVE3D.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-08 08:08:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MarkFun_NT]
"ImagePath"="\??\c:\program files\Gigabyte\ET5\markfun.w32"
.
Completion time: 2008-12-08 8:11:00
ComboFix-quarantined-files.txt 2008-12-08 14:09:41
ComboFix2.txt 2008-12-08 02:50:04

Pre-Run: 5,678,931,968 bytes free
Post-Run: 5,674,672,128 bytes free

263 --- E O F --- 2008-11-12 09:05:14

itsatrap

Solved Re: Me too...Trojan.Zlob.G

Post by Belahzur on 8th December 2008, 2:33 pm

Looks good, what problems remain?

Belahzur

Solved Re: Me too...Trojan.Zlob.G

Post by itsatrap on 8th December 2008, 2:37 pm

Zone Alarm, sometime last night, detected a not-a-virus:..Win32..something in a restore entry. Zone Alarm didn't know what to do with it; I just said ignore. I'll go home at lunch and try to get the exact thing it found. Thanks so much for your help. Also, after ComboFix was run, Spybot wanted me to OK several registry changes. I supposed that ComboFix had made them, so I allowed them, but I didn't write them down. Will try to get a log of them.

itsatrap

Solved Re: Me too...Trojan.Zlob.G

Post by Belahzur on 8th December 2008, 2:42 pm

Okay, do this to get rid of the system restore virus.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Belahzur
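The same off/on cycle Belahzur walks through in the System Properties dialog, done from an elevated PowerShell prompt, as an added example that is not from the thread. It assumes the root\default SystemRestore WMI class (present on XP through Windows 7) and that the system drive is C:; the "Post-cleanup baseline" description is a constructed name.

```powershell
# Added example, not from the thread: flush every restore point (the one the AV flagged
# included) by turning System Restore off and back on via WMI, then lay down a clean
# baseline. Assumes an elevated session and the root\default:SystemRestore class.
$drive = 'C:\'   # assumed system drive
$sr = [wmiclass]"\\.\root\default:SystemRestore"

# 1. Record what is about to be discarded so the cleanup is auditable.
$before = @(Get-WmiObject -Namespace root\default -Class SystemRestore | Sort-Object SequenceNumber)
Write-Host ("Restore points before cleanup: {0}" -f $before.Count)
foreach ($rp in $before) {
    # CreationTime is a DMTF datetime string; convert it for readability.
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
    Write-Host ("  #{0,-4} {1:yyyy-MM-dd HH:mm}  {2}" -f $rp.SequenceNumber, $when, $rp.Description)
}

# 2. Disabling System Restore on a drive deletes all restore points stored on it,
#    which is exactly what the "Turn off System Restore" checkbox does. 0 = success.
$rc = $sr.Disable($drive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with return code $rc" }

# 3. Turn it back on; WaitTillEnabled = $true blocks until the service is ready.
$rc = $sr.Enable($drive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with return code $rc" }

# 4. Create a fresh restore point on the now-cleaned system.
#    RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint('Post-cleanup baseline', 0, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

$after = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
Write-Host ("Restore points after cleanup: {0}" -f $after.Count)
```

After the run, the only restore point listed should be the new baseline; the earlier ones, flagged entry included, are gone.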

Solved Re: Me too...Trojan.Zlob.G

Post by Doctor Inferno on 3rd January 2009, 3:52 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

Doctor Inferno
