Trojan.zlob.g Need help! [Solved]

Post by iloveyouguys on 7th December 2008, 10:26 pm

Hi. I got one of those nasty viruses. It won't let me navigate the web, and I keep getting those messages to protect my computer. It sends me to an anti-virus website. I tried everything: Norman, antispyware, Malwarebytes, Windows Malicious Software Removal Tool, Symantec, etc. I hope you guys can help.

Here is the HiJack This log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:18 PM, on 12/7/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\wuauclt.exe
I:\second set\HiJack(GP)This.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: ?????? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {057E566C-74EE-495E-81D9-7A17AA835070} (MMServer Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {22929C08-33EC-4272-970F-AF71584CADFD} (MStory Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5AD9C93B-7A86-4F8C-A6E6-0A2F8C12331B} (Wloader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {65DFFB8B-4E11-4A82-AEC3-BB15F62B0B45} - [You must be registered and logged in to see this link.]
O16 - DPF: {6F4863C1-482C-4744-8946-4AEA34DF1A16} (FreechalOn Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8BCAB742-72F8-4119-A4B4-8F639A6E27B3} (CNaverImageUploadCtl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {B005D02C-E461-4851-8A79-C7FDC8563C07} (BBNPort Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} (Daum ActiveX manager Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8412 bytes

iloveyouguys
Novice
Posts: 7 | Joined: 2008-12-07 | OS: Windows XP Professional Service Pack 1
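The HijackThis log above is the sort of thing a helper triages by eye. As an added example, not part of this thread and not a feature of HijackThis or ComboFix, the Python script below applies a few of the heuristics that make an O4 Run entry worth a second look: an executable launched from a user profile directory, a random-looking filename, a bare filename with no path (resolved through the search path at logon), and a Run value listed twice. It also counts O16 DPF entries, each of which is an ActiveX control that was installed from a web page. The heuristics themselves are assumptions, not anything the thread states. The sample lines are constructed for the example: most are copied from the log above, the Smax4 line is rebuilt from the orphan entry that ComboFix reports later in the thread (it does not appear in the HijackThis log as posted), and the two .cab URLs are placeholders.

```python
"""Triage heuristics for HijackThis O4 / O16 lines.

Added example for this thread; not a HijackThis feature and not a tool from
the forum. The heuristics are assumptions about what tends to deserve a second
look, not a verdict on any entry.
"""
import re
from collections import Counter

# O4 - HKLM\..\Run: [Name] "C:\path\to\file.exe" -args   (HKCU / HKUS\SID too)
O4_RE = re.compile(r'^O4 - (?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O16 - DPF: {CLSID} (Description) - URL
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}')
# Assumed heuristics (not from the page): a Run target under a user profile,
# and a filename made of a few letters followed by a long run of digits.
USER_PROFILE_RE = re.compile(r'\\documents and settings\\[^\\]+\\', re.I)
RANDOM_NAME_RE = re.compile(r'^[a-z]{4,6}\d{6,}\.exe$', re.I)


def target_path(cmd):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: cut at the first executable extension.
    m = re.match(r'(.*?\.(?:exe|com|scr|bat|cmd|dll))\b', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(lines):
    """Parse O4/O16 lines; return counts plus a list of human-readable findings."""
    runs = []
    dpf = 0
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            runs.append((m.group('hive'), m.group('name'), target_path(m.group('cmd'))))
        elif O16_RE.match(line.strip()):
            dpf += 1

    findings = []
    by_key = Counter((h, nm, p.lower()) for h, nm, p in runs)
    for (hive, name, path), count in by_key.items():
        if count > 1:
            findings.append(f'duplicate Run value [{name}] under {hive} ({count}x): {path}')
    for hive, name, path in dict.fromkeys(runs):  # each distinct entry once
        exe = path.rsplit('\\', 1)[-1]
        if '\\' not in path:
            findings.append(f'[{name}] is a bare filename ({path}); resolved via the search path at logon')
        if USER_PROFILE_RE.search(path):
            findings.append(f'[{name}] runs from a user profile directory: {path}')
        if RANDOM_NAME_RE.match(exe):
            findings.append(f'[{name}] has a random-looking filename: {exe}')
    return {'run_entries': len(runs), 'dpf_controls': dpf, 'findings': findings}


# Constructed sample: lines copied from the log in this thread, plus a Smax4 line
# rebuilt from the orphan ComboFix reported later; the .cab URLs are placeholders.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Smax4] C:\Documents and Settings\jonathan\Application Data\Google\kjzna1562565.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://example.invalid/nxpm.cab
O16 - DPF: {65DFFB8B-4E11-4A82-AEC3-BB15F62B0B45} - http://example.invalid/x.cab
""".strip().splitlines()


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print(f"{result['run_entries']} Run entries, {result['dpf_controls']} DPF controls")
    for finding in result['findings']:
        print(' -', finding)
```

Run as-is it reports four findings on the sample: the doubled SUPERAntiSpyware value, SoundMan as a bare filename, and the Smax4 entry twice over (user profile directory and random-looking name). SoundMan is a legitimate Realtek component, which is the point of the design: the heuristics rank entries for a human to check, they do not classify them.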


Post by iloveyouguys on 7th December 2008, 10:26 pm

Here is the uninstall list:

EAy
Ad-Aware
Adobe Reader 8.1.2
Apple Software Update
Blast Thru
Bowling Mania Special Edition
Comcast High-Speed Internet Install Wizard
Demolition Derby & Figure 8
EA SPORTS online 2004
eGames GameButler
eGames Master's Edition 151
EPSON Printer Software
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Indeo® software
Intel(R) Graphics Media Accelerator Driver
iPod for Windows 2006-01-10
iTunes
LiveUpdate 3.1 (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Marble Blaster
Microsoft AppLocale
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Application Compatibility Database
Mini Golf Master 2
MVP Baseball 2004
Nero 7 Essentials
neroxml
Outlook Express Q823353
QuickTime
RealArcade
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Solitaire Master 4
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Symantec AntiVirus
Symantec System Center
Symantec System Center
Tetris (remove only)
Windows Installer 3.0 (KB884016)
Windows Media Format Runtime



Post by Belahzur on 7th December 2008, 10:29 pm

Hello.
You are running SP1, which is old and out of date; that's probably why you're infected.

1. Download this file - [You must be registered and logged in to see this link.]
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please PM me if I fail to respond within 24hrs.

Belahzur
Administrator
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: XP SP3 Media Centre


Post by iloveyouguys on 7th December 2008, 10:44 pm

Thanks, Belahzur for your help.

Here is the log:

ComboFix 08-12-06.06 - jonathan 2008-12-07 17:38:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.949.82.1033.18.596 [GMT -5:00]
Running from: i:\second set\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 36 bytes in 1 streams.
ADS - explorer.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jonathan\Application Data\Google\kjzna1562565.exe
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max.cfg
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max0.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max1.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max2.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max3.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max4.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max5.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max6.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max7.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max8.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\P3Max9.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM.cfg
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM0.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM1.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM2.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM3.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM4.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM5.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM6.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM7.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM8.che
c:\documents and settings\jonathan\Local Settings\Temporary Internet Files\SKBGM9.che
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\wiaserviv.log
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 17:01 . 2008-12-07 17:17 d-------- c:\program files\Spybot - Search & Destroy
2008-12-07 17:01 . 2008-12-07 17:10 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-07 16:54 . 2008-12-07 16:54 d-------- c:\program files\Lavasoft
2008-12-07 16:54 . 2008-12-07 16:55 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-07 13:38 . 2008-12-07 13:38 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-12-07 13:07 . 2008-12-07 13:08 d-------- C:\59f73bdebf820d67da06
2008-12-07 13:03 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-12-07 13:03 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-12-07 13:03 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2008-12-07 13:03 . 2001-08-17 14:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-07 11:24 . 2008-12-07 11:24 d-------- C:\VundoFix Backups
2008-12-06 21:45 . 2008-12-06 21:45 d-------- c:\program files\SUPERAntiSpyware
2008-12-06 21:45 . 2008-12-06 21:45 d-------- c:\documents and settings\jonathan\Application Data\SUPERAntiSpyware.com
2008-12-06 21:45 . 2008-12-06 21:45 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-06 21:43 . 2008-12-06 21:43 d-------- c:\documents and settings\jonathan\Application Data\Malwarebytes
2008-12-06 21:41 . 2008-12-07 16:54 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-06 19:33 . 2008-12-06 19:33 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-06 19:33 . 2008-12-06 19:33 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-06 19:33 . 2008-12-06 19:33 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-06 19:33 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-06 19:33 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-06 19:19 . 2008-12-06 19:19 d-------- c:\documents and settings\Administrator
2008-12-06 13:44 . 2008-12-06 13:46 d-------- c:\documents and settings\jonathan\Application Data\COMCASTTOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 22:37 --------- d-----w c:\program files\Symantec AntiVirus
2008-12-07 21:45 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2008-12-07 21:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-07 21:43 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-06 18:47 --------- d-----w c:\program files\Google
2008-12-06 18:44 --------- d-----w c:\program files\ComcastToolbar
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2003-09-30 13312]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-04-24 149040]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2003-09-30 208953]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2003-09-30 59392]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-09-30 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2003-09-30 455168]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2006-03-23 118784]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-14 19520]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-15 153136]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-05-04 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 c:\windows\alcwzrd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\CTFMON.EXE" [2003-09-30 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-06 99376]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 cdspacex;cdspacex;c:\windows\System32\DRIVERS\CDSPACEX.sys []
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-09-27 116464]
S3 TwoRabts;Two Rabbits Live Bus;c:\windows\System32\DRIVERS\TwoRabts.sys []

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-Smax4 - c:\documents and settings\jonathan\Application Data\Google\kjzna1562565.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
IE: Microsoft Excel?? ????????&X) - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -

O16 -: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\System32\mfc42.dll - c:\windows\System32\msvcrt.dll
c:\windows\System32\olepro32.dll
c:\windows\Downloaded Program Files\MMClient.ocx
c:\windows\Downloaded Program Files\MMServer.ocx
O16 -: {057E566C-74EE-495E-81D9-7A17AA835070}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\MaxMemo.INF

c:\windows\Downloaded Program Files\mStory.ocx - O16 -: {22929C08-33EC-4272-970F-AF71584CADFD}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\mStory.inf

c:\windows\System32\SimFileDL.exe - c:\windows\System32\SimFileControl.ocx
O16 -: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\SimFileControl.inf

c:\windows\nxpm.ocx - O16 -: {2931566C-B8A6-46C5-BF4D-E6AB9251E953}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\nxpm.inf

c:\windows\Downloaded Program Files\wloader.ocx - O16 -: {5AD9C93B-7A86-4F8C-A6E6-0A2F8C12331B}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\wloader.inf

c:\windows\System32\FcInstaller.dll - c:\windows\System32\FcOnCtl12.dll
O16 -: {6F4863C1-482C-4744-8946-4AEA34DF1A16}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\FcOnCtl.inf

c:\windows\Downloaded Program Files\NaverImageUpload.dll - O16 -: {8BCAB742-72F8-4119-A4B4-8F639A6E27B3}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\NIU.inf

c:\windows\System32\dmvm.dll - c:\windows\Downloaded Program Files\dmcc2.dll
O16 -: {938527D1-CDB7-4147-998A-B20FCA5CC976}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\dmcc2.inf

c:\windows\Downloaded Program Files\ALToolsDX.dll - O16 -: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\ALToolsDX.inf

c:\windows\System32\atl.dll - c:\windows\System32\skcbgmset.dll
O16 -: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\skcbgmset.inf

c:\windows\Downloaded Program Files\BBLauncher.dll - c:\windows\System32\BBLoader.exe
c:\windows\Downloaded Program Files\BBNPort.dll
O16 -: {B005D02C-E461-4851-8A79-C7FDC8563C07}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\BBNPort.inf

c:\windows\System32\xmaninf.exe - c:\windows\System32\extract.exe
c:\windows\System32\xman.dll
O16 -: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\xman.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-07 17:40:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\System32\ODBC32.dll
c:\windows\System32\msctfime.ime
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\System32\dssenh.dll
.
Completion time: 2008-12-07 17:41:26
ComboFix-quarantined-files.txt 2008-12-07 22:41:24

Pre-Run: 105,818,427,392 bytes free
Post-Run: 106,144,714,752 bytes free

207



Post by Belahzur on 7th December 2008, 10:49 pm

Looks good now, what problems remain?




Post by iloveyouguys on 8th December 2008, 1:02 am

Holy cow. You are a god.

I spent countless hours trying to fix this. I tried all these antivirus programs (Spybot, Symantec, Malwarebytes, etc.). How come these programs didn't pick it up?

Do you guys want a donation? I'm totally willing to donate money for your help. This site is awesome.



Post by Belahzur on 8th December 2008, 1:38 am

Hello.
Sorry, no donations are accepted yet.
A simple thank you is enough. :)




Post by Doctor Inferno on 31st December 2008, 7:26 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

Please be a GeekPolice fan on [You must be registered and logged in to see this link.]
Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Posts: 12015 | Joined: 2007-12-26 | Gender: Male | OS: Windows 7 Home Premium and Ultimate X64 | Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
