Trojan.zlob.G

View previous topic View next topic Go down

Solved Trojan.zlob.G

Post by malevolence on 8th December 2008, 12:36 am

Hi wondering if you could help me getting rid of this virus its really annoying

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:58 AM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\WINDOWS\vVX1000.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Minimizor\Minimizor.exe
C:\Program Files\Razer Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe
C:\Program Files\Qlock\qlock.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ev!L\downloads\Hijack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Minimizor] C:\Program Files\Minimizor\Minimizor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe (User 'Default user')
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C6EEE7E-B690-4C70-B3DB-FF1E90AF65CF}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D82844C-E3D0-4C0F-80C5-78AB3ABD1473}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{A092359B-BAE9-4549-8D32-1544FA907C38}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C6EEE7E-B690-4C70-B3DB-FF1E90AF65CF}: Domain = nsw.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C6EEE7E-B690-4C70-B3DB-FF1E90AF65CF}: Domain = nsw.bigpond.net.au
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11071 bytes

malevolence
Novice
Novice

Posts Posts : 6
Joined Joined : 2008-12-08
OS OS : windows xp
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by Belahzur on 8th December 2008, 12:41 am

Hello.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by malevolence on 8th December 2008, 12:55 am

ComboFix 08-12-06.06 - Ev!L 2008-12-08 11:47:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1334 [GMT 11:00]
Running from: c:\documents and settings\Ev!L\downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ev!L\Application Data\Google\kjzna1562565.exe
c:\documents and settings\Ev!L\Application Data\inst.exe
c:\windows\install.exe
c:\windows\system32\install.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 17:28 . 2008-12-07 17:28 d-------- c:\program files\NoVirusThanks.org
2008-12-07 17:17 . 2008-12-07 17:29 d-------- c:\program files\Perfect Defender 2009
2008-12-07 15:58 . 2008-12-07 16:58 d-------- c:\windows\system32\CatRoot_bak
2008-12-07 13:03 . 2008-12-07 13:02 410,976 --a------ c:\windows\system32\deploytk.dll
2008-12-04 13:57 . 2008-12-04 13:57 d-------- c:\program files\Common Files\InterVideo
2008-12-04 13:57 . 2008-12-04 13:57 d-------- c:\documents and settings\All Users\Application Data\InterVideo
2008-12-04 13:57 . 2007-03-06 11:58 210,456 --a------ c:\windows\system32\IVIresizeW7.dll
2008-12-04 13:57 . 2007-03-06 11:58 206,360 --a------ c:\windows\system32\IVIresizeA6.dll
2008-12-04 13:57 . 2007-03-06 11:58 198,168 --a------ c:\windows\system32\IVIresizeP6.dll
2008-12-04 13:57 . 2007-03-06 11:58 198,168 --a------ c:\windows\system32\IVIresizeM6.dll
2008-12-04 13:57 . 2007-03-06 11:58 194,072 --a------ c:\windows\system32\IVIresizePX.dll
2008-12-04 13:57 . 2007-03-06 11:58 26,136 --a------ c:\windows\system32\IVIresize.dll
2008-11-26 23:54 . 2008-11-27 00:14 d-------- c:\documents and settings\Ev!L\Application Data\Dr. DivX 2.0 OSS
2008-11-26 23:40 . 2008-11-27 00:12 d-------- c:\documents and settings\Ev!L\Application Data\DivX
2008-11-26 23:34 . 2008-11-26 23:34 d-------- c:\documents and settings\Ev!L\.drdivx2
2008-11-14 19:36 . 2008-11-14 21:46 d-------- C:\TINKER_BELL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 13:56 138,784 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-07 13:56 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-07 04:20 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-07 02:02 --------- d-----w c:\program files\Java
2008-12-04 08:21 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-04 03:08 --------- d-----w c:\documents and settings\Ev!L\Application Data\Ulead Systems
2008-12-04 02:58 --------- d-----w c:\documents and settings\Ev!L\Application Data\uTorrent
2008-12-04 02:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 02:57 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-12-04 02:56 --------- d-----w c:\program files\Ulead Systems
2008-12-04 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-11-29 07:07 --------- d-----w c:\program files\Steam
2008-11-29 00:48 --------- d-----w c:\program files\Common Files\Adobe
2008-11-29 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2008-11-27 15:39 --------- d-----w c:\documents and settings\Ev!L\Application Data\RipIt4Me
2008-11-26 12:38 --------- d-----w c:\program files\DivX
2008-11-25 15:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 23:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-06 23:02 --------- d-----w c:\program files\AGEIA Technologies
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 15:14 --------- d-----w c:\documents and settings\Ev!L\Application Data\LimeWire
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 11:48 --------- d-----w c:\documents and settings\All Users\Application Data\BlazeVideo
2008-10-19 00:41 --------- d-----w c:\program files\BlazeVideo
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-01 23:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-08-11 05:37 25,208 ----a-w c:\documents and settings\Ev!L\Application Data\GDIPFONTCACHEV1.DAT
2008-06-21 14:15 47,360 ----a-w c:\documents and settings\Ev!L\Application Data\pcouffin.sys
2008-05-15 16:17 22,328 ----a-w c:\documents and settings\Ev!L\Application Data\PnkBstrK.sys
2008-02-13 01:50 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-03-21 10:19 643,072 ----a-w c:\program files\RipIt4Me.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

malevolence
Novice
Novice

Posts Posts : 6
Joined Joined : 2008-12-08
OS OS : windows xp
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by malevolence on 8th December 2008, 12:56 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 1372160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]
"BlazeServoTool"="c:\program files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe" [2007-02-10 270336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"EPSON Stylus Photo RX510"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" [2003-09-12 99840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"VX1000"="c:\windows\vVX1000.exe" [2006-12-06 707360]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2007-09-12 172032]
"Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2007-09-24 57344]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"Minimizor"="c:\program files\Minimizor\Minimizor.exe" [2007-12-31 546304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Ev!L\Start Menu\Programs\Startup\
qlock.lnk - c:\program files\Qlock\qlock.exe [2008-03-08 4141056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-02-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS WiFi-AP Solo.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ASUS WiFi-AP Solo.lnk
backup=c:\windows\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power DVD Player]
--a------ 2007-09-06 18:28 391168 c:\program files\Power DVD Player\PowerDVDPlayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-12 17:46 1410296 c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\half-life\\hl.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\Drivers\BtHidBus.sys [2008-01-21 21512]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-24 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-24 231704]
R3 Alpham1;Ideazon Fang USB Human Interface Device;c:\windows\system32\DRIVERS\Alpham1.sys [2007-07-23 42624]
R3 Alpham2;Ideazon Fang MM USB Human Interface Device;c:\windows\system32\DRIVERS\Alpham2.sys [2007-03-20 18432]
R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-06-05 1423360]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-05-02 12032]
S3 Alpham;Ideazon Fang Composite Keyboard Driver;c:\windows\system32\DRIVERS\Alpham.sys [2005-12-04 34944]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-01-21 26248]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-02-09 176128]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;\??\F:\NTGLM7X.sys []
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys [2008-02-09 13532]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e569d89-d746-11dc-bb08-806d6172696f}]
\Shell\AutoRun\command - f:\.\Bin\Assetup.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-Smax4 - c:\documents and settings\Ev!L\Application Data\Google\kjzna1562565.exe
HKLM-Run-Cmaudio8788 - cmicnfgp.cpl
MSConfigStartUp-Yodm3D - c:\documents and settings\Ev!L\downloads\Yodm3D\Yodm3D\Yodm3D.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Ev!L\Application Data\Mozilla\Firefox\Profiles\1a9r3il9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-08 11:48:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\nvappfilter.dll
.
Completion time: 2008-12-08 11:48:55
ComboFix-quarantined-files.txt 2008-12-08 00:48:41

Pre-Run: 40,516,268,032 bytes free
Post-Run: 40,942,809,088 bytes free

252 --- E O F --- 2008-12-07 06:10:50

malevolence
Novice
Novice

Posts Posts : 6
Joined Joined : 2008-12-08
OS OS : windows xp
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by Belahzur on 8th December 2008, 1:36 am

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\program files\NoVirusThanks.org
c:\program files\Perfect Defender 2009

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e569d89-d746-11dc-bb08-806d6172696f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by malevolence on 8th December 2008, 1:50 am

ComboFix 08-12-06.06 - Ev!L 2008-12-08 12:47:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1326 [GMT 11:00]
Running from: c:\documents and settings\Ev!L\downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Ev!L\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\NoVirusThanks.org
c:\program files\NoVirusThanks.org\NVT Rogue Software Remover\Checksum.txt
c:\program files\NoVirusThanks.org\NVT Rogue Software Remover\License.txt
c:\program files\NoVirusThanks.org\NVT Rogue Software Remover\NVT Rogue Software Remover.exe
c:\program files\NoVirusThanks.org\NVT Rogue Software Remover\ReadMe.txt
c:\program files\NoVirusThanks.org\NVT Rogue Software Remover\unins000.dat
c:\program files\NoVirusThanks.org\NVT Rogue Software Remover\unins000.exe
c:\program files\NoVirusThanks.org\NVT Rogue Software Remover\Version.ini
c:\program files\Perfect Defender 2009
c:\program files\Perfect Defender 2009\pd.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-07 15:58 . 2008-12-07 16:58 d-------- c:\windows\system32\CatRoot_bak
2008-12-07 13:03 . 2008-12-07 13:02 410,976 --a------ c:\windows\system32\deploytk.dll
2008-12-04 13:57 . 2008-12-04 13:57 d-------- c:\program files\Common Files\InterVideo
2008-12-04 13:57 . 2008-12-04 13:57 d-------- c:\documents and settings\All Users\Application Data\InterVideo
2008-12-04 13:57 . 2007-03-06 11:58 210,456 --a------ c:\windows\system32\IVIresizeW7.dll
2008-12-04 13:57 . 2007-03-06 11:58 206,360 --a------ c:\windows\system32\IVIresizeA6.dll
2008-12-04 13:57 . 2007-03-06 11:58 198,168 --a------ c:\windows\system32\IVIresizeP6.dll
2008-12-04 13:57 . 2007-03-06 11:58 198,168 --a------ c:\windows\system32\IVIresizeM6.dll
2008-12-04 13:57 . 2007-03-06 11:58 194,072 --a------ c:\windows\system32\IVIresizePX.dll
2008-12-04 13:57 . 2007-03-06 11:58 26,136 --a------ c:\windows\system32\IVIresize.dll
2008-11-26 23:54 . 2008-11-27 00:14 d-------- c:\documents and settings\Ev!L\Application Data\Dr. DivX 2.0 OSS
2008-11-26 23:40 . 2008-11-27 00:12 d-------- c:\documents and settings\Ev!L\Application Data\DivX
2008-11-26 23:34 . 2008-11-26 23:34 d-------- c:\documents and settings\Ev!L\.drdivx2
2008-11-14 19:36 . 2008-11-14 21:46 d-------- C:\TINKER_BELL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 01:36 --------- d-----w c:\program files\Java
2008-12-07 13:56 138,784 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-07 13:56 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-07 04:20 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-04 08:21 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-04 03:08 --------- d-----w c:\documents and settings\Ev!L\Application Data\Ulead Systems
2008-12-04 02:58 --------- d-----w c:\documents and settings\Ev!L\Application Data\uTorrent
2008-12-04 02:57 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 02:57 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-12-04 02:56 --------- d-----w c:\program files\Ulead Systems
2008-12-04 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-11-29 07:07 --------- d-----w c:\program files\Steam
2008-11-29 00:48 --------- d-----w c:\program files\Common Files\Adobe
2008-11-29 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania
2008-11-27 15:39 --------- d-----w c:\documents and settings\Ev!L\Application Data\RipIt4Me
2008-11-26 12:38 --------- d-----w c:\program files\DivX
2008-11-25 15:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-06 23:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-06 23:02 --------- d-----w c:\program files\AGEIA Technologies
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll
2008-10-24 15:14 --------- d-----w c:\documents and settings\Ev!L\Application Data\LimeWire
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 11:48 --------- d-----w c:\documents and settings\All Users\Application Data\BlazeVideo
2008-10-19 00:41 --------- d-----w c:\program files\BlazeVideo
2008-10-16 03:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 03:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 03:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 03:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 03:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 03:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 03:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 03:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-01 23:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 05:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 08:03 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\system32\pxafs.dll
2008-09-19 21:57 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-09-19 21:57 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-09-19 21:55 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-08-11 05:37 25,208 ----a-w c:\documents and settings\Ev!L\Application Data\GDIPFONTCACHEV1.DAT
2008-06-21 14:15 47,360 ----a-w c:\documents and settings\Ev!L\Application Data\pcouffin.sys
2008-05-15 16:17 22,328 ----a-w c:\documents and settings\Ev!L\Application Data\PnkBstrK.sys
2008-02-13 01:50 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-03-21 10:19 643,072 ----a-w c:\program files\RipIt4Me.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 1372160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]
"BlazeServoTool"="c:\program files\BlazeVideo\BlazeDVD 5 Professional\MediaDetector.exe" [2007-02-10 270336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-19 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-07 136600]
"EPSON Stylus Photo RX510"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" [2003-09-12 99840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"VX1000"="c:\windows\vVX1000.exe" [2006-12-06 707360]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 275800]
"Lachesis"="c:\program files\Razer\Lachesis\razerhid.exe" [2007-09-12 172032]
"Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2007-09-24 57344]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"Minimizor"="c:\program files\Minimizor\Minimizor.exe" [2007-12-31 546304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

malevolence
Novice
Novice

Posts Posts : 6
Joined Joined : 2008-12-08
OS OS : windows xp
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by malevolence on 8th December 2008, 1:50 am

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Ev!L\Start Menu\Programs\Startup\
qlock.lnk - c:\program files\Qlock\qlock.exe [2008-03-08 4141056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-02-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ASUS WiFi-AP Solo.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ASUS WiFi-AP Solo.lnk
backup=c:\windows\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power DVD Player]
--a------ 2007-09-06 18:28 391168 c:\program files\Power DVD Player\PowerDVDPlayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-01 17:22 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-12 17:46 1410296 c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\Return to Castle Wolfenstein\\WolfMP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\NAMCO BANDAI Games\\Warhammer Mark of Chaos\\Warhammer.exe"=
"c:\\Program Files\\CyberLink\\PowerDirector\\PDR.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\malevolence69\\half-life\\hl.exe"=

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\Drivers\BtHidBus.sys [2008-01-21 21512]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-24 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-24 231704]
R3 Alpham1;Ideazon Fang USB Human Interface Device;c:\windows\system32\DRIVERS\Alpham1.sys [2007-07-23 42624]
R3 Alpham2;Ideazon Fang MM USB Human Interface Device;c:\windows\system32\DRIVERS\Alpham2.sys [2007-03-20 18432]
R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-06-05 1423360]
R3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [2008-05-02 12032]
S3 Alpham;Ideazon Fang Composite Keyboard Driver;c:\windows\system32\DRIVERS\Alpham.sys [2005-12-04 34944]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\Drivers\IvtBtBus.sys [2008-01-21 26248]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2008-02-09 176128]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;\??\F:\NTGLM7X.sys []
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys [2008-02-09 13532]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Ev!L\Application Data\Mozilla\Firefox\Profiles\1a9r3il9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-08 12:47:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\nvappfilter.dll
.
Completion time: 2008-12-08 12:48:37
ComboFix-quarantined-files.txt 2008-12-08 01:48:23
ComboFix2.txt 2008-12-08 00:48:56

Pre-Run: 41,135,226,880 bytes free
Post-Run: 41,116,418,048 bytes free

253 --- E O F --- 2008-12-07 06:10:50

malevolence
Novice
Novice

Posts Posts : 6
Joined Joined : 2008-12-08
OS OS : windows xp
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by Belahzur on 8th December 2008, 1:23 pm

Looks good now, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by malevolence on 8th December 2008, 1:39 pm

[You must be registered and logged in to see this link.] wrote:Looks good now, what problems remain?


No more problems as yet! Thanks heaps for taking the time out to help muchly apprieciated!! I saw on 1 of your other posts to go to
[You must be registered and logged in to see this link.]

I did that and pretty much downloaded everything it told me about!!

He he thanks again

malevolence
Novice
Novice

Posts Posts : 6
Joined Joined : 2008-12-08
OS OS : windows xp
Points Points : 29220
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.zlob.G

Post by Doctor Inferno on 3rd January 2009, 3:43 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104620
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum