Please help with removal of Trojan.Zlob.G

Please help with removal of Trojan.Zlob.G

Post by AnotherLexus on 8th December 2008, 12:59 am

...Well, another victim of Trojan.Zlob.G.
My PC has gotten infected with the virus...
Internet connections are available, but when opening Mozilla Firefox / Internet Explorer... it either closes automatically or it shows me this page saying "Insecure Internet Activity. Threat of virus attack".
Also, fake popups from the virus appear randomly... saying that it's high risk and directing me to another web page...

At the moment I am using a laptop to hopefully find solutions in removing this.
Yes, I do have a USB that I can use to help transfer any programs from my laptop to my PC.

Please help me remove the Trojan...
>_< Reply A.S.A.P. if possible...
Many thanks...

Also, below is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:18 p.m., on 8/12/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\vVX3000.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\GridService\peer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Program Files\Acer Arcade Live\Acer TV Share\Kernel\DMSTV\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\FlashGet Network\Flashget\ComDlls\bhoCATCH.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PCM Media Sharing.lnk = C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载 - C:\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: &使用快车(FlashGet)下载全部链接 - C:\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: Acer TV Share Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer TV Share\Kernel\DMSTV\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 11935 bytes


Last edited by AnotherLexus on 8th December 2008, 1:05 am; edited 1 time in total (Reason for editing : Added hijackthis log)


Re: Please help with removal of Trojan.Zlob.G

Post by Belahzur on 8th December 2008, 1:42 am

Hello.

1. Download this file - [You must be registered and logged in to see this link.]
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Please help with removal of Trojan.Zlob.G

Post by AnotherLexus on 8th December 2008, 2:42 am

Also, after I ran Combofix... my whole desktop went blank... and you could only see my wallpaper... I waited 10 minutes and nothing happened, so I restarted the computer... once I restarted the computer,
the Trojan is still there with that same fake popup... and still problems affecting my internet.

Will be posting my combofix log in a short while [5mins]


Last edited by AnotherLexus on 8th December 2008, 4:13 am; edited 1 time in total (Reason for editing : Typos)


Re: Please help with removal of Trojan.Zlob.G

Post by AnotherLexus on 8th December 2008, 3:00 am

Here is the log for combofix.

ComboFix 08-12-06.06 - Jeremy 2008-12-08 15:18:04.1 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.1134 [GMT -8:00]
Running from: F:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jeremy\AppData\Roaming\BITS
c:\users\Jeremy\AppData\Roaming\BITS\BITS.ini
c:\users\Jeremy\AppData\Roaming\BITS\DHTTable.dat
c:\users\Jeremy\AppData\Roaming\BITS\mushimu.exe
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080311172726.torrent
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080311172726.torrent.~tmp
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080311172726.torrent.bits
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080311172726.torrent.filelist
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080311172726.torrent.seeds
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164205.torrent
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164205.torrent.~tmp
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164205.torrent.bits
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164205.torrent.filelist
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164205.torrent.seeds
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164628.torrent
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164628.torrent.~tmp
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164628.torrent.bits
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164628.torrent.filelist
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080408164628.torrent.seeds
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080507220559.torrent
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080507220559.torrent.~tmp
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080507220559.torrent.bits
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080507220559.torrent.filelist
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080507220559.torrent.seeds
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080807185630.torrent
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080807185630.torrent.~tmp
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080807185630.torrent.bits
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080807185630.torrent.filelist
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080807185630.torrent.hybridlist
c:\users\Jeremy\AppData\Roaming\BITS\Torrent\20080807185630.torrent.seeds

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-08 13:37 . 2008-12-08 13:37 d-------- c:\program files\Trend Micro
2008-12-08 13:07 . 2008-12-08 13:07 d-------- c:\users\Jeremy\AppData\Roaming\Malwarebytes
2008-12-08 13:07 . 2008-12-08 13:07 d-------- c:\users\All Users\Malwarebytes
2008-12-08 13:07 . 2008-12-08 13:07 d-------- c:\programdata\Malwarebytes
2008-12-08 13:07 . 2008-12-08 13:07 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 13:07 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-08 13:07 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-08 13:00 . 2008-12-08 13:00 d-------- c:\users\Jeremy\AppData\Roaming\Download Manager
2008-12-08 13:00 . 2008-12-08 13:10 d-a------ c:\users\All Users\TEMP
2008-12-08 13:00 . 2008-12-08 13:10 d-a------ c:\programdata\TEMP
2008-11-19 08:31 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-19 08:31 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-19 08:31 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-19 08:31 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-19 08:31 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-19 08:31 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-19 08:31 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-19 08:30 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-19 08:30 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 19:26 --------- d-----w c:\program files\Conquer 2.0
2008-12-08 17:47 --------- d-----w c:\users\Jeremy\AppData\Roaming\Application Data
2008-12-08 17:47 --------- d-----w c:\users\Jeremy\AppData\Roaming\Apple Computer
2008-12-08 17:47 --------- d-----w c:\users\Jeremy\AppData\Roaming\AntiDote Corporation '07
2008-12-08 17:47 --------- d-----w c:\users\Jeremy\AppData\Roaming\AdobeUM
2008-11-03 06:49 --------- d-----w c:\users\Jeremy\AppData\Roaming\dvdcss
2008-10-30 23:34 --------- d-----w c:\program files\RaySource
2008-10-30 21:29 --------- d-----w c:\program files\GridService
2008-10-30 21:22 --------- d-----w c:\program files\Outspark
2008-10-28 05:10 --------- d-----w c:\program files\Warcraft III
2008-10-24 15:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-22 00:51 137,344 ----a-w c:\windows\system32\drivers\litsgt.sys
2008-10-22 00:51 12,032 ----a-w c:\windows\system32\drivers\tansgt.sys
2008-09-11 03:04 174 --sha-w c:\program files\desktop.ini
2007-12-16 23:45 0 ----a-w c:\users\Jeremy\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Smax4v"="c:\users\Jeremy\AppData\Roaming\Google\windep.exe" [2008-12-08 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-20 107112]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-11-20 22696]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-01-24 319488]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-06 464168]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Grid Service"="c:\program files\GridService\peer.exe" [2008-08-28 3362816]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 c:\windows\RtHDVCpl.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
PCM Media Sharing.lnk - c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe [2007-04-16 200812]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= c:\progra~1\ACERAR~1\ACERVI~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)


Re: Please help with removal of Trojan.Zlob.G

Post by AnotherLexus on 8th December 2008, 3:00 am

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{AB7BB333-BFAF-41AA-847B-77817177460D}c:\\program files\\windows live\\messenger\\msnmsgr.exe"= UDP:c:\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"UDP Query User{BAAD0F08-3732-4838-86BD-E666EEB91F5F}c:\\program files\\windows live\\messenger\\msnmsgr.exe"= TCP:c:\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"{8920D3EF-3863-401F-A32D-F192561F204A}"= UDP:c:\nexon\Audition\Patcher.exe:Patcher
"{E10154B7-E570-4B24-A781-A22D066109FB}"= TCP:c:\nexon\Audition\Patcher.exe:Patcher
"{6E6D0ED3-F45F-4ADE-8118-66FFC37130C2}"= UDP:c:\program files\uTorrent\uTorrent.exe:礣orrent
"{BFD17642-BBCB-4968-815E-54ECAB107D21}"= TCP:c:\program files\uTorrent\uTorrent.exe:礣orrent
"{28BBB0D9-D5F8-4916-BF77-6D7F53E70ACD}"= UDP:c:\users\Jeremy\Desktop\utorrent.exe:礣orrent
"{37B89938-2C8E-4AB2-9094-A979325416DD}"= TCP:c:\users\Jeremy\Desktop\utorrent.exe:礣orrent
"{67B348FC-6E9B-430A-9CD1-9127A5B8ACC5}"= UDP:c:\program files\e-Games\O2Jam\O2JamLauncher.exe:O2Jam
"{B967AC02-B0FB-4A26-A962-338A53935301}"= TCP:c:\program files\e-Games\O2Jam\O2JamLauncher.exe:O2Jam
"{7E426CD0-E864-4528-8E94-7B081DFF2C58}"= UDP:c:\program files\Outspark\Launcher\outspark.exe:outspark
"{35EED20E-C4CA-4B8D-BF2D-C47E7B78AC3E}"= TCP:c:\program files\Outspark\Launcher\outspark.exe:outspark
"{55A1B533-0A4D-43A9-B487-0933D307F794}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{53F9AE5F-E001-4EC2-B0F9-42ECE1A3B0EB}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{93409417-82CD-4395-903F-5D6227D0D9D4}"= UDP:c:\program files\Gpotato\Flyff\Flyff.exe:Flyff
"{454FF50B-8A06-413C-B94A-F9F3765682EB}"= TCP:c:\program files\Gpotato\Flyff\Flyff.exe:Flyff
"TCP Query User{FB5C23CB-E57C-4261-AC13-3B54288B81B5}c:\\program files\\windows live\\messenger\\msnmsgr.exe"= UDP:c:\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"UDP Query User{52FBF30C-4D2C-448B-8D4A-A3135ED42B83}c:\\program files\\windows live\\messenger\\msnmsgr.exe"= TCP:c:\program files\windows live\messenger\msnmsgr.exe:Windows Live Messenger
"{C7158EE2-B7CD-4A0B-AE10-4BFFCDC89C79}"= UDP:c:\program files\GridService\peer.exe:muse peer
"{75B6DDB4-2C0F-4607-A433-4ED205D9A999}"= TCP:c:\program files\GridService\peer.exe:muse peer
"TCP Query User{17906F8E-B736-46B1-A0D7-A99FDE897577}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{DB629FCC-BDAA-4C1F-9BE6-AD57EE3DDAED}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{7EDE57E5-76BA-4352-9E99-1F66D5F68994}c:\\flashget network\\flashget\\flashget.exe"= UDP:c:\flashget network\flashget\flashget.exe:flashget
"UDP Query User{A80424EF-7CED-480B-AA7F-0CE090B2E302}c:\\flashget network\\flashget\\flashget.exe"= TCP:c:\flashget network\flashget\flashget.exe:flashget

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
"c:\\FlashGet Network\\Flashget\\FlashGet.exe"= c:\flashget network\Flashget\FlashGet.exe:*:Enabled:Flashget2
"c:\\FlashGet Network\\Flashget\\LiveUpdate.exe"= c:\flashget network\Flashget\LiveUpdate.exe:*:Enabled:FGLiveUpdate
"c:\\FlashGet Network\\Flashget\\LiveUpdateEx.exe"= c:\flashget network\Flashget\LiveUpdateEx.exe:*:Enabled:FGLiveUpdateEx
"c:\\Program Files\\PPStream\\PPStream.exe"= c:\program files\PPStream\PPStream.exe:*:Enabled:PPS网络电视
"c:\\Program Files\\PPStream\\PPSAP.exe"= c:\program files\PPStream\PPSAP.exe:*:Enabled:PPS 网络加速器

R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080305.002\IDSvix86.sys [2008-03-06 261680]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;"c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe" [2007-04-16 266343]
R2 Acer TV Share Service;Acer TV Share Service;"c:\program files\Acer Arcade Live\Acer TV Share\Kernel\DMSTV\CLMSServer.exe" [2007-08-14 269424]
R2 litsgt;litsgt;c:\windows\system32\DRIVERS\litsgt.sys [2008-10-21 137344]
R2 tansgt;tansgt;c:\windows\system32\DRIVERS\tansgt.sys [2008-10-21 12032]
R3 Ph3xIB32;Philips 713x VU PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 37936]
S3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\DRIVERS\s115bus.sys [2008-02-08 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2008-02-08 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2008-02-08 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s115mgmt.sys [2008-02-08 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s115obex.sys [2008-02-08 98568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84e90d05-cd53-11dc-bc79-806e6f6e6963}]
\shell\AutoRun\command - L:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdd56e32-2519-11dd-a3a8-0060641bd6d4}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-12-06 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Jeremy.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-11-20 20:41]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-Apanel - c:\acersw\config\NewSetApanel.cmd
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &使用快车(FlashGet)下载 - c:\flashget network\Flashget\ComDlls\Bholink.htm
IE: &使用快车(FlashGet)下载全部链接 - c:\flashget network\Flashget\ComDlls\Bhoall.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FireFox -: Profile - c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\rd33xuc1.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-08 15:21:58
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-08 15:23:58
ComboFix-quarantined-files.txt 2008-12-08 23:23:54

Pre-Run: 85,779,705,856 bytes free
Post-Run: 87,861,080,064 bytes free


Re: Please help with removal of Trojan.Zlob.G

Post by Belahzur on 8th December 2008, 1:30 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\users\Jeremy\AppData\Roaming\Google\windep.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smax4v"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84e90d05-cd53-11dc-bc79-806e6f6e6963}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdd56e32-2519-11dd-a3a8-0060641bd6d4}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
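How a helper gets from the ComboFix "Reg Loading Points" section to the File:: / Registry:: script above, as an added example that is not part of this thread and not ComboFix's, HijackThis's or the forum's own code. The review rules (a Run value launching from a user-writable profile directory, an AutoRun command under mountpoints2, UAC / Security Center / firewall values switched off) and the sample log are my own assumptions, constructed from the entries visible in the log posted earlier; ComboFix itself does no such classification, and a flagged Run entry is a candidate for review, not proof of malware.

```python
"""Triage of a ComboFix "Reg Loading Points" section and a CFScript draft.
Added example for this thread, not ComboFix's or the forum's own code; the
rules and the sample log below are assumptions modelled on the posted log."""
import re
from dataclasses import dataclass

# Constructed sample in the REGEDIT4 form ComboFix prints (from the thread).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Smax4v"="c:\users\Jeremy\AppData\Roaming\Google\windep.exe" [2008-12-08 128000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84e90d05-cd53-11dc-bc79-806e6f6e6963}]
\shell\AutoRun\command - L:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdd56e32-2519-11dd-a3a8-0060641bd6d4}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.I)
# User-writable places a legitimate Run entry rarely launches from (assumed
# heuristic: a hit is a candidate for review, not proof of malware).
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

@dataclass
class Finding:
    category: str  # "run-entry" | "autorun" | "security-weakened"
    key: str
    name: str
    value: str

def parse_reg_points(text):
    """Yield (key, name, value) for each value line under a [key] header;
    AutoRun lines under mountpoints2 are yielded with name 'AutoRun'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            yield key, "AutoRun", m.group("cmd")
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group("name"), m.group("value")

def _exe_path(value):
    """'"c:\\dir\\x.exe" [2008-12-08 128000]' -> 'c:\\dir\\x.exe'."""
    m = re.match(r'^"([^"]+)"', value)
    return m.group(1) if m else value.split(" [")[0]

def _as_int(value):
    """Decode ComboFix's '0 (0x0)' and 'dword:00000001' renderings."""
    v = value.strip()
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    try:
        return int(v.split()[0])
    except ValueError:
        return None

def triage(text):
    """Apply the review rules a helper uses when reading the section."""
    findings = []
    for key, name, value in parse_reg_points(text):
        lkey = key.lower()
        if lkey.endswith("\\currentversion\\run"):
            path = _exe_path(value)
            if any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append(Finding("run-entry", key, name, path))
        elif "\\mountpoints2\\" in lkey and name == "AutoRun":
            findings.append(Finding("autorun", key, name, value))
        elif name in ("EnableLUA", "EnableFirewall") and _as_int(value) == 0:
            findings.append(Finding("security-weakened", key, name, value.strip()))
        elif (name == "DisableMonitoring" or name.endswith("DisableNotify")) \
                and _as_int(value) == 1:
            findings.append(Finding("security-weakened", key, name, value.strip()))
    return findings

def draft_cfscript(findings):
    """Render File:: and Registry:: in the form the thread uses: '"name"=-'
    deletes a value, '[-key]' deletes a whole key.  Weakened-security
    values are not scripted; they are re-enabled by hand once clean."""
    files = [f.value for f in findings if f.category == "run-entry"]
    reg = []
    for f in findings:
        if f.category == "run-entry":
            reg.append("[{}]\n\"{}\"=-".format(f.key, f.name))
        elif f.category == "autorun":
            reg.append("[-{}]".format(f.key))
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if reg:
        parts.append("Registry::\n" + "\n".join(reg))
    return "\n\n".join(parts) + "\n"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("{:18} {} -> {}".format(f.category, f.name, f.value))
    print(draft_cfscript(found))
```

Run on the constructed sample, the draft is exactly the CFScript shown in the post above (the windep.exe file, the "Smax4v" Run value and the two mountpoints2 keys), while EnableLUA=0, DisableMonitoring=1 and EnableFirewall=0 are only reported, since those are settings to restore once the machine is clean rather than entries to delete.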



Re: Please help with removal of Trojan.Zlob.G

Post by Doctor Inferno on 3rd January 2009, 3:42 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.
