trojan.zlob.g - eric


Solved trojan.zlob.g - eric

Post by ericshin on 8th December 2008, 11:00 am

Hey
My problem is that every now and then this Windows Firewall warning pops up saying that they are blocking this trojan.zlob.g thing. Then when I go to use Firefox, a message appears saying that it is dangerous to use the internet because of this trojan thing, and it lets me either choose to continue unprotected or download or buy this antivirus or computer-fixing thing. Anyway, what worries me is that the first time this Windows Firewall trojan.zlob.g popped up my whole computer restarted, and I'm worried the next time this happens I won't be able to turn on my computer again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:55 p.m., on 8/12/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\System32\devldr32.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKLM"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5208 bytes

ericshin
Intermediate

Posts : 80
Joined : 2008-12-08
Gender : Male
OS : microsoft windows xp
Points : 29564
# Likes : 0

Solved uninstall list

Post by ericshin on 8th December 2008, 11:10 am

Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Age of Empires III
Age of Empires III - The Asian Dynasties
Athlon 64 Processor Driver
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESCX3900 User's Guide
GOM Player
Guitar Pro 5.0
HijackThis 2.0.2
Malwarebytes' Anti-Malware
Microsoft Halo
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.4)
MSN Messenger 5.0
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
PIF DESIGNER
Power Tab Editor 1.7
RealPlayer
Realtek AC'97 Audio
Winamp
Winamp Remote
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinRAR archiver


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 8th December 2008, 2:00 pm

I'm not going to even attempt cleaning anything yet; you are running XP WITHOUT any service pack. You'll be instantly infected without one.
Please download and install SP1a from here:
[You must be registered and logged in to see this link.]

Once that is done, then I will help.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1

Solved Re: trojan.zlob.g - eric

Post by ericshin on 8th December 2008, 10:51 pm

OK, thanks for the tip. I'm so relieved that you answered this thread.


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 8th December 2008, 11:03 pm

Once you have installed SP1a, please post a new Hijack This.


Solved New log

Post by ericshin on 8th December 2008, 11:10 pm

Hey Belahzur,
When I installed SP1, how come I have to activate it again? Is there a way not to activate it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:58 p.m., on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\devldr32.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5213 bytes


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 8th December 2008, 11:11 pm

Ignore the activation warning, because we'll be doing more upgrading soon.

  • Now open a new notepad file.
  • Input this into the notepad file:

    REM Export the current user's Run key (per-user autostart entries) to a text file
    regedit /e peek1.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    REM Append the export to look.txt and remove the temporary file
    type peek1.txt >> look.txt
    del peek1.txt
    REM Open the result in Notepad
    start notepad look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Post the result back here.


Solved look bat file

Post by ericshin on 8th December 2008, 11:13 pm

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Orb"="\"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe\" /background"
"Smax4"="\"C:\\Documents and Settings\\Andrew\\Application Data\\Google\\kjzna1562565.exe\""


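An added example (not from the thread, and not a tool the helper used) that automates the check Belahzur made by eye on the look.bat output above: parse the `regedit /e` export and flag Run values whose executable starts from a user-writable profile folder rather than Program Files or WINDOWS. The directory list is a constructed heuristic and the embedded sample export is constructed to mirror the post above.

```python
r"""Triage a `regedit /e` export of the HKCU Run key for suspicious autostart entries.

Added example, not from the forum thread.  A Run value whose executable lives in a
user-writable profile directory (Application Data, Local Settings, Temp, Desktop)
deserves a closer look; entries under Program Files or WINDOWS are usually benign.
"""
import re

# Path fragments under the user profile that a normal installer would not use for
# an autostart executable.  Constructed heuristic list, compared case-insensitively.
SUSPICIOUS_DIRS = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\desktop\\",
)

# A regedit export value line looks like "Name"="Value"; the value is .reg-escaped.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def unescape_reg(value: str) -> str:
    r"""Undo .reg string escaping (\\ becomes a single backslash, \" a quote)."""
    return re.sub(r'\\(["\\])', r'\1', value)


def command_path(command: str) -> str:
    r"""Return the executable path from a Run command, dropping any arguments.

    Quoted form:   "C:\Program Files\X\x.exe" /background -> C:\Program Files\X\x.exe
    Unquoted form: nwiz.exe /install                       -> nwiz.exe
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def parse_run_export(text: str) -> dict:
    """Parse a 'Windows Registry Editor Version 5.00' export into {value_name: exe_path}."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            entries[m.group("name")] = command_path(unescape_reg(m.group("value")))
    return entries


def is_suspicious(path: str) -> bool:
    """True when the executable autostarts from a user-writable profile location."""
    low = path.lower()
    return any(frag in low for frag in SUSPICIOUS_DIRS)


def triage(text: str) -> list:
    """Return [(value_name, exe_path)] for the Run entries worth investigating."""
    return [(name, path) for name, path in parse_run_export(text).items() if is_suspicious(path)]


# Constructed sample export mirroring the look.bat output posted in the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Orb"="\"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe\" /background"
"Smax4"="\"C:\\Documents and Settings\\Andrew\\Application Data\\Google\\kjzna1562565.exe\""
'''

if __name__ == "__main__":
    # Only the Smax4 entry is reported: a random-looking name launched from Application Data.
    for name, path in triage(SAMPLE_EXPORT):
        print(f"SUSPICIOUS {name}: {path}")
```

The same heuristic applies to the HKLM Run key and the O4 lines of a HijackThis log; here it isolates exactly the entry that the OTMoveIt script below removes.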
Solved Re: trojan.zlob.g - eric

Post by Belahzur on 8th December 2008, 11:17 pm

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :processes
    explorer.exe

    :files
    C:\Documents and Settings\Andrew\Application Data\Google\kjzna1562565.exe

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smax4"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post a new Hijack This log + OTMoveIt log.


Solved OTmoveit log

Post by ericshin on 8th December 2008, 11:28 pm

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Documents and Settings\Andrew\Application Data\Google\kjzna1562565.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Smax4 deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_LFAhBVD7fCh66hNOTq2K scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12092008_122330

Files moved on Reboot...
File C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_LFAhBVD7fCh66hNOTq2K not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl moved successfully.


Solved new hijack this log

Post by ericshin on 8th December 2008, 11:29 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:43 p.m., on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\notepad.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5146 bytes


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 8th December 2008, 11:32 pm

1. Download this file - [You must be registered and logged in to see this link.]
2. Double click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Solved Re: trojan.zlob.g - eric

Post by ericshin on 8th December 2008, 11:34 pm

Do I save it to the desktop?


Solved Re: trojan.zlob.g - eric

Post by ericshin on 8th December 2008, 11:38 pm

Only a blue screen pops up.


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 8th December 2008, 11:40 pm

Yeah, that's combofix.
Allow it to load and let it run.


Solved combofix log

Post by ericshin on 8th December 2008, 11:45 pm

ComboFix 08-12-07.04 - Andrew 2008-12-09 12:42:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.711 [GMT 13:00]
Running from: d:\documents and settings\Andrew\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrew\Application Data\Google\spcffwl.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-09 12:24 . 2008-12-09 12:24 d---s---- c:\windows\system32\Microsoft
2008-12-09 12:23 . 2008-12-09 12:23 d-------- C:\_OTMoveIt
2008-12-09 12:01 . 2002-08-29 02:20 115,200 --a------ c:\windows\system32\dpcdll.dll
2008-12-09 11:58 . 2002-08-29 03:39 1,998,848 --a------ c:\windows\system32\wmploc.dll
2008-12-09 11:57 . 2002-06-14 18:46 19,274 --a------ c:\windows\001225_.tmp
2008-12-08 22:27 . 2008-12-08 22:27 d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-08 22:27 . 2008-12-08 22:27 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 22:27 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 22:27 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 22:26 . 2008-12-08 22:26 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-08 19:22 . 2008-12-08 19:22 12 --a------ c:\windows\system32\pgvmc.dat
2008-12-08 19:22 . 2008-12-08 19:22 0 --a------ c:\windows\system32\sfgvmc.dat
2008-12-08 13:11 . 2008-12-08 13:11 d-------- c:\documents and settings\Andrew\Application Data\AdobeUM
2008-12-08 13:03 . 2008-12-08 13:04 d-------- c:\documents and settings\All Users\Application Data\UDL
2008-12-08 12:59 . 2008-12-08 13:03 d-------- c:\program files\epson
2008-12-08 12:59 . 2005-02-25 00:00 46,080 --a------ c:\windows\system32\escimgd.dll
2008-12-08 12:59 . 2005-02-25 00:00 29,696 --a------ c:\windows\system32\escwiad.dll
2008-12-08 12:59 . 2005-02-25 00:00 22,016 --a------ c:\windows\system32\esccmd.dll
2008-12-08 12:59 . 2008-12-08 12:59 25 --a------ c:\windows\CDE CX3900EC.ini
2008-12-07 23:54 . 2008-12-07 23:55 d-------- c:\documents and settings\Andrew\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 23:02 90,240 ----a-w c:\windows\system32\drivers\sptd9053.sys
2008-12-08 00:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 00:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-07 12:00 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-07 11:34 --------- d-----w c:\program files\microsoft frontpage
2008-12-07 10:55 --------- d-----w c:\program files\Winamp Remote
2008-12-07 10:55 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-07 10:51 60,416 ----a-w c:\windows\ALCFDRTM.EXE
2008-12-07 10:48 --------- d-----w c:\program files\MSN Messenger
2008-12-07 10:48 --------- d-----w c:\documents and settings\All Users\Application Data\MSN Messenger 5.0.0544
2008-12-07 09:56 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-12-07 09:56 --------- d-----w c:\program files\Common Files\xing shared
2008-12-07 09:56 --------- d-----w c:\program files\Common Files\Real
2008-12-07 08:32 --------- d-----w c:\program files\MSXML 4.0
2008-12-07 07:42 --------- d-----w c:\program files\Realtek Sound Manager
2008-12-07 07:42 --------- d-----w c:\program files\AvRack
2008-12-07 07:14 223,128 ----a-w c:\windows\system32\drivers\dtscsi.sys
2008-12-07 06:07 --------- d-----w c:\program files\Common Files\Adobe
2008-12-07 03:31 664,064 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-07 02:45 --------- d-----w c:\documents and settings\Andrew\Application Data\fretsonfire
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2003-02-20 2185800]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2002-08-28 208953]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-11-04 7307264]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-11-04 86016]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
"nTrayFw"="d:\progra~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe" [2005-04-29 266240]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-07 185872]
"nwiz"="nwiz.exe" [2005-11-04 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.divxa32"= msaud32_divx.acm


*Newly Created Service* - BITS
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\
FF -: plugin - d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - d:\program files\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - d:\program files\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - d:\program files\RealPlayer\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-09 12:42:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\System32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\nvappfilter.dll
c:\windows\System32\dssenh.dll
.
Completion time: 2008-12-09 12:43:37
ComboFix-quarantined-files.txt 2008-12-08 23:43:12

Pre-Run: 5,291,040,768 bytes free
Post-Run: 5,282,275,328 bytes free

ericshin
Intermediate
Intermediate

Posts Posts : 80
Joined Joined : 2008-12-08
Gender Gender : Male
OS OS : microsoft windows xp
Points Points : 29564
# Likes # Likes : 0

Solved Re: trojan.zlob.g - eric

Post by Belahzur on 8th December 2008, 11:51 pm

Okay, looks good.
What problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

Solved Re: trojan.zlob.g - eric

Post by ericshin on 8th December 2008, 11:58 pm

A trillion thanks!!

The major one for me would be the activation thing



Solved Re: trojan.zlob.g - eric

Post by ericshin on 9th December 2008, 12:00 am

Oh yeah, I forgot to ask. Should I delete all those things you told me to download, or should I keep them in a folder? That ComboFix thing sounds quite dodgy for a person like me, as I might click into it.

And also, just as I thought, I can't activate my Windows because it just tells me that I've overused my product key, so could you tell me how to get around this?

Thanks again Belahzur



Solved Re: trojan.zlob.g - eric

Post by Belahzur on 9th December 2008, 12:46 am

Hello.
Please download XP SP3 from here:
[You must be registered and logged in to see this link.]

And install it, then we'll work on the activation.


Solved Re: trojan.zlob.g - eric

Post by ericshin on 9th December 2008, 5:53 am

hey Belahzur,

I downloaded and installed Windows XP SP3, but now this "svchost - Microsoft Windows Operating system" gets detected by my NVIDIA firewall and it says it's high risk. Then it gives me the options allow or deny. What should I do? And after that, all that's left is the activation thing.

Thanks - Eric


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 9th December 2008, 12:33 pm

Hello.
Please allow it to. It's svchost accessing the internet to get the updates for SP3.

Once SP3 is installed, we'll kill the activation warnings.


Solved Re: trojan.zlob.g - eric

Post by ericshin on 10th December 2008, 12:23 am

OK, thanks a lot for this. I just allowed svchost to access the internet.


Solved Re: trojan.zlob.g - eric

Post by ericshin on 10th December 2008, 4:28 am

Does that mean I should turn on Automatic Updates?


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 10th December 2008, 2:26 pm

Is SP3 installed now?

If yes, please post a new Hijack This log.


Solved HijackThis log

Post by ericshin on 10th December 2008, 9:00 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:43 a.m., on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5312 bytes


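A triage pass over the O4 (autostart) and O23 (service) lines of the log above, as an added example that is not part of this thread and not HijackThis's own code. It extracts the image each entry actually launches (unquoting paths and unwrapping rundll32 hosts), then flags the things a reviewer checks by hand: bare filenames that are resolved through the PATH search order rather than a fixed location, images living under a Temp directory, core Windows process names (svchost.exe, lsass.exe and so on) sitting outside their expected directory, and services HijackThis lists as "Unknown owner", meaning the binary carried no company name. The expected directories assume the XP default SystemRoot of C:\WINDOWS seen in the log; the sample lines are copied from the post, except the final "updater" line, which is constructed for the example and does not appear in the thread. Note that a flag is a prompt to verify, not a verdict: SOUNDMAN.EXE is flagged only because it is a bare name, and the ForceWare service is a known NVIDIA component that simply lacks version information.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example: not part of the original thread and not HijackThis's own code.
"""
import re
from dataclasses import dataclass

# Constructed sample: the first six lines are copied from the HijackThis log
# posted above; the final 'updater' line is hypothetical (not in the thread) so
# the Temp-directory and name-masquerade checks have something to fire on.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Andrew\LOCALS~1\Temp\svchost.exe
"""

O4_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Where core Windows processes are expected to live. Assumes the XP default
# SystemRoot of C:\WINDOWS, as in the log above (an assumption of this example).
SYSTEM_IMAGE_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Finding:
    kind: str       # "O4" or "O23"
    name: str       # Run value name or service display name
    path: str       # image the entry launches
    reasons: list   # why it was flagged


def executable_from_command(command: str) -> str:
    """Return the image an O4 Run value launches: unquote it, and for rundll32
    hosts return the DLL path rather than rundll32 itself."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:] if close == -1 else command[1:close]
    tokens = command.split()
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]      # strip ',EntryPoint'
    return tokens[0]


def assess_path(path: str) -> list:
    """Checks a reviewer applies to any autostart or service image path."""
    reasons = []
    p = path.lower()
    if "\\" not in p:
        reasons.append("bare filename: resolved via the PATH search order, not a fixed location")
        return reasons
    directory, _, basename = p.rpartition("\\")
    if "\\temp\\" in p:
        reasons.append("image lives under a Temp directory")
    expected = SYSTEM_IMAGE_DIRS.get(basename)
    if expected and directory != expected:
        reasons.append(f"{basename} outside {expected} (system process name masquerade)")
    return reasons


def triage(log_text: str) -> list:
    """Parse O4/O23 lines and return only the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = executable_from_command(m["command"])
            reasons = assess_path(path)
            if reasons:
                findings.append(Finding("O4", m["name"], path, reasons))
        elif m := O23_RE.match(line):
            reasons = assess_path(m["path"])
            if m["owner"].lower() == "unknown owner":
                reasons.append("service binary carries no company name (verify by hand)")
            if reasons:
                findings.append(Finding("O23", m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name!r} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, three entries come back: SoundMan (bare name), the ForceWare IAM service (no company name), and the constructed "updater" entry (both a Temp path and an svchost.exe outside System32). The clean entries, including the rundll32-hosted NvCpl.dll, are not reported.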
Solved Re: trojan.zlob.g - eric

Post by Belahzur on 10th December 2008, 9:08 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :processes
    explorer.exe

    :files
    C:\WINDOWS\System32\wgalogon.exe
    C:\WINDOWS\System32\wgalogon.dll

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


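The OTMoveIt3 script above has three sections (processes to kill, files to move, commands to run) and the tool simply reports "not found" for any path that is absent, which is exactly what the next post shows. As an added example, not part of this thread and not OldTimer's own code, here is a small Python parser for that script format with a dry run that previews the outcome before anything is moved: which processes would be killed, which listed files exist and which are already missing, and any command the script uses that is not one of the four seen in this thread. The set of known commands is taken from the script in the post and is an assumption of the example, not OTMoveIt3's documented command list; the file-existence check is injectable so the preview can be run against a synthetic file set on any platform.

```python
"""Parser and dry run for OTMoveIt3-style scripts.

Added example: not part of the original thread and not OTMoveIt3's own code.
"""
import os

# Constructed sample: the script posted above, copied verbatim.
SAMPLE_SCRIPT = r"""
:processes
explorer.exe

:files
C:\WINDOWS\System32\wgalogon.exe
C:\WINDOWS\System32\wgalogon.dll

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
"""

# Commands seen in the script above. Assumption for this example only; it is not
# the tool's full command list, so anything else is reported as unknown.
KNOWN_COMMANDS = {"[purity]", "[emptytemp]", "[start explorer]", "[reboot]"}


def parse_script(text: str) -> dict:
    """Split a script into its ':section' blocks, keeping entry order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def dry_run(text: str, exists=os.path.exists) -> dict:
    """Preview what the script would do without touching the machine.

    'exists' is injectable so the preview can be checked against a synthetic
    file set instead of the real filesystem.
    """
    sections = parse_script(text)
    report = {
        "kill": list(sections.get("processes", [])),
        "move": [],
        "missing": [],
        "commands": [],
        "unknown_commands": [],
    }
    for path in sections.get("files", []):
        # OTMoveIt3 logs 'not found' for absent paths; surface that up front.
        (report["move"] if exists(path) else report["missing"]).append(path)
    for cmd in sections.get("commands", []):
        bucket = "commands" if cmd.lower() in KNOWN_COMMANDS else "unknown_commands"
        report[bucket].append(cmd)
    return report


if __name__ == "__main__":
    # Simulate the poster's machine, where neither WGA file was present.
    present = set()
    for key, items in dry_run(SAMPLE_SCRIPT, exists=lambda p: p in present).items():
        print(f"{key:17s} {items}")
```

With an empty file set the preview lists both wgalogon paths as missing, matching the "not found" lines in the log that follows; with one of them present it moves to the "move" list. A script with an entry before any section header is rejected rather than silently applied.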
Solved OTMoveIt log

Post by ericshin on 10th December 2008, 9:22 pm

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\WINDOWS\System32\wgalogon.exe not found.
File/Folder C:\WINDOWS\System32\wgalogon.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_IK3qFX0q0Acz0a9j5T2v scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_101749

Files moved on Reboot...
File C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_IK3qFX0q0Acz0a9j5T2v not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl moved successfully.


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 10th December 2008, 9:27 pm

Okay, the WGA files aren't present on this machine.
You may just have to ignore the activation warnings.


Solved Re: trojan.zlob.g - eric

Post by ericshin on 10th December 2008, 9:29 pm

So you mean the activation warnings are fake and I don't actually have to activate my Windows?


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 10th December 2008, 9:36 pm

Well no.
The alerts are real, it just means you won't be able to use the following:

Windows Media Player 11 and above
MSN Messenger 9 and above
Internet Explorer 7 and above

But there are alternatives to those.

Winamp or VLC Media Player
Trillian Messenger
Firefox Or Google Chrome


Solved Re: trojan.zlob.g - eric

Post by ericshin on 10th December 2008, 9:46 pm

OK, that's cool, because I don't use those first three things anyway. But I always thought that if I don't activate my Windows it means I can't use my computer?

Anyway thanks for all this Belahzur.


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 10th December 2008, 9:48 pm

No.
My machine isn't activated, I can still use mine.


Solved Re: trojan.zlob.g - eric

Post by ericshin on 10th December 2008, 9:48 pm

OK, thanks a lot. Is there anything I can do for you in return?


Solved Re: trojan.zlob.g - eric

Post by Belahzur on 10th December 2008, 9:50 pm

Spread the word about us.
Never come back to the malware removal section.

Glad I could help.


Solved Re: trojan.zlob.g - eric

Post by ericshin on 10th December 2008, 9:51 pm

OK, I will, and thanks again.


Solved Re: trojan.zlob.g - eric

Post by Doctor Inferno on 15th January 2009, 8:15 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0