trojan.zlob.g - eric


Solved High Jack this log

Post by ericshin on Wed Dec 10, 2008 9:00 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:43 a.m., on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5312 bytes

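Reading a HijackThis log by hand, as the responders in this thread do, comes down to splitting each line into its section code, name, CLSID and file path, and then asking where each autostart item actually loads from. The Python below is an added example written for this page; it is not HijackThis code and not from anyone in the thread. It parses a small constructed log in the same line format as the one posted above and applies two first-pass checks a reader applies by eye: autostart entries (and running processes) that live in user-writable locations such as Temp or the user profile, and O23 services that carry no vendor string. The sample log, its CLSID and the "Example"/updater names are invented; the regular expressions are written against the line shapes visible in the log above (R1, O2/O3/O9, O4 Run and Global Startup, O23), and unknown section codes are kept as bare entries rather than dropped.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis v2 format, modelled on the thread's log.
# The CLSID, the "Example" vendor, helper.dll, exsvc.exe and updater.exe are
# invented; ctfmon.exe is the real Windows text-services loader.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\User\LOCALS~1\Temp\updater.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://example.invalid/search
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "C:\DOCUME~1\User\LOCALS~1\Temp\updater.exe" /silent
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\Program Files\Example\exsvc.exe
"""

@dataclass
class Entry:
    code: str         # section code: R1, O2, O4, O23, ...
    name: str = ""    # Run value name, BHO/toolbar name or service name
    path: str = ""    # file the entry points at ("" if none parsed)
    clsid: str = ""   # COM class id (O2/O3/O9)
    owner: str = ""   # vendor string (O23)
    hive: str = ""    # registry hive (O4) or "Startup folder"

@dataclass
class Report:
    processes: List[str] = field(default_factory=list)
    entries: List[Entry] = field(default_factory=list)

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.*?) = (?P<cmd>.*)$")
CLSID_RE = re.compile(r"^(?:BHO|Toolbar|Extra button|Extra 'Tools' menuitem): "
                      r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*) \((?P<short>[^()]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|cpl))"?', re.IGNORECASE)

# Substrings that mark user-writable locations on an XP-era disk layout.
USER_WRITABLE_HINTS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                       "\\application data\\", "\\documents and settings\\", "\\docume~1\\")

def extract_path(cmd: str) -> str:
    """First executable/DLL path in a Run command; a rundll32 launcher is unwrapped."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return ""
    if m.group("path").lower().endswith("rundll32.exe"):
        inner = EXE_RE.match(cmd[m.end():].lstrip())
        if inner:
            return inner.group("path")
    return m.group("path")

def parse_hjt(text: str) -> Report:
    """Split a HijackThis log into the running-process list and typed entries."""
    report, in_procs = Report(), False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:                      # a blank line ends the process list
            in_procs = bool(line)
            if line:
                report.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        e = Entry(code=code)
        if code == "O4" and (r := RUN_RE.match(body)):
            e.hive, e.name, e.path = r.group("hive"), r.group("name"), extract_path(r.group("cmd"))
        elif code == "O4" and (s := STARTUP_RE.match(body)):
            e.hive, e.name, e.path = "Startup folder", s.group("name"), extract_path(s.group("cmd"))
        elif code in ("O2", "O3", "O9") and (c := CLSID_RE.match(body)):
            e.name, e.clsid, e.path = c.group("name"), c.group("clsid"), c.group("path")
        elif code == "O23" and (sv := SERVICE_RE.match(body)):
            e.name, e.owner, e.path = sv.group("name"), sv.group("owner"), sv.group("path")
        report.entries.append(e)
    return report

def triage(report: Report) -> List[str]:
    """First-pass checks of the kind a log reader applies by eye."""
    findings = []
    for e in report.entries:
        if e.code == "O4" and e.path:
            if "\\" not in e.path:
                findings.append(f"O4 [{e.name}]: bare filename {e.path}, resolved via PATH search, origin unknown")
            elif any(h in e.path.lower() for h in USER_WRITABLE_HINTS):
                findings.append(f"O4 [{e.name}]: autostart from user-writable location {e.path}")
        elif e.code == "O23" and e.owner.lower() == "unknown owner":
            findings.append(f"O23 {e.name}: service with no vendor string, binary {e.path}")
    for p in report.processes:
        if any(h in p.lower() for h in USER_WRITABLE_HINTS):
            findings.append(f"process running from user-writable location: {p}")
    return findings
```

Running `triage(parse_hjt(SAMPLE_LOG))` on the constructed sample reports the Temp-resident updater both as an O4 autostart and as a running process, and the service with the "Unknown owner" string; the ctfmon entry in System32 is left alone. These heuristics only rank what to look at first: a vendor string is just text a service installer wrote, and nothing here replaces checking the file itself.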

Solved Re: trojan.zlob.g - eric

Post by Belahzur on Wed Dec 10, 2008 9:08 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).

    :processes
    explorer.exe

    :files
    C:\WINDOWS\System32\wgalogon.exe
    C:\WINDOWS\System32\wgalogon.dll

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]

  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved moveit log

Post by ericshin on Wed Dec 10, 2008 9:22 pm

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\WINDOWS\System32\wgalogon.exe not found.
File/Folder C:\WINDOWS\System32\wgalogon.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_IK3qFX0q0Acz0a9j5T2v scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_101749

Files moved on Reboot...
File C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_IK3qFX0q0Acz0a9j5T2v not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl moved successfully.

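The responder's conclusion in the next post ("the wga files aren't present") comes from reading the FILES section of the OTMoveIt3 result for `not found` lines, and the reboot section for anything that was deferred. The Python below is an added example written for this page, not OTMoveIt3's code and not from anyone in the thread; it pairs the `:files` list of a script with the outcome lines of the result log so that the same check can be made mechanically, and it also tracks the deferred-to-reboot case that the temp file went through in the log above. Both the script and the result log are constructed samples in the line shapes seen above. Two shapes are assumptions: that an immediate move prints the same `<path> moved successfully.` line the reboot section shows, and that a locked `:files` entry produces the same `File delete failed. ... scheduled to be deleted on reboot.` line the temp file did.

```python
import re
from typing import Dict, List

# Constructed OTMoveIt3 script in the format posted in this thread; the
# example_* paths are invented for this example.
SAMPLE_SCRIPT = r"""
:processes
explorer.exe

:files
C:\WINDOWS\System32\example_a.exe
C:\WINDOWS\System32\example_b.dll
C:\WINDOWS\System32\example_c.dll

:commands
[emptytemp]
[start explorer]
[reboot]
"""

# Constructed result log. The "not found", "scheduled to be deleted on
# reboot", "not found!" and reboot-section "moved successfully." lines follow
# the log above; the immediate "moved successfully." line is assumed.
SAMPLE_RESULT = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\WINDOWS\System32\example_a.exe not found.
C:\WINDOWS\System32\example_b.dll moved successfully.
File delete failed. C:\WINDOWS\System32\example_c.dll scheduled to be deleted on reboot.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\User\LOCALS~1\Temp\example_tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
Explorer started successfully

Files moved on Reboot...
File C:\DOCUME~1\User\LOCALS~1\Temp\example_tmp not found!
C:\WINDOWS\System32\example_c.dll moved successfully.
"""

NOT_FOUND_RE = re.compile(r"^File/Folder (?P<path>.+) not found\.$")
DEFERRED_RE = re.compile(r"^File delete failed\. (?P<path>.+) scheduled to be deleted on reboot\.$")
MOVED_RE = re.compile(r"^(?P<path>.+) moved successfully\.$")
REBOOT_NOT_FOUND_RE = re.compile(r"^File (?P<path>.+) not found!$")

def requested_files(script: str) -> List[str]:
    """Paths listed under the :files section of an OTMoveIt3 script."""
    paths, section = [], None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line.lower()
            continue
        if section == ":files":
            paths.append(line)
    return paths

def file_outcomes(result_log: str) -> Dict[str, str]:
    """Final outcome per path mentioned in the result log, reboot section included."""
    outcomes: Dict[str, str] = {}
    reboot_pass = False
    for line in result_log.splitlines():
        line = line.strip()
        if line.startswith("Files moved on Reboot"):
            reboot_pass = True          # later lines describe the post-reboot pass
            continue
        if (m := NOT_FOUND_RE.match(line)):
            outcomes[m.group("path")] = "not found"
        elif (m := DEFERRED_RE.match(line)):
            outcomes[m.group("path")] = "deferred to reboot"
        elif (m := MOVED_RE.match(line)):
            outcomes[m.group("path")] = "moved on reboot" if reboot_pass else "moved"
        elif (m := REBOOT_NOT_FOUND_RE.match(line)):
            outcomes[m.group("path")] = "gone at reboot"   # deferred file no longer existed
    return outcomes

def reconcile(script: str, result_log: str) -> Dict[str, str]:
    """Pair every requested :files path with its outcome."""
    outcomes = file_outcomes(result_log)
    return {p: outcomes.get(p, "no result line") for p in requested_files(script)}

def targets_absent(script: str, result_log: str) -> bool:
    """True when none of the requested files existed, the situation in this thread."""
    return all(v == "not found" for v in reconcile(script, result_log).values())
```

For the real log above, `reconcile` would map both wgalogon paths to "not found" and `targets_absent` would return True, which is exactly the observation the responder acted on: an activation warning with no such files on disk is not the infection the script was written for. A path that the result log never mentions is reported as "no result line" rather than silently treated as clean.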

Solved Re: trojan.zlob.g - eric

Post by Belahzur on Wed Dec 10, 2008 9:27 pm

Okay, the wga files aren't present on this machine.
You may just have to ignore the activation warnings.



Solved Re: trojan.zlob.g - eric

Post by ericshin on Wed Dec 10, 2008 9:29 pm

so you mean the activation warnings are fake and i don't actually have to activate my windows?


Solved Re: trojan.zlob.g - eric

Post by Belahzur on Wed Dec 10, 2008 9:36 pm

Well no.
The alerts are real, it just means you won't be able to use the following:

Windows Media Player 11 and above
MSN Messenger 9 and above
Internet Explorer 7 and above

But there are alternatives to that.

Winamp or VLC Media Player
Trillian Messenger
Firefox Or Google Chrome



Solved Re: trojan.zlob.g - eric

Post by ericshin on Wed Dec 10, 2008 9:46 pm

Ok that's cool because i don't use those first three things anyway. But i always thought that if i don't activate my windows it means i can't use my computer?

Anyway thanks for all this Belahzur.


Solved Re: trojan.zlob.g - eric

Post by Belahzur on Wed Dec 10, 2008 9:48 pm

No.
My machine isn't activated, I can still use mine.



Solved Re: trojan.zlob.g - eric

Post by ericshin on Wed Dec 10, 2008 9:48 pm

Ok Thanks a lot. Is there anything i can do for you in return?


Solved Re: trojan.zlob.g - eric

Post by Belahzur on Wed Dec 10, 2008 9:50 pm

Spread the word about us.
Never come back to the malware removal section. ( LOL Banner )

Glad I could help. Smile



Solved Re: trojan.zlob.g - eric

Post by ericshin on Wed Dec 10, 2008 9:51 pm

Ok I will and thanks again


Solved Re: trojan.zlob.g - eric

Post by Doctor Inferno on Thu Jan 15, 2009 8:15 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.
