Please help with trojan.zlob.g!!!


Solved Please help with trojan.zlob.g!!!

Post by CG79 on 9th December 2008, 9:24 pm

I have had that security alert popping up for about 2 days now. My computer has been acting funny: it restarts itself sometimes, closes the internet, and a few hours ago it performed a file search on its own. Just very weird things going on! I was close to clicking on the alert but decided to read more about it first; glad I did! Please help me get rid of this virus!

Here is the hijack list:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:38 AM, on 12/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\1201727513\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Crystal\Application Data\Google\kjzna1562565.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Crystal\My Documents\Programs\Hijack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - (no file)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201727513\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [OpinionSquare] c:\windows\system32\opnsqr.exe -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Smax4] "C:\Documents and Settings\Crystal\Application Data\Google\kjzna1562565.exe"
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" -"http://games.myspace.com/MySpace2.0/App/GameShell.aspx?cx=600000&cn=SD%3dXKJ9tGTeb37Oi5%2bb5HiJuQxd1tXUNK52DPFiRxLsxljxbFW02eziIFhuSy%2fWMZmO%26LT%3d0%26CL%3dC%26TO%3d1227397556%26A%3d7dWdLpI%2b3EDa%2bqUUoVl1znZQDPs%3d%26SA%3d7dWdLpI%2b3EDa%2bqUUoVl1znZQDPs%3d&rx=1200000&rn=SD%3dXKJ9tGTeb37Oi5%2bb5HiJuQxd1tXUNK52DPFiRxLsxljxbFW02eziIFhuSy%2fWMZmO%26LT%3d0%26CL%3dR%26TO%3d1227398156%26A%3d6J5rjaQ1sb7u3entEeFZ%2fnPhZMs%3d%26SA%3d6J5rjaQ1sb7u3entEeFZ%2fnPhZMs%3d&ui=jYBvpJRaVHwTgeIFf3epwsieKA8%3d&ux=86400000&un=DA%3d%26SD%3dXKJ9tGTeb37Oi5%2bb5HiJuQxd1tXUNK52DPFiRxLsxljxbFW02eziIFhuSy%2fWMZmO%26LT%3d0%26CL%3dU%26TO%3d1227483356%26A%3d0J2A%2fzbjtsVorS8AKHa7E1dXHxY%3d%26SA%3d0J2A%2fzbjtsVorS8AKHa7E1dXHxY%3d&room=c738e3ce-1869-4bab-ab39-83caed5f488d&code=113399323&channel=110343720&lc=en&refid=&device=-1&carrier=-1&isOmitChat=0&isOmitAddToProfile=0"
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021NVUS
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - [You must be registered and logged in to see this link.]
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\opai.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: OpinionSquare - C:\WINDOWS\System32\opls.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8321 bytes



And here is the uninstall list:
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
AOL Uninstaller (Choose which Products to Remove)
AVG 7.5
Compton's World Atlas
Creative WebCam Center
Creative WebCam Instant Driver (1.00.08.0416)
Dell ResourceCD
HijackThis 2.0.2
Homestead SiteBuilder
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Intel(R) PRO Ethernet Adapter and Software
Linksys EasyLink Advisor 1.5 (1044)
Linksys Wireless-G PCI Adapter
Macromedia Flash Player 8
McAfee.com SecurityCenter
McAfee.com VirusScan Online
Microsoft Money 99
Microsoft Picture It! Photo 2002
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Musicmatch® Jukebox
MySpaceIM
Nero 7 Essentials
QuickTime
QuickTime for Windows (32-bit)
Skype™ 3.8
Sound Blaster Live!
SUPERAntiSpyware Free Edition
The Writing Tutor
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinZip 11.1


________________________________________________________________


Please help get this virus off my computer!

thanks,
Crystal

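The HijackThis log above is read by hand in this thread. As an added example (not code from the original post, from HijackThis or from ComboFix), here is a small Python triage script that applies the checks a helper applies when skimming such a log: executables running or autostarting from user-writable directories, random-looking file names, a populated AppInit_DLLs value, Winlogon Notify packages, services with no vendor string, and Run entries under the SYSTEM or .DEFAULT hive. The sample input is a handful of lines copied from the first log in this thread plus two benign entries for contrast; the rule names, severities and notes are this example's own choices, and the output is a list of entries to review, not a verdict on any of them.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log posted in this
# thread, plus two benign entries (AVG autostart, AVG service) for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Crystal\Application Data\Google\kjzna1562565.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Smax4] "C:\Documents and Settings\Crystal\Application Data\Google\kjzna1562565.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\System32\opai.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: OpinionSquare - C:\WINDOWS\System32\opls.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low": this example's own ranking
    rule: str
    line: str
    note: str = ""


O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|ocx|com|scr|bat|cmd|pif))"?(?=\s|$)', re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<name>[^)]*)\))? - (?P<company>.*?) - (?P<path>.+)$")

# Locations a non-admin user can write to; software that starts from here was
# dropped there rather than installed under Program Files.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def looks_random(path: str) -> bool:
    """Names like kjzna1562565.exe (letters plus a long digit run) are typical of droppers."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return sum(ch.isdigit() for ch in stem) >= 4


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    running: set[str] = set()  # lower-cased paths from the "Running processes" section
    in_procs = False
    for ln in log_text.splitlines():
        ln = ln.rstrip()
        if ln == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not ln:  # blank line ends the process list
                in_procs = False
                continue
            running.add(ln.lower())
            if is_user_writable(ln):
                findings.append(Finding("high", "process-in-user-writable-dir", ln))
            continue
        m = O4_RE.match(ln)
        if m:
            pm = PATH_RE.search(m["cmd"])
            path = pm["path"] if pm else m["cmd"].strip('"')
            note = "also listed under Running processes" if path.lower() in running else ""
            if is_user_writable(path):
                findings.append(Finding("high", "autostart-in-user-writable-dir", ln, note))
            if looks_random(path):
                findings.append(Finding("medium", "random-looking-filename", ln, note))
            if "S-1-5-18" in m["hive"] or ".DEFAULT" in m["hive"]:
                findings.append(Finding("low", "autostart-under-system-or-default-hive", ln, note))
            continue
        if APPINIT_RE.match(ln):
            findings.append(Finding("high", "appinit_dlls-set", ln,
                                    "DLL is loaded into every process that loads user32.dll"))
            continue
        if NOTIFY_RE.match(ln):
            findings.append(Finding("medium", "winlogon-notify-package", ln,
                                    "runs inside winlogon.exe at logon; verify the vendor"))
            continue
        m = O23_RE.match(ln)
        if m and m["company"].lower() == "unknown owner":
            findings.append(Finding("low", "service-unknown-owner", ln,
                                    "binary carries no company/version info; check the file on disk"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: log order within a severity
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule}: {f.line}" + (f"  ({f.note})" if f.note else ""))
    print(summarize(results))
```

On the sample, the three high findings are the same file reached two ways (a process running from Application Data and the HKCU Run value that launches it) plus the AppInit_DLLs value; the Winlogon Notify and unknown-owner entries are listed for review only, since a legitimate security product (SUPERAntiSpyware here) and an old McAfee build produce the same log lines.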

Solved Re: Please help with trojan.zlob.g!!!

Post by Belahzur on 9th December 2008, 11:14 pm

Hello.

1. Download this file - [You must be registered and logged in to see this link.]
2. Double-click combofix.exe and follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Please PM me if I fail to respond within 24hrs.



Solved Re: Please help with trojan.zlob.g!!!

Post by CG79 on 20th December 2008, 4:33 am

Thank you for the ComboFix suggestion. I ran it and it seemed to delete quite a few files. The trojan.zlob.g pop-up thankfully hasn't come back, but I'm still having issues with freeze-ups on the internet and running programs. It seems I have to run a spyware scan almost twice a day, at least once a day. Do you know what this could be?

Here's my current hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:39 PM, on 12/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\1201727513\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Skype\Phone\Skype.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Documents and Settings\Crystal\My Documents\Programs\Hijack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1201727513\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" -"http://games.myspace.com/MySpace2.0/App/GameShell.aspx?cx=600000&cn=SD%3dXKJ9tGTeb37Oi5%2bb5HiJuQxd1tXUNK52DPFiRxLsxljxbFW02eziIFhuSy%2fWMZmO%26LT%3d0%26CL%3dC%26TO%3d1227397556%26A%3d7dWdLpI%2b3EDa%2bqUUoVl1znZQDPs%3d%26SA%3d7dWdLpI%2b3EDa%2bqUUoVl1znZQDPs%3d&rx=1200000&rn=SD%3dXKJ9tGTeb37Oi5%2bb5HiJuQxd1tXUNK52DPFiRxLsxljxbFW02eziIFhuSy%2fWMZmO%26LT%3d0%26CL%3dR%26TO%3d1227398156%26A%3d6J5rjaQ1sb7u3entEeFZ%2fnPhZMs%3d%26SA%3d6J5rjaQ1sb7u3entEeFZ%2fnPhZMs%3d&ui=jYBvpJRaVHwTgeIFf3epwsieKA8%3d&ux=86400000&un=DA%3d%26SD%3dXKJ9tGTeb37Oi5%2bb5HiJuQxd1tXUNK52DPFiRxLsxljxbFW02eziIFhuSy%2fWMZmO%26LT%3d0%26CL%3dU%26TO%3d1227483356%26A%3d0J2A%2fzbjtsVorS8AKHa7E1dXHxY%3d%26SA%3d0J2A%2fzbjtsVorS8AKHa7E1dXHxY%3d&room=c738e3ce-1869-4bab-ab39-83caed5f488d&code=113399323&channel=110343720&lc=en&refid=&device=-1&carrier=-1&isOmitChat=0&isOmitAddToProfile=0"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021NVUS
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - [You must be registered and logged in to see this link.]
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\System32\opai.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7953 bytes


Solved Re: Please help with trojan.zlob.g!!!

Post by Belahzur on 20th December 2008, 2:46 pm

Hello.
I can't suggest anything until I see the ComboFix log, so please post the ComboFix log.





Solved Re: Please help with trojan.zlob.g!!!

Post by CG79 on 22nd December 2008, 8:57 pm

Oops, lol.

Here's the log...

ComboFix 08-12-09.03 - Crystal 2008-12-22 15:49:44.2 - NTFSx86
Running from: c:\documents and settings\Crystal\My Documents\Programs\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-22 15:45 . 2008-12-22 15:46 d-------- C:\32788R22FWJFW.0.tmp
2008-12-08 11:04 . 2008-12-08 11:04 d-------- c:\documents and settings\NetworkService\Application Data\AVG7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 13:01 --------- d-----w c:\documents and settings\Crystal\Application Data\skypePM
2008-12-22 13:00 --------- d-----w c:\documents and settings\Crystal\Application Data\AVG7
2008-12-09 08:38 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-01 00:10 --------- d---a-w c:\documents and settings\Sevarin\Application Data\AVG7
2008-11-26 20:45 --------- d-----w c:\documents and settings\Crystal\Application Data\Skype
2008-11-20 10:08 --------- d-----w c:\program files\Google
2008-11-19 22:54 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-18 09:34 --------- d-----w c:\program files\Skype
2008-11-18 09:34 --------- d-----w c:\program files\Common Files\Skype
2008-11-18 09:34 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-05 15:38 --------- d-----w c:\program files\MySpace Games
2008-11-05 07:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-05 06:53 --------- d-----w c:\documents and settings\Crystal\Application Data\cerasus.media
2008-11-05 06:53 --------- d-----w c:\documents and settings\All Users\Application Data\cerasus.media
2008-11-05 06:51 --------- d-----w c:\program files\Common Files\Oberon Media
2008-11-03 09:46 --------- d-----w c:\documents and settings\Crystal\Application Data\Viewpoint
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 16:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 16:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2008-11-05 15:37:19 39,992 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-13 04:22:50 39,992 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-05 15:37:19 311,604 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-13 04:22:50 311,604 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\program files\Microsoft Money\System\reminder.exe" [1998-07-25 36352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-09 1809648]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE" [2008-08-06 447928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-07-29 131072]
"MCAgentExe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2002-09-06 192512]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2002-09-04 151552]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 139264]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-29 53248]
"HostManager"="c:\program files\Common Files\AOL\1201727513\ee\AOLSoftware.exe" [2007-10-08 41824]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-12 219136]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-02 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-09 03:38 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\opai.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

.
Contents of the 'Scheduled Tasks' folder

2008-09-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1201207759.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 23:38]

2008-12-22 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Crystal).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2002-09-04 13:28]

2008-12-22 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Crystal).job
- c:\progra~1\mcafee.com\agent [2008-03-18 01:20]

2008-12-01 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Sevarin).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2002-09-04 13:28]

2008-12-01 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Sevarin).job
- c:\progra~1\mcafee.com\agent [2008-03-18 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - ?p=ZKxdm021NVUS
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -

O16 -: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\WMDownload.dll - O16 -: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\WMDL.inf

c:\windows\Downloaded Program Files\OberonGameHost.dll - O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\OberonGameHost_dbg.inf
FireFox -: Profile - c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\9km0kxkq.default\
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-22 15:50:40
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\System32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(752)
c:\windows\System32\dssenh.dll
.
Completion time: 2008-12-22 15:54:05
ComboFix-quarantined-files.txt 2008-12-22 20:52:39
ComboFix2.txt 2008-12-10 18:10:17

Pre-Run: 51,362,656,256 bytes free
Post-Run: 51,407,577,088 bytes free

141


Solved Re: Please help with trojan.zlob.g!!!

Post by Belahzur on 22nd December 2008, 9:06 pm

Hello.
The log says reduced mode, which makes me think you weren't able to connect to the bleepingcomputer link.
Before we continue, I need to know if you weren't able to connect to bleepingcomputer?





Solved Re: Please help with trojan.zlob.g!!!

Post by CG79 on 22nd December 2008, 11:53 pm

I ran it twice. The first time was about a week ago; it said it was deleting quite a few files, then when it finished it restarted my computer.

I misunderstood which log to give you, and gave you the hijack log. So when you asked for the ComboFix log, I just reran the ComboFix program. When it started up, it said that ComboFix had expired and asked if I wanted to run it in reduced mode, so I did that just to get the log. Do I need to download ComboFix again and rerun the program?


Solved Re: Please help with trojan.zlob.g!!!

Post by Belahzur on 22nd December 2008, 11:55 pm

I see.
Yes, we need an updated log.
Please get a new version of combofix and run that.





Solved Re: Please help with trojan.zlob.g!!!

Post by CG79 on 23rd December 2008, 1:56 am

OK, I downloaded ComboFix again from the link above and got the log...

ComboFix 08-12-21.04 - Crystal 2008-12-22 20:41:42.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.255.27 [GMT -5:00]
Running from: c:\documents and settings\Crystal\My Documents\Programs\ComboFix1.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-22 15:45 . 2008-12-22 15:46 d-------- C:\32788R22FWJFW.0.tmp
2008-12-08 11:04 . 2008-12-08 11:04 d-------- c:\documents and settings\NetworkService\Application Data\AVG7

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 21:01 --------- d-----w c:\documents and settings\Crystal\Application Data\skypePM
2008-12-22 13:00 --------- d-----w c:\documents and settings\Crystal\Application Data\AVG7
2008-12-09 08:38 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-01 00:10 --------- d---a-w c:\documents and settings\Sevarin\Application Data\AVG7
2008-11-26 20:45 --------- d-----w c:\documents and settings\Crystal\Application Data\Skype
2008-11-20 10:08 --------- d-----w c:\program files\Google
2008-11-19 22:54 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-18 09:34 --------- d-----w c:\program files\Skype
2008-11-18 09:34 --------- d-----w c:\program files\Common Files\Skype
2008-11-18 09:34 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-11-05 15:38 --------- d-----w c:\program files\MySpace Games
2008-11-05 07:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-05 06:53 --------- d-----w c:\documents and settings\Crystal\Application Data\cerasus.media
2008-11-05 06:53 --------- d-----w c:\documents and settings\All Users\Application Data\cerasus.media
2008-11-05 06:51 --------- d-----w c:\program files\Common Files\Oberon Media
2008-11-03 09:46 --------- d-----w c:\documents and settings\Crystal\Application Data\Viewpoint
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 16:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 16:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2008-11-05 15:37:19 39,992 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-13 04:22:50 39,992 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-05 15:37:19 311,604 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-13 04:22:50 311,604 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="c:\program files\Microsoft Money\System\reminder.exe" [1998-07-25 36352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-09 1809648]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"AOL Fast Start"="c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE" [2008-08-06 447928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2004-07-29 131072]
"MCAgentExe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2002-09-06 192512]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2002-09-04 151552]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 139264]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-29 53248]
"HostManager"="c:\program files\Common Files\AOL\1201727513\ee\AOLSoftware.exe" [2007-10-08 41824]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-02-12 219136]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-09-02 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-09 03:38 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\opai.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-02-29 55024]
R3 NaiFiltr;NaiFiltr;c:\windows\System32\DRIVERS\NaiFiltr.sys [2008-01-22 23296]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-09-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1201207759.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 23:38]

2008-12-22 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Crystal).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2002-09-04 13:28]

2008-12-22 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Crystal).job
- c:\progra~1\mcafee.com\agent [2008-03-18 01:20]

2008-12-01 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Sevarin).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2002-09-04 13:28]

2008-12-01 c:\windows\Tasks\McAfee.com Update Check (CMYSTIC-Sevarin).job
- c:\progra~1\mcafee.com\agent [2008-03-18 01:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search - ?p=ZKxdm021NVUS
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -

O16 -: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\WMDownload.dll - O16 -: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\WMDL.inf

c:\windows\Downloaded Program Files\OberonGameHost.dll - O16 -: {D0C0F75C-683A-4390-A791-1ACFD5599AB8}
[You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\OberonGameHost_dbg.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-22 20:48:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\windows\System32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(752)
c:\windows\System32\dssenh.dll
.
Completion time: 2008-12-22 20:51:40
ComboFix-quarantined-files.txt 2008-12-23 01:51:19
ComboFix2.txt 2008-12-22 20:54:07
ComboFix3.txt 2008-12-10 18:10:17

Pre-Run: 51,379,204,096 bytes free
Post-Run: 51,388,637,184 bytes free

147


Solved Re: Please help with trojan.zlob.g!!!

Post by Belahzur on 23rd December 2008, 1:59 am


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


What problems remain?


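The fix above empties AppInit_DLLs, the value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows that user32.dll reads to load the listed DLLs into every process linking user32 (Windows XP has no LoadAppInit_DLLs switch to gate it), which is why the opai.dll entry in the ComboFix log above is the one worth clearing. As an added example, not code from ComboFix or from the forum helper, the Python below parses the "Reg Loading Points" section of a ComboFix-style log, reports any DLL listed under AppInit_DLLs, and builds the same fix.reg text posted in the instructions. The sample lines are a constructed excerpt modelled on the log in this thread, and the function names are this example's own.

```python
"""Spot AppInit_DLLs loading points in a ComboFix-style log and build the fix.reg.

Added example for this thread; not code from ComboFix or from the forum helper.
"""
import re

# Constructed sample: an excerpt modelled on the "Reg Loading Points" section
# of the log posted above (only a few entries kept).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\opai.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm
"""

# Key that holds AppInit_DLLs; every DLL listed here is loaded by user32.dll
# into each process that links user32 (on XP there is no LoadAppInit_DLLs gate).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Matches:  "Name"=data   /   "Name"="data" [date size]   /   "Name"= data
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"?(.*?)"?\s*(?:\[[^\]]*\])?$')


def parse_reg_loading_points(log_text):
    """Return {key_path: {value_name: data}} from the REGEDIT4-style section."""
    entries = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            entries[current][value_match.group(1)] = value_match.group(2).strip()
    return entries


def find_appinit_dlls(entries):
    """List the DLL paths set in AppInit_DLLs (key path compared case-insensitively).

    The value is space- or comma-separated, so a path containing spaces would
    have to be written as an 8.3 short name to load at all.
    """
    for key, values in entries.items():
        if key.lower() == APPINIT_KEY.lower():
            data = values.get("AppInit_DLLs", "")
            return [p for p in re.split(r"[ ,]+", data) if p]
    return []


def make_fix_reg(key=APPINIT_KEY):
    """Build the .reg text that empties AppInit_DLLs, as in the helper's fix.reg."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{key}]\r\n"
        '"AppInit_DLLs"=""\r\n'
    )


def report(log_text):
    """Return human-readable findings for the log; an empty list means nothing flagged."""
    dlls = find_appinit_dlls(parse_reg_loading_points(log_text))
    return [f"AppInit_DLLs injects {dll} into every user32-linked process" for dll in dlls]


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
    if report(SAMPLE_LOG):
        print("\nfix.reg to clear the value:\n" + make_fix_reg())
```

Run it on a full log pasted into SAMPLE_LOG (or read from a file) and the report is empty once the value has been cleared, which is a quick way to confirm that the merged fix.reg actually took effect before re-running ComboFix.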

Solved Re: Please help with trojan.zlob.g!!!

Post by Doctor Inferno on 24th January 2009, 10:23 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

