Trojan.Zlob.G HijackThis + ComboFix


Solved Trojan.Zlob.G HijackThis + ComboFix

Post by Skitta on 11th December 2008, 1:14 am

After looking through some other threads I've taken the liberty of installing and scanning with both of these. I recognize some things in the log, but SuperAntiSpyware and AVG have both failed to clean them. Here are the logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:58 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jon\Desktop\HiJack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GetModule30] "C:\Program Files\GetModule\GetModule30.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Jon\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 7092 bytes


Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Skitta on 11th December 2008, 1:14 am

ComboFix 08-12-09.03 - Jon 2008-12-10 17:07:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1352 [GMT -8:00]
Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jon\Application Data\gadcom
c:\documents and settings\Jon\Application Data\gadcom\merman.exe
c:\documents and settings\Jon\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\8ryK1358.exe.a_a
c:\windows\system32\m057OJ70.exe.a_a
c:\windows\wiaserviv.log
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-10 17:02 . 2008-12-10 17:02 389,120 --a------ c:\windows\system32\CF29520.exe
2008-12-10 16:06 . 2008-12-10 16:06 d-------- c:\program files\SUPERAntiSpyware
2008-12-10 16:06 . 2008-12-10 16:06 d-------- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com
2008-12-10 16:06 . 2008-12-10 16:06 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-10 15:57 . 2008-12-10 15:57 d-------- c:\documents and settings\Jon\Application Data\PC Tools
2008-12-10 10:02 . 2008-12-10 15:52 d-------- c:\program files\Spyware Doctor
2008-12-10 10:02 . 2008-12-10 10:02 d-------- c:\program files\Common Files\Download Manager
2008-12-10 10:02 . 2008-06-10 21:22 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-10 10:02 . 2008-06-02 15:19 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-10 10:02 . 2008-06-02 15:19 42,376 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-10 10:02 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-11-20 12:44 . 2008-11-20 12:44 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-11-15 21:19 . 2008-11-15 21:19 d-------- c:\program files\Ventrilo
2008-11-15 21:18 . 2008-11-15 21:19 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-12 05:07 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 05:07 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 01:04 --------- d-----w c:\documents and settings\Jon\Application Data\.purple
2008-12-11 00:45 --------- d-----w c:\documents and settings\Jon\Application Data\OpenOffice.org2
2008-12-11 00:05 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 00:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-10 23:57 --------- d-----w c:\program files\Xfire
2008-12-10 23:57 --------- d-----w c:\documents and settings\Jon\Application Data\Xfire
2008-12-10 23:57 --------- d-----w c:\documents and settings\Jon\Application Data\uTorrent
2008-12-10 23:53 --------- d-----w c:\documents and settings\Jon\Application Data\DAEMON Tools
2008-12-10 23:52 --------- d-----w c:\documents and settings\Jon\Application Data\gtk-2.0
2008-12-10 23:50 --------- d-----w c:\documents and settings\Jon\Application Data\LimeWire
2008-12-09 03:54 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-09 03:54 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-20 05:11 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
2008-11-16 05:19 --------- d-----w c:\documents and settings\Jon\Application Data\Ventrilo
2008-11-11 03:44 22,328 ----a-w c:\documents and settings\Jon\Application Data\PnkBstrK.sys
2008-11-11 03:43 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-11-11 03:43 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-11 03:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 03:32 --------- d-----w c:\program files\Activision
2008-11-09 09:53 --------- d-----w c:\documents and settings\Jon\Application Data\Red Alert 3
2008-10-31 00:07 --------- d-----w c:\documents and settings\Jon\Application Data\Bioshock
2008-10-30 19:31 --------- d-----w c:\program files\DAEMON Tools Lite
2008-10-30 19:16 --------- d-----w c:\program files\Bethesda Softworks
2008-10-30 18:51 --------- d-----w c:\program files\DAEMON Tools Toolbar
2008-10-28 05:36 --------- d-----w c:\documents and settings\Jon\Application Data\mIRC
2008-10-28 05:11 --------- d-----w c:\program files\mIRC
2008-10-28 01:58 --------- d-----w c:\program files\AGEIA Technologies
2008-10-28 01:49 --------- d-----w c:\program files\SystemRequirementsLab
2008-10-28 01:49 --------- d-----w c:\documents and settings\Jon\Application Data\SystemRequirementsLab
2008-10-27 18:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 18:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 18:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 18:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-14 15:43 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-10 12:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 12:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 12:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 17:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-28 09:06 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"WinDNN"="c:\documents and settings\Jon\Application Data\Google\klnxv19819115.exe" [2008-12-09 123392]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"razer"="c:\program files\Razer\razerhid.exe" [2005-05-17 147456]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\Jon\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]
Xfire.lnk - c:\program files\Xfire\xfire.exe [2008-11-20 2986320]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053\Belkinwcui.exe [2007-07-02 1728512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-12 16:05 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Documents and Settings\\Jon\\Local Settings\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=
"c:\\Games\\Valve\\Steam\\SteamApps\\captainskittles\\counter-strike source\\hl2.exe"=
"c:\games\Combat Arms\CombatArms.exe"= c:\games\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\games\Combat Arms\Engine.exe"= c:\games\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\Jon\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Games\\Valve\\Steam\\SteamApps\\captainskittles\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Games\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Games\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Games\\Valve\\Steam\\SteamApps\\captainskittles\\age of chivalry\\hl2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Games\\Combat Arms\\NMService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-28 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-09-28 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-28 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-09-28 76040]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2007-05-09 503680]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\Drivers\Razerlow.sys [2008-03-21 13225]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-10 356920]
S3 XDva120;XDva120;\??\c:\windows\system32\XDva120.sys []

*Newly Created Service* - PROCEXP90
.


Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Skitta on 11th December 2008, 1:15 am

.
Contents of the 'Scheduled Tasks' folder

2008-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-10 c:\windows\Tasks\At1.job
- c:\windows\system32\8ryK1358.exe []

2008-12-07 c:\windows\Tasks\At10.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At11.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At12.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At13.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At14.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At15.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At16.job
- c:\windows\system32\8ryK1358.exe []

2008-12-11 c:\windows\Tasks\At17.job
- c:\windows\system32\8ryK1358.exe []

2008-12-11 c:\windows\Tasks\At18.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At19.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At2.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At20.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At21.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At22.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At23.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At24.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At25.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At26.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At27.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At28.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At29.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At3.job
- c:\windows\system32\8ryK1358.exe []

2008-12-07 c:\windows\Tasks\At30.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At31.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At32.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At33.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At34.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At35.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At36.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At37.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At38.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At39.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At4.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At40.job
- c:\windows\system32\m057OJ70.exe []

2008-12-11 c:\windows\Tasks\At41.job
- c:\windows\system32\m057OJ70.exe []

2008-12-11 c:\windows\Tasks\At42.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At43.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At44.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At45.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At46.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At47.job
- c:\windows\system32\m057OJ70.exe []

2008-12-10 c:\windows\Tasks\At48.job
- c:\windows\system32\m057OJ70.exe []

2008-12-07 c:\windows\Tasks\At5.job
- c:\windows\system32\8ryK1358.exe []

2008-12-07 c:\windows\Tasks\At6.job
- c:\windows\system32\8ryK1358.exe []

2008-12-07 c:\windows\Tasks\At7.job
- c:\windows\system32\8ryK1358.exe []

2008-12-07 c:\windows\Tasks\At8.job
- c:\windows\system32\8ryK1358.exe []

2008-12-07 c:\windows\Tasks\At9.job
- c:\windows\system32\8ryK1358.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-GetModule30 - c:\program files\GetModule\GetModule30.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
FireFox -: Profile - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\
FF -: plugin - c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - c:\documents and settings\Jon\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0806260_SUA_900\npoctoshape.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-10 17:08:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\avgrsstx.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-10 17:10:15
ComboFix-quarantined-files.txt 2008-12-11 01:09:26

Pre-Run: 66,302,812,160 bytes free
Post-Run: 68,867,272,704 bytes free

318 --- E O F --- 2008-12-10 17:58:04

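As an added triage example (not code from this thread, nor from the HijackThis, ComboFix or OTMoveIt authors): a Python script that parses O4 Run lines in HijackThis format and the Scheduled Tasks listing in ComboFix format, using constructed sample lines shaped like the logs posted above, and flags the two persistence patterns visible in this thread: an autostart entry whose binary lives under the user's Application Data folder and carries an opaque hex argument, and a run of At*.job tasks all pointing at the same random-named executable in system32 with no timestamp recorded for the target. The regexes, the user-writable-path pattern, the hex-blob test and the two-task threshold are my own heuristics, not anything the tools themselves implement.

```python
import re
from collections import defaultdict

# Constructed sample input, shaped like the HijackThis O4 lines in the first log above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [GetModule30] "C:\Program Files\GetModule\GetModule30.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Jon\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

# Constructed sample input, shaped like the ComboFix "Scheduled Tasks" listing above.
TASKS_SAMPLE = r"""
2008-12-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-10 c:\windows\Tasks\At1.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At2.job
- c:\windows\system32\8ryK1358.exe []

2008-12-10 c:\windows\Tasks\At25.job
- c:\windows\system32\m057OJ70.exe []
"""

# "O4 - HKCU\..\Run: [name] command" (also matches the HKUS\<SID>\..\RunOnce form).
O4_RE = re.compile(r"^O4 - (?P<hive>HK.*?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# ComboFix prints "<date> <job path>" followed by "- <target> [<timestamp or empty>]".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S+\.job)$")
TARGET_RE = re.compile(r"^- (?P<path>.+?) \[(?P<info>[^\]]*)\]$")

# Heuristics (my assumptions): per-user data folders are writable without admin
# rights, and a long bare hex string as a Run-key argument is unusual for legitimate software.
USER_WRITABLE = re.compile(r"\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)
HEX_BLOB = re.compile(r"\b[0-9A-F]{32,}\b")


def split_command(cmd):
    """Split an O4 command into (executable, arguments); quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage_run_keys(text):
    """Return the O4 Run entries that match one of the persistence heuristics."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m["cmd"])
        reasons = []
        if USER_WRITABLE.search(m["cmd"]):  # whole command, so rundll32 DLL paths count too
            reasons.append("autostart binary under a user-profile data folder")
        if HEX_BLOB.search(args):
            reasons.append("opaque hex argument on the command line")
        if reasons:
            findings.append({"kind": "run", "name": m["name"], "path": exe, "reasons": reasons})
    return findings


def parse_tasks(text):
    """Pair each '<date> <job>' line with the '- <target> [<info>]' line that follows it."""
    tasks, job = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TASK_RE.match(line)
        if m:
            job = m["job"]
            continue
        t = TARGET_RE.match(line)
        if t and job:
            tasks.append({"job": job, "target": t["path"], "info": t["info"]})
            job = None
    return tasks


def triage_tasks(text, threshold=2):
    """Group tasks by target binary and flag At*.job fan-out and targets with no timestamp."""
    by_target = defaultdict(list)
    for t in parse_tasks(text):
        by_target[t["target"].lower()].append(t)
    findings = []
    for group in by_target.values():
        jobs = [t["job"] for t in group]
        at_jobs = [j for j in jobs if re.search(r"\\At\d+\.job$", j, re.I)]
        reasons = []
        if len(at_jobs) >= threshold:
            reasons.append(f"{len(at_jobs)} At*.job tasks point at the same binary")
        if all(t["info"] == "" for t in group):
            reasons.append("no timestamp recorded for the target")
        if reasons:
            findings.append({"kind": "task", "path": group[0]["target"], "jobs": jobs, "reasons": reasons})
    return findings


def triage(hjt_text, tasks_text):
    """Combined report over both log formats."""
    return triage_run_keys(hjt_text) + triage_tasks(tasks_text)


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, TASKS_SAMPLE):
        print(f["kind"], f["path"], "->", "; ".join(f["reasons"]))
```

On the constructed sample the report names only the gadcom Run entry and the two system32 binaries behind the At*.job tasks; the AVG, NVIDIA, GetModule and SUPERAntiSpyware entries pass, which is the point of the heuristics: they narrow a long log to the lines a helper would ask about, not replace the helper's judgement.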

Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Belahzur on 11th December 2008, 1:22 am

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    c:\documents and settings\Jon\Application Data\Google\klnxv19819115.exe
    c:\windows\Tasks\At*.job
    c:\windows\system32\m057OJ70.exe
    c:\windows\system32\8ryK1358.exe

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinDNN"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Skitta on 11th December 2008, 4:06 am

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\documents and settings\Jon\Application Data\Google\klnxv19819115.exe moved successfully.
c:\windows\Tasks\At1.job moved successfully.
c:\windows\Tasks\At10.job moved successfully.
c:\windows\Tasks\At11.job moved successfully.
c:\windows\Tasks\At12.job moved successfully.
c:\windows\Tasks\At13.job moved successfully.
c:\windows\Tasks\At14.job moved successfully.
c:\windows\Tasks\At15.job moved successfully.
c:\windows\Tasks\At16.job moved successfully.
c:\windows\Tasks\At17.job moved successfully.
c:\windows\Tasks\At18.job moved successfully.
c:\windows\Tasks\At19.job moved successfully.
c:\windows\Tasks\At2.job moved successfully.
c:\windows\Tasks\At20.job moved successfully.
c:\windows\Tasks\At21.job moved successfully.
c:\windows\Tasks\At22.job moved successfully.
c:\windows\Tasks\At23.job moved successfully.
c:\windows\Tasks\At24.job moved successfully.
c:\windows\Tasks\At25.job moved successfully.
c:\windows\Tasks\At26.job moved successfully.
c:\windows\Tasks\At27.job moved successfully.
c:\windows\Tasks\At28.job moved successfully.
c:\windows\Tasks\At29.job moved successfully.
c:\windows\Tasks\At3.job moved successfully.
c:\windows\Tasks\At30.job moved successfully.
c:\windows\Tasks\At31.job moved successfully.
c:\windows\Tasks\At32.job moved successfully.
c:\windows\Tasks\At33.job moved successfully.
c:\windows\Tasks\At34.job moved successfully.
c:\windows\Tasks\At35.job moved successfully.
c:\windows\Tasks\At36.job moved successfully.
c:\windows\Tasks\At37.job moved successfully.
c:\windows\Tasks\At38.job moved successfully.
c:\windows\Tasks\At39.job moved successfully.
c:\windows\Tasks\At4.job moved successfully.
c:\windows\Tasks\At40.job moved successfully.
c:\windows\Tasks\At41.job moved successfully.
c:\windows\Tasks\At42.job moved successfully.
c:\windows\Tasks\At43.job moved successfully.
c:\windows\Tasks\At44.job moved successfully.
c:\windows\Tasks\At45.job moved successfully.
c:\windows\Tasks\At46.job moved successfully.
c:\windows\Tasks\At47.job moved successfully.
c:\windows\Tasks\At48.job moved successfully.
c:\windows\Tasks\At5.job moved successfully.
c:\windows\Tasks\At6.job moved successfully.
c:\windows\Tasks\At7.job moved successfully.
c:\windows\Tasks\At8.job moved successfully.
c:\windows\Tasks\At9.job moved successfully.
File/Folder c:\windows\system32\m057OJ70.exe not found.
File/Folder c:\windows\system32\8ryK1358.exe not found.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WinDNN deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jqm60oKCbJDDLTWIdIBX scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\~DF7250.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12102008_195957

Files moved on Reboot...
File C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jqm60oKCbJDDLTWIdIBX not found!
C:\DOCUME~1\Jon\LOCALS~1\Temp\~DF7250.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Jon\Local Settings\Application Data\Mozilla\Firefox\Profiles\8lj40kzt.default\XUL.mfl moved successfully.


Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Belahzur on 11th December 2008, 4:57 pm

Looks good now, what problems remain?



Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Skitta on 12th December 2008, 1:27 am

None. I appreciate your help, you're the best.


Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Belahzur on 12th December 2008, 1:35 am

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs, and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop-down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions.
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

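An added example, not part of the thread and not code from JavaRa or the Java installer: it reads the same Add or Remove Programs uninstall entries the post walks through, and flags every Java runtime older than JRE 6 Update 11 so the removal step can be checked before and after. It assumes the DisplayName formats quoted in the post (the version parsing is this example's own convention, not Sun's installer versioning) and a PowerShell session that can read HKLM.

```powershell
# Added example, not part of the thread: list Java runtimes registered in
# Add or Remove Programs and flag those older than JRE 6 Update 11 (1.6.0_11).
# Assumes the DisplayName formats quoted in the post; the version mapping is
# this example's own convention, not Sun's installer versioning.

$target = [version]'1.6.0.11'

# Map a DisplayName string to a [version] (1.major.minor.update); $null if not Java.
function ConvertTo-JavaVersion {
    param([string]$DisplayName)
    # "Java(TM) 6 Update 11", "Java(TM) SE Runtime Environment 6 Update 1"
    if ($DisplayName -match '^Java\(TM\)(?: SE)?(?: Runtime Environment)? (\d+)(?: Update (\d+))?') {
        $u = 0; if ($matches[2]) { $u = [int]$matches[2] }
        return [version]"1.$($matches[1]).0.$u"
    }
    # "J2SE Runtime Environment 5.0 Update 2"
    if ($DisplayName -match '^J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?') {
        $u = 0; if ($matches[3]) { $u = [int]$matches[3] }
        return [version]"1.$($matches[1]).$($matches[2]).$u"
    }
    # "Java 2 Runtime Environment, SE v1.4.2"
    if ($DisplayName -match '^Java 2 Runtime Environment, SE v(\d+\.\d+\.\d+)') {
        return [version]"$($matches[1]).0"
    }
    return $null
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 64-bit hosts only
)

$javaEntries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        if (-not $p.DisplayName) { continue }
        $v = ConvertTo-JavaVersion $p.DisplayName
        if ($v) {
            New-Object PSObject -Property @{
                Name      = $p.DisplayName
                Version   = $v
                Outdated  = ($v -lt $target)
                Uninstall = $p.UninstallString   # the command Add or Remove Programs runs
            }
        }
    }
}

# Entries flagged Outdated are the ones the post says to remove before installing 6u11.
$javaEntries | Sort-Object Version | Format-Table Name, Version, Outdated -AutoSize
```

Run it once before the uninstall pass and again after the reboot: a clean result is an empty table or a single entry at or above 1.6.0.11.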

Solved Re: Trojan.Zlob.G HijackThis + ComboFix

Post by Doctor Inferno on 15th January 2009, 8:27 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

