Trojan.ZlobG


Solved Trojan.ZlobG

Post by decojr on 11th December 2008, 2:38 am

Keep getting a message from Windows firewall saying I'm suffering from Trojan.Zlob.G, and then it gives me a link to download some fake malware removal. Also, when I try to open a web page I see "Insecure internet security. Threat of Virus Attack". I've read the posts and see that others are suffering from similar problems. I've noticed the virus name changes for some people, though. Please help me.

Here is my combofix log:


ComboFix 08-12-09.03 - stepahnie 2008-12-10 21:00:27.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.0.1252.1.1033.18.361 [GMT -5:00]
Running from: c:\users\stepahnie\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\stepahnie\AppData\Roaming\inst.exe
c:\windows\system32\MabryObj.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-10 02:52 . 2008-06-22 20:59 2,868,736 --a--c--- c:\windows\System32\mf.dll
2008-12-10 02:52 . 2008-06-22 20:59 996,352 --a--c--- c:\windows\System32\WMNetMgr.dll
2008-12-10 02:52 . 2008-06-22 20:58 94,720 --a--c--- c:\windows\System32\logagent.exe
2008-12-10 02:37 . 2008-10-21 00:25 296,960 --a--c--- c:\windows\System32\gdi32.dll
2008-12-10 02:35 . 2008-10-29 01:29 2,927,104 --a--c--- c:\windows\explorer.exe
2008-12-10 01:39 . 2008-12-10 20:41 d----c--- c:\program files\Panda Security
2008-12-09 03:58 . 2008-12-09 03:58 d----c--- c:\program files\Common Files\Wise Installation Wizard
2008-12-08 20:05 . 2008-12-08 20:05 d----c--- c:\users\All Users\WindowsSearch
2008-12-08 20:05 . 2008-12-08 20:05 d----c--- c:\programdata\WindowsSearch
2008-12-08 19:29 . 2008-12-08 19:29 d--h-c--- c:\windows\PIF
2008-12-08 19:19 . 2008-12-08 19:19 109,744 --a--c--- c:\windows\System32\drivers\SYMEVENT.SYS
2008-12-08 19:19 . 2008-12-08 19:19 8,014 --a--c--- c:\windows\System32\drivers\SYMEVENT.CAT
2008-12-08 19:19 . 2008-12-08 19:19 805 --a--c--- c:\windows\System32\drivers\SYMEVENT.INF
2008-12-08 19:18 . 2008-12-08 19:18 d----c--- c:\program files\Symantec AntiVirus
2008-12-08 04:01 . 2008-12-08 04:01 d----c--- c:\users\stepahnie\AppData\Roaming\Malwarebytes
2008-12-08 04:01 . 2008-12-08 04:01 d----c--- c:\users\All Users\Malwarebytes
2008-12-08 04:01 . 2008-12-08 04:01 d----c--- c:\programdata\Malwarebytes
2008-12-08 04:01 . 2008-12-08 04:01 d----c--- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 04:01 . 2008-12-03 19:53 38,496 --a--c--- c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-08 04:01 . 2008-12-03 19:53 15,504 --a--c--- c:\windows\System32\drivers\mbam.sys
2008-12-08 02:43 . 2008-02-22 23:38 170,496 --a--c--- c:\windows\System32\tcpipcfg.dll
2008-12-08 02:43 . 2008-02-22 21:41 22,528 --a--c--- c:\windows\System32\netiougc.exe
2008-12-08 02:42 . 2008-12-08 02:42 d----c--- c:\program files\Zone Labs
2008-12-08 02:42 . 2008-08-21 20:41 1,221,008 --a--c--- c:\windows\System32\zpeng25.dll
2008-12-08 02:40 . 2008-12-08 02:42 d----c--- c:\windows\System32\ZoneLabs
2008-12-08 02:40 . 2008-12-10 19:05 348,371 --ah-c--- c:\windows\System32\drivers\vsconfig.xml
2008-12-08 02:40 . 2008-08-21 20:42 294,288 --a--c--- c:\windows\System32\drivers\vsdatant.sys
2008-12-07 16:19 . 2008-12-07 16:19 d----c--- c:\users\stepahnie\AppData\Roaming\Grisoft
2008-12-07 16:18 . 2008-12-07 16:18 d----c--- c:\users\All Users\Grisoft
2008-12-07 16:18 . 2008-12-07 16:18 d----c--- c:\programdata\Grisoft
2008-12-07 16:18 . 2007-05-30 07:10 10,872 --a--c--- c:\windows\System32\drivers\AvgAsCln.sys
2008-12-07 13:07 . 2008-05-27 00:18 350,208 --a--c--- c:\windows\System32\mssph.dll
2008-12-07 13:07 . 2008-05-27 00:18 203,776 --a--c--- c:\windows\System32\mssphtb.dll
2008-12-06 19:03 . 2008-12-06 19:03 d----c--- C:\PerfLogs
2008-12-06 17:49 . 2008-12-06 18:05 d----c--- c:\program files\Eusing Free Registry Cleaner
2008-12-04 19:16 . 2008-12-04 19:16 d----c--- c:\program files\CCleaner
2008-12-04 17:43 . 2008-12-08 17:57 d----c--- c:\program files\Alwil Software
2008-11-29 00:51 . 2008-11-29 00:51 d----c--- c:\program files\Common Files\Apple
2008-11-29 00:48 . 2008-11-29 00:48 d----c--- c:\users\All Users\Apple
2008-11-29 00:48 . 2008-11-29 00:48 d----c--- c:\programdata\Apple
2008-11-29 00:48 . 2008-11-29 00:48 d----c--- c:\program files\Apple Software Update
2008-11-28 14:50 . 2008-11-28 14:50 dr---c--- c:\windows\System32\config\systemprofile\Music
2008-11-26 19:23 . 2008-10-21 00:25 1,645,568 --a--c--- c:\windows\System32\connect.dll
2008-11-26 19:23 . 2008-08-27 22:40 712,704 --a--c--- c:\windows\System32\WindowsCodecs.dll
2008-11-26 19:23 . 2008-08-27 22:40 425,472 --a--c--- c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 19:23 . 2008-08-27 22:40 347,136 --a--c--- c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 19:23 . 2008-10-21 22:57 241,152 --a--c--- c:\windows\System32\PortableDeviceApi.dll
2008-11-26 19:23 . 2008-01-19 02:36 160,768 --a--c--- c:\windows\System32\PortableDeviceTypes.dll
2008-11-26 19:23 . 2008-01-19 02:36 94,720 --a--c--- c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-13 22:08 . 2008-12-08 23:41 d----c--- c:\program files\TVAnts
2008-11-13 20:14 . 2008-11-13 20:14 d----c--- c:\windows\Sun
2008-11-13 20:07 . 2008-10-16 16:13 1,809,944 --a--c--- c:\windows\System32\wuaueng.dll
2008-11-13 20:07 . 2008-10-16 15:56 1,524,736 --a--c--- c:\windows\System32\wucltux.dll
2008-11-13 20:07 . 2008-10-16 16:12 561,688 --a--c--- c:\windows\System32\wuapi.dll
2008-11-13 20:07 . 2008-10-16 15:55 83,456 --a--c--- c:\windows\System32\wudriver.dll
2008-11-13 20:07 . 2008-10-16 16:09 51,224 --a--c--- c:\windows\System32\wuauclt.exe
2008-11-13 20:07 . 2008-10-16 16:09 43,544 --a--c--- c:\windows\System32\wups2.dll
2008-11-13 20:07 . 2008-10-16 16:08 34,328 --a--c--- c:\windows\System32\wups.dll
2008-11-13 20:06 . 2008-10-16 14:08 162,064 --a--c--- c:\windows\System32\wuwebv.dll
2008-11-13 20:06 . 2008-10-16 13:56 31,232 --a--c--- c:\windows\System32\wuapp.exe
2008-11-12 17:35 . 2008-08-26 20:05 212,480 --a--c--- c:\windows\System32\drivers\mrxsmb10.sys
2008-11-11 15:27 . 2008-09-05 00:14 1,191,936 --a--c--- c:\windows\System32\msxml3.dll
2008-11-11 15:26 . 2008-09-09 22:40 1,334,272 --a--c--- c:\windows\System32\msxml6.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 02:00 --------- dc--a-w c:\programdata\TEMP
2008-12-09 09:36 --------- dc----w c:\programdata\Spybot - Search & Destroy
2008-12-09 00:20 --------- dc----w c:\programdata\Symantec
2008-12-09 00:19 --------- dc----w c:\program files\Symantec
2008-12-09 00:19 --------- dc----w c:\program files\Common Files\Symantec Shared
2008-12-07 00:15 174 --sha-w c:\program files\desktop.ini
2008-12-07 00:05 --------- dc----w c:\program files\Windows Sidebar
2008-12-07 00:05 --------- dc----w c:\program files\Windows Photo Gallery
2008-12-07 00:05 --------- dc----w c:\program files\Windows Mail
2008-12-07 00:05 --------- dc----w c:\program files\Windows Journal
2008-12-07 00:05 --------- dc----w c:\program files\Windows Defender
2008-12-07 00:05 --------- dc----w c:\program files\Windows Calendar
2008-12-07 00:05 --------- d-----w c:\program files\Windows Collaboration
2008-12-06 23:47 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-12-06 23:47 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-12-06 07:34 --------- dc----w c:\users\stepahnie\AppData\Roaming\FileMaker
2008-12-06 07:34 --------- dc----w c:\users\stepahnie\AppData\Roaming\Download Manager
2008-12-06 07:34 --------- dc----w c:\users\stepahnie\AppData\Roaming\CyberLink
2008-12-06 07:34 --------- dc----w c:\users\stepahnie\AppData\Roaming\Amazon
2008-12-06 07:34 --------- dc----w c:\users\stepahnie\AppData\Roaming\acccore
2008-12-05 06:55 --------- dc----w c:\programdata\WholeSecurity
2008-12-04 17:52 --------- dc----w c:\program files\Spybot - Search & Destroy
2008-12-02 10:07 --------- dc----w c:\program files\StudySmart
2008-11-29 05:51 --------- dc----w c:\program files\QuickTime
2008-11-29 05:50 --------- dc----w c:\programdata\Apple Computer
2008-11-27 17:01 --------- dc----w c:\programdata\Microsoft Help
2008-11-14 02:48 --------- dc----w c:\users\stepahnie\AppData\Roaming\SopCast
2008-11-03 20:38 32,132,615 -c--a-w c:\users\stepahnie\Symantec AV - Ver. 10.2 - Vista (32 bit) - unmanaged - 01MAR.exe
2008-10-30 21:01 --------- dc----w c:\program files\Amazon
2008-10-30 16:42 --------- dc----w c:\program files\Microsoft Works
2008-10-02 03:49 827,392 -c--a-w c:\windows\System32\wininet.dll
2008-09-30 21:43 1,286,152 -c--a-w c:\windows\System32\msxml4.dll
2008-09-18 05:09 3,601,464 -c--a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 -c--a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 -c--a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 -c--a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 -c--a-w c:\windows\System32\win32k.sys
2007-11-28 04:00 8 -c--a-w c:\users\stepahnie\AppData\Roaming\usb.dat.bin
2007-11-26 16:56 47,360 -c--a-w c:\users\stepahnie\AppData\Roaming\pcouffin.sys
2007-07-01 23:48 0 -c--a-w c:\users\stepahnie\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

decojr
Novice

Posts : 11
Joined : 2008-12-11
OS : Windows Vista
Points : 29200
# Likes : 0

Solved Re: Trojan.ZlobG

Post by decojr on 11th December 2008, 2:41 am

HERE IS THE REST OF THE LOG FROM COMBO FIX

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smax4v"="c:\users\stepahnie\AppData\Roaming\Google\windep.exe" [2008-12-06 128000]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-21 981904]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Compaq Connections.lnk]
backup=c:\windows\pss\Compaq Connections.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^stepahnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^stepahnie^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a--c--- 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 15:21 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
--a--c--- 2008-06-12 14:37 50520 c:\users\stepahnie\AppData\Roaming\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2007-11-20 16:40 731136 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a--c--- 2008-01-19 02:33 125952 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-11-06 04:05 106496 c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
--a--c--- 2007-06-05 11:12 71176 c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 02:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
--a------ 2006-10-18 12:32 472800 c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2006-11-06 04:02 98304 c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-11-06 04:02 81920 c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-11-06 13:58 159744 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--a------ 2006-12-02 19:32 167936 c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-07 02:43 77824 c:\program files\Java\jre1.6.0\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-11-15 01:02 815104 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-03 01:36 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
--a------ 2006-10-18 12:56 317152 c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a--c--- 2008-01-19 02:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a--c--- 2007-06-11 20:16 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)


Solved Trojan.ZlobG

Post by decojr on 11th December 2008, 2:42 am

AND THIS IS THE LAST OF THE COMBO FIX LOG


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{912E4D46-9443-4355-BFFD-FB17D1033BBB}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{88E37DE1-BF38-4EAF-9FE1-518E9C159753}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A03BCDD1-BC60-4290-B48B-B85FE0EE7605}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{F0484DEF-8161-4100-BC94-B92C63F6C992}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{117D3D41-9CBC-4A77-8F6F-FD23E365AB86}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{591AC6C7-9C04-4FC7-A1D7-860D35446253}"= c:\program files\Compaq Connections\3572475\Program\Compaq Connections:Compaq Connections
"{CF896297-B062-46A0-9418-340FAACC54EB}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{C3270D6A-EBA1-48AF-B455-D06CEB6E7E68}"= TCP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{B2761C83-086B-460F-B618-FC413E458717}"= UDP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{63836B04-D758-4976-98BF-91A26EA796F5}"= TCP:c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe:Compaq Connections
"{1728CC25-CFF7-4DE1-922A-B761022F0C74}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{602094BE-385C-4951-A490-686FB9257ECF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{75D4F8F0-3B32-4451-B767-AC96FEC0289E}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6A0DEB76-5B19-4418-A0BB-06F266E551C6}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3AF834DA-4EDF-4596-8A60-07C784A5D13F}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{18D85347-A6E7-48C4-8DEB-A18714534CA5}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{48F53658-4F05-4BC5-B0E9-1292260D79A3}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FD5E27EC-5210-4FE6-82DF-8EF0F7E2F618}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{BDD2E88D-EFDB-48DA-98F5-8565EE44ECE8}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{0EC65DB1-69E3-4BEC-A27D-D23970516923}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3801A64E-73F1-425C-9949-696869046D85}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{85482554-61DE-4831-BFA9-BC8CAFC4B0B9}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{E08442CB-09D4-4F81-8961-1026F69F62B4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2375684C-D408-4C4B-9B16-CCCD65FFD758}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A5CF0C84-7D6A-44F6-A032-21468B924DF7}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{6B16D9C8-8E9A-4549-9571-825A79B479D9}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{5FF0AA66-D02A-409C-944A-862368DE09B8}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"TCP Query User{5374904A-09D6-48B4-81C0-609F47ACCD37}c:\\users\\stepahnie\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= UDP:c:\users\stepahnie\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"UDP Query User{4DCDE70C-C20A-4F8F-B806-789FB2E32392}c:\\users\\stepahnie\\appdata\\roaming\\sopcast\\adv\\sopadver.exe"= TCP:c:\users\stepahnie\appdata\roaming\sopcast\adv\sopadver.exe:sopadver.exe
"TCP Query User{681E3168-1D4D-49FC-AF98-42A31A936A8B}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{5339DAAE-F675-40BF-A19E-7C0BC3B86087}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{DC8B52A8-1607-4CC0-98AC-791BB92A16B6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{21195A60-3239-4AD4-8A9B-8EC33238D8F6}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C93AFDFE-ECE0-40BF-8C2A-D3B30A44A9D4}c:\\program files\\rhapsody\\rhapsody.exe"= UDP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{C849CF94-A3E6-48B7-B8F2-4047B772A35F}c:\\program files\\rhapsody\\rhapsody.exe"= TCP:c:\program files\rhapsody\rhapsody.exe:RealNetworks Rhapsody
"TCP Query User{FA46EDC6-D8FF-488E-9082-FE18F7A1F3A6}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{ED7D791A-671F-4FB0-AA6F-461D6A534DDC}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{96D732B5-AD4A-4D38-B905-B8E4522A1B29}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{B0121ACF-CA68-43E2-A280-0E1F83A45E43}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{AF5E16A8-1D55-46B9-8F75-A09FC326D416}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{249050C8-545E-4FCF-9BE3-06694E823EF5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2800CD59-0AF2-47F5-891C-80ED251D009A}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{89DCF05B-8BB1-458B-9CB8-75B3F4601095}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{69710386-4344-4E06-81A6-A4276266C1F3}"= UDP:c:\users\stepahnie\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{B13B595E-AAD5-4F15-8C5F-CB980BF0934E}"= TCP:c:\users\stepahnie\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{834853B5-6B23-49B1-BF59-64F5CC94AB43}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{022E4F72-5570-4D23-A4F2-C3EE83166BB2}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{514178C2-CDE6-433D-A8FE-81DA9626C874}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{38DCAD1A-B254-4513-99E2-C0C33CCE9F42}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{DB4A0F0E-A1A9-441A-9F5D-B5C2AD8A0A42}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{43D7AF82-7E83-4D63-A0A6-850BEFF05F7A}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{7E088C65-631E-4B4E-8152-8F5554617045}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7617604E-9A63-4A97-9C10-9818D4766BFE}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{64F90B84-F66E-4646-8F2D-C801E02508DD}"= UDP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{18F7457C-AA89-419D-B41E-F8A245236864}"= TCP:c:\program files\Alwil Software\Avast4\ashAvast.exe:avast! Antivirus
"{50217275-BAC3-4356-916E-414722DDF548}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{5389BCC0-43BD-4113-AB4E-6FA3B9357764}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{EC8B0028-5545-4A33-8825-463F75C0BA12}"= UDP:c:\program files\LG Software Innovations\1Click DVD Copy 5\1ClickDvdCopy.exe:1Click DVD Copy
"{45243EE0-46F0-4875-94E0-F1B2E9630932}"= TCP:c:\program files\LG Software Innovations\1Click DVD Copy 5\1ClickDvdCopy.exe:1Click DVD Copy

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\program files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch

"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\program files\ExamSoft\SofTest.exe:*:Enabled:SofTest

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-08 99376]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-01-19 3768]
S3 AMQHAZK;AMQHAZK;c:\users\STEPAH~1\AppData\Local\Temp\AMQHAZK.exe []
S3 JAIDYEKPQD;JAIDYEKPQD;c:\users\STEPAH~1\AppData\Local\Temp\JAIDYEKPQD.exe []
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-11-28 122008]
S4 SoundMovieServer;SoundMovieServer;"c:\windows\system32\snmvtsvc.exe" [2008-01-19 184320]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-10-11 24652]
S4 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-05-18 229856]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04d919b6-866e-11dc-98c5-0016d4e5f47f}]
\shell\AutoRun\command - F:\Autorun.exe /run
\shell\Shell00\Command - F:\Autorun.exe /run
\shell\Shell01\Command - F:\Autorun.exe /action
\shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77ecce6a-43a4-11dc-a91b-0016d4e5f47f}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{77ecce6f-43a4-11dc-a91b-0016d4e5f47f}]
\shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef8147a2-4eb4-11dd-9c8f-0016d4e5f47f}]
\shell\AutoRun\command - G:\autorun.exe
\shell\phone\command - G:\autorun.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-10 c:\windows\Tasks\User_Feed_Synchronization-{8BB152DF-5FE8-496F-ADEE-983C90779B0E}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 02:33]
.- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Octoshape Streaming Services - c:\users\stepahnie\AppData\Local\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = about:blank
uSearchURL,(Default) = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

c:\windows\Downloaded Program Files\tplayer38.ocx - O16 -: {9CA74596-B5BB-4634-971C-F0224115A15F}
[You must be registered and logged in to see this link.]
FireFox -: Profile - c:\users\stepahnie\AppData\Roaming\Mozilla\Firefox\Profiles\hrrp9dzn.default\
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF -: plugin - c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF -: plugin - c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF -: plugin - c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF -: plugin - c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF -: plugin - c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF -: plugin - c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\users\stepahnie\AppData\Local\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0808270_SUA_900\npoctoshape.dll
FF -: plugin - c:\users\stepahnie\AppData\Local\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-10 21:05:44
Windows 6.0.6001 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-10 21:07:12
ComboFix-quarantined-files.txt 2008-12-11 02:06:57

Pre-Run: 42,702,635,008 bytes free
Post-Run: 42,810,769,408 bytes free

351 --- E O F --- 2008-12-10 08:02:37


Solved Trojan.ZlobG

Post by decojr on 11th December 2008, 3:38 am

Here is the HIJACK THIS log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:39 PM, on 12/10/2008
Platform: Windows Vista (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {9CA74596-B5BB-4634-971C-F0224115A15F} (tcast control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AMQHAZK - Unknown owner - C:\Users\STEPAH~1\AppData\Local\Temp\AMQHAZK.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: JAIDYEKPQD - Unknown owner - C:\Users\STEPAH~1\AppData\Local\Temp\JAIDYEKPQD.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 6475 bytes

decojr
Novice
Novice

Posts Posts : 11
Joined Joined : 2008-12-11
OS OS : Windows Vista
Points Points : 29200
# Likes # Likes : 0

View user profile

Back to top Go down
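The two services in the O23 section above that run from the user's Temp directory under random all-caps names (AMQHAZK and JAIDYEKPQD) are the entries a malware-removal helper would single out first. As an added example, not part of the original post, the Python below scores HijackThis O23 lines on those indicators; the sample lines are copied from the log above, and the weights and threshold are assumptions of mine, not part of HijackThis.

```python
import re

# Constructed sample in the HijackThis "O23 - Service:" line format used in
# this thread (entries copied from the posted log). Not a live log.
SAMPLE_O23 = r"""
O23 - Service: AMQHAZK - Unknown owner - C:\Users\STEPAH~1\AppData\Local\Temp\AMQHAZK.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: JAIDYEKPQD - Unknown owner - C:\Users\STEPAH~1\AppData\Local\Temp\JAIDYEKPQD.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
"""

# Name and owner run up to the next " - " separator; HijackThis appends an
# optional "(file missing)" marker after the path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

FLAG_THRESHOLD = 3  # assumed cut-off: scores at or above this deserve a look


def parse_o23(log_text):
    """Return one dict per O23 line; lines of any other type are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "owner": m["owner"],
                            "path": m["path"], "missing": m["missing"] is not None})
    return entries


def score_service(entry):
    """Weighted indicators (weights are assumptions). Any one alone is weak:
    an uninstalled product also leaves 'Unknown owner' plus 'file missing',
    as the avast! entries do. The combination is what matters."""
    indicators = [
        (entry["owner"] == "Unknown owner", 1, "unknown owner"),
        (re.search(r"\\temp\\", entry["path"], re.I) is not None, 2, "runs from a Temp directory"),
        (re.fullmatch(r"[A-Z]{6,}", entry["name"]) is not None, 1, "random-looking all-caps name"),
        (entry["missing"], 1, "binary already gone (file missing)"),
    ]
    score = sum(weight for hit, weight, _ in indicators if hit)
    reasons = [reason for hit, _, reason in indicators if hit]
    return score, reasons


def triage(log_text, threshold=FLAG_THRESHOLD):
    """Return [(name, score, reasons)] for every entry at or above the threshold."""
    flagged = []
    for entry in parse_o23(log_text):
        score, reasons = score_service(entry)
        if score >= threshold:
            flagged.append((entry["name"], score, reasons))
    return flagged
```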

Solved Re: Trojan.ZlobG

Post by Belahzur on 11th December 2008, 4:55 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    explorer.exe

    :services
    AMQHAZK
    JAIDYEKPQD
    Viewpoint Manager Service

    :files
    c:\users\stepahnie\AppData\Roaming\Google\windep.exe
    c:\users\stepahnie\AppData\Roaming\mjusbsp

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smax4v"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04d919b6-866e-11dc-98c5-0016d4e5f47f}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef8147a2-4eb4-11dd-9c8f-0016d4e5f47f}]


    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Solved OTMoveit3 problem

Post by decojr on 11th December 2008, 5:29 pm

I ran the OT Move it 3

By the time it got to the Empty folder process, the Zlob.G pop-up popped up again and the program froze up. It says not responding. The page for the program is now blank. I can't even see the results. Should I try running it again?


Solved Re: Trojan.ZlobG

Post by decojr on 11th December 2008, 5:37 pm

Somehow the OT program came back up...and its asking if I want to reboot. I'm going to reboot and see what happens.


Solved Re: Trojan.ZlobG

Post by decojr on 11th December 2008, 5:45 pm

I don't see any pop-up webpages so far. Here is the log from OTMoveit3:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service AMQHAZK stopped successfully.
Service AMQHAZK deleted successfully.
Service JAIDYEKPQD stopped successfully.
Service JAIDYEKPQD deleted successfully.
Service Viewpoint Manager Service stopped successfully.
Service Viewpoint Manager Service deleted successfully.
========== FILES ==========
c:\users\stepahnie\AppData\Roaming\Google\windep.exe moved successfully.
c:\users\stepahnie\AppData\Roaming\mjusbsp\Upgrade moved successfully.
c:\users\stepahnie\AppData\Roaming\mjusbsp\ug00000 moved successfully.
c:\users\stepahnie\AppData\Roaming\mjusbsp\st00000 moved successfully.
c:\users\stepahnie\AppData\Roaming\mjusbsp\in00000 moved successfully.
c:\users\stepahnie\AppData\Roaming\mjusbsp\ar00001 moved successfully.
c:\users\stepahnie\AppData\Roaming\mjusbsp\ar00000 moved successfully.
c:\users\stepahnie\AppData\Roaming\mjusbsp moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Smax4v deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{04d919b6-866e-11dc-98c5-0016d4e5f47f}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef8147a2-4eb4-11dd-9c8f-0016d4e5f47f}\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\Users\STEPAH~1\AppData\Local\Temp\~DFF58.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\STEPAH~1\AppData\Local\Temp\~DFF5F7.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\ZLT0579e.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_122439

Files moved on Reboot...
C:\Users\STEPAH~1\AppData\Local\Temp\~DFF58.tmp moved successfully.
C:\Users\STEPAH~1\AppData\Local\Temp\~DFF5F7.tmp moved successfully.
File C:\Windows\temp\ZLT0579e.TMP not found!

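When reading a results log like the one above, the lines worth checking are the ones that did not succeed immediately: the "scheduled to be deleted on reboot" entries and what the "Files moved on Reboot..." pass later reported for them. As an added example, not code from the thread or from OTMoveIt3, this Python parser counts outcomes per section and follows each deferred item through the reboot pass; the sample lines are copied from the log above, and the message wording it matches is assumed from that log.

```python
import re

# Constructed sample in the OTMoveIt3 results-log format posted in this
# thread (a few lines copied from the posted log, not the whole of it).
SAMPLE_LOG = r"""
========== SERVICES/DRIVERS ==========
Service AMQHAZK stopped successfully.
Service AMQHAZK deleted successfully.
========== FILES ==========
c:\users\stepahnie\AppData\Roaming\Google\windep.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\Users\STEPAH~1\AppData\Local\Temp\~DFF58.tmp scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\ZLT0579e.TMP scheduled to be deleted on reboot.
User's Temp folder emptied.

Files moved on Reboot...
C:\Users\STEPAH~1\AppData\Local\Temp\~DFF58.tmp moved successfully.
File C:\Windows\temp\ZLT0579e.TMP not found!
"""

SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
DEFERRED_RE = re.compile(r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")
REBOOT_RE = re.compile(r"^(?:File )?(?P<path>.+?) (?P<result>moved successfully\.|not found!)$")


def parse_otmoveit_log(text):
    """Return ({section: {"ok": n, "deferred": n}}, {path: fate}); fate is
    "pending", "moved" or "not found" for each item deferred to the reboot pass."""
    counts, deferred, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m["name"]
            counts[section] = {"ok": 0, "deferred": 0}
        elif line.startswith("Files moved on Reboot"):
            section = "reboot"  # everything after this header is the reboot pass
        elif section == "reboot":
            if m := REBOOT_RE.match(line):
                deferred[m["path"].lower()] = "moved" if m["result"].startswith("moved") else "not found"
        elif m := DEFERRED_RE.match(line):
            counts.setdefault(section, {"ok": 0, "deferred": 0})["deferred"] += 1
            deferred.setdefault(m["path"].lower(), "pending")  # paths compared case-insensitively
        elif line.endswith(("successfully.", "emptied.")):
            counts.setdefault(section, {"ok": 0, "deferred": 0})["ok"] += 1
    return counts, deferred


def not_confirmed_moved(text):
    """Deferred items the reboot pass did not report as moved. "not found" means the
    file no longer existed at reboot time; "pending" means no reboot line mentioned it."""
    _, deferred = parse_otmoveit_log(text)
    return {path: fate for path, fate in deferred.items() if fate != "moved"}
```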

Solved Re: Trojan.ZlobG

Post by Belahzur on 11th December 2008, 5:54 pm

Hello.
The alerts should have stopped now.
What problems remain?





Solved Re: Trojan.ZlobG

Post by decojr on 11th December 2008, 5:59 pm

Not seeing any more problems. THANK YOU SO MUCH!!! I read prior posts that suggest updating Java. For some reason, when I go to the Install/Uninstall page, I'm not given an option to uninstall; do you know why that is? Do you think I need to update my Java?


Solved Re: Trojan.ZlobG

Post by Belahzur on 11th December 2008, 6:03 pm

Hello.
Yes, you need to update.
If there is no Java on the uninstall list, skip the uninstall and run JavaRa.





Solved Problem solved!!!

Post by decojr on 11th December 2008, 9:15 pm

THANKS FOR THE HELP!!! I updated JAVA too.


Solved Re: Trojan.ZlobG

Post by Belahzur on 11th December 2008, 9:30 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.





Solved Re: Trojan.ZlobG

Post by Doctor Inferno on 15th January 2009, 8:24 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104630
# Likes # Likes : 0

View user profile

Back to top Go down
