Trojan.Zlob.G help

View previous topic View next topic Go down

Solved Trojan.Zlob.G help

Post by Freak on Thu Dec 11, 2008 3:24 am

Somehow I got this Trojan today and I can't seem to figure out how to remove it. I ran ComboFix and here is the log report.

ComboFix 08-12-09.03 - HP_Owner 2008-12-10 19:11:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.180 [GMT -8:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\program files\Common Files\crosof~1.net
c:\program files\winupdates
c:\windows\system32\sysogg.dll
c:\windows\WINDOWS
c:\windows\WINDOWS\Vista Dock\Data\General.png
c:\windows\WINDOWS\Vista Dock\Data\Icons.png
c:\windows\WINDOWS\Vista Dock\Data\Position.png
c:\windows\WINDOWS\Vista Dock\Data\Style.png
c:\windows\WINDOWS\Vista Dock\Data\Thumbs.db
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultIcons\Thumbs.db
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultIcons\Unknown.png
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\background.ini
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\bg.png
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\sep.png
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\separator.ini
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\Thumbs.db
c:\windows\WINDOWS\Vista Dock\Docklets\Defaults.ini
c:\windows\WINDOWS\Vista Dock\Icons\Clock.png
c:\windows\WINDOWS\Vista Dock\Icons\Control Panel.png
c:\windows\WINDOWS\Vista Dock\Icons\Folder.png
c:\windows\WINDOWS\Vista Dock\Icons\Internet Shortcut.png
c:\windows\WINDOWS\Vista Dock\Icons\My Computer.png
c:\windows\WINDOWS\Vista Dock\Icons\My Documents.png
c:\windows\WINDOWS\Vista Dock\Icons\My Music.png
c:\windows\WINDOWS\Vista Dock\Icons\My Network Places.png
c:\windows\WINDOWS\Vista Dock\Icons\My Pictures.png
c:\windows\WINDOWS\Vista Dock\Icons\Options.png
c:\windows\WINDOWS\Vista Dock\Icons\Recycle Bin (full).png
c:\windows\WINDOWS\Vista Dock\Icons\Recycle Bin.png
c:\windows\WINDOWS\Vista Dock\Icons\Thumbs.db
c:\windows\WINDOWS\Vista Dock\MouseHook.dll
c:\windows\WINDOWS\Vista Dock\Vista Dock.exe
C:\z.dat
C:\z.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-10 17:47 . 2008-12-10 17:47 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 11:15 . 2008-12-09 15:38 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-03 11:15 . 2008-12-03 11:15 1,409 --a------ c:\windows\QTFont.for
2008-11-11 18:34 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 18:34 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 01:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 09:35 --------- d-----w c:\program files\Winamp
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 07:08 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:48 103,736 ----a-w c:\windows\system32\PnkBstrB.exe
2008-09-22 08:15 25,992 ----a-w c:\windows\system32\pgdfgsvc.exe
2008-09-19 17:02 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-09-16 02:59 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2007-12-18 23:55 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-10-25 19:09 28,672 ----a-w c:\documents and settings\HP_Owner\update.exe
2006-05-13 17:41 46 ----a-w c:\documents and settings\HP_Owner\text.bat
2005-12-27 00:02 268,226 -c--a-w c:\program files\setuplog.txt
2005-10-11 10:34 40 -c--a-w c:\documents and settings\HP_Owner\language.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WinDNS"="c:\documents and settings\HP_Owner\Application Data\Google\lnhul20920683.exe" [2008-12-10 123392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-01 4112384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^RocketDock.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BHR3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 13:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 07:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 15:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-01 22:12 4112384 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 19:43 233472 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 16:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-01 22:12 843776 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"aawservice"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-15 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-15 231704]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\DRIVERS\tj2knd5.sys [2007-10-13 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\DRIVERS\tj2kunic.sys [2007-10-13 69680]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\du0c1sro.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-10 19:16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-10 19:19:04
ComboFix-quarantined-files.txt 2008-12-11 03:18:34

Pre-Run: 34,496,462,848 bytes free
Post-Run: 34,491,625,472 bytes free

192 --- E O F --- 2008-11-14 18:30:02





Thanks for your help!

Freak
Beginner
Beginner

Posts Posts : 2
Joined Joined : 2008-12-11
OS OS : XP
Points Points : 29150
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G help

Post by Belahzur on Thu Dec 11, 2008 4:50 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :processes
    explorer.exe

    :files
    c:\documents and settings\HP_Owner\Application Data\Google\lnhul20920683.exe

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinDNS"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G help

Post by Freak on Fri Dec 12, 2008 3:02 am

Thanks for the help. I actually got a program called malwarebytes and it took care of the problem.

Freak
Beginner
Beginner

Posts Posts : 2
Joined Joined : 2008-12-11
OS OS : XP
Points Points : 29150
# Likes # Likes : 0

View user profile

Back to top Go down

Solved Re: Trojan.Zlob.G help

Post by Doctor Inferno on Thu Jan 15, 2009 8:28 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12017
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104584
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum