Trojan Zlob G


Solved Trojan Zlob G

Post by Missy E77 on Thu Dec 11, 2008 3:19 pm

I've been looking up on ways to get rid of this trojan manually/without installing more antivirus/malware software.

looking at other threads, I've noticed the same instructions to go into C:\Documents and Settings\{username}\Application Data\Google\

and search out the specified files and remove them. The issue I'm having is, and it may be because I'm lacking sleep over this stupid virus and just can't see it, but I can't seem to find "application data" or "app" after I've accessed the previous folders!

Please assist me with my handicap, because I'm about to destroy my laptop. Thank you

Missy E77
Intermediate

Posts: 65
Joined: 2008-12-11
OS: Windows XP
Points: 29178
# Likes: 0

Solved Re: Trojan Zlob G

Post by Doctor Inferno on Thu Dec 11, 2008 3:24 pm

Hello, welcome to GeekPolice.

Please read this before we can help you:

[You must be registered and logged in to see this link.]

Post a HijackThis log.



Doctor Inferno
Administrator

Posts: 12017
Joined: 2007-12-26
Gender: Male
OS: Windows 7 Home Premium and Ultimate X64
Protection: Kaspersky PURE and Malwarebytes' Anti-Malware
Points: 104584
# Likes: 0

Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 7:52 pm

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\emMON.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe
C:\Documents and Settings\Owner\Application Data\Twain\Twain.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll (file missing)
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunOnce: [mcupdmgr.exe] c:\PROGRA~1\mcafee.com\agent\mcupdmgr.exe -regserver
O4 - HKLM\..\RunOnce: [mcagent.exe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe -regserver
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Owner\Application Data\Twain\Twain.exe
O4 - HKUS\S-1-5-21-2509414496-1618858112-3922349244-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guestss')
O4 - HKUS\S-1-5-21-2509414496-1618858112-3922349244-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: qtlmpv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9048 bytes

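The log above already shows the entries ComboFix removes later in the thread: two HKCU Run values launching from `Application Data`, an HKLM Run value that names a bare `emMON.exe` with no path, and a populated `AppInit_DLLs` value (`qtlmpv.dll`). The Python script below is an added example, not part of this thread and not part of HijackThis or ComboFix, showing how to pull those patterns out of a HijackThis log mechanically. The sample lines are copied from the log above; the `Finding` type, the regular expressions and the list of user-writable path markers are this example's own assumptions.

```python
"""Added example: triage a HijackThis (HJT) log for the autostart patterns in
the thread above.  Only registry Run keys (O4 HKLM/HKCU/HKUS), the
AppInit_DLLs value (O20) and BHO entries (O2) are inspected; everything else
in the log is ignored."""
import re
from typing import List, NamedTuple

# Constructed sample: lines copied from the HijackThis log posted above, with
# benign neighbours kept for contrast.  Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: HelloWorldBHO - {D88E1558-7C2D-407A-953A-C044F5607CEA} - C:\Program Files\Mjcore\Mjcore.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [emMON] emMON.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Owner\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: qtlmpv.dll
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""


class Finding(NamedTuple):
    severity: str  # "high" or "medium" (this example's own scale)
    item: str      # HJT item type: O2, O4 or O20
    subject: str   # run-value name, DLL name or BHO name
    reason: str


# "HKCU\..\Run: [name] command"; HKUS entries carry a SID after the hive name
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# leading program of a command line, quoted or not, up to an executable extension
EXE_RE = re.compile(
    r'^"?(?P<path>.+?\.(?:exe|dll|sys|com|scr|pif|bat|cmd))"?(?=\s|$)', re.IGNORECASE)
# user-writable locations on XP that a legitimate Run value rarely points into
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "%appdata%", "%temp%")


def program_path(cmd: str) -> str:
    """Return the program part of an autorun command line, or "" if none is found."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else ""


def triage(log_text: str) -> List[Finding]:
    """Scan HJT log lines and return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        item, body = line.split(" - ", 1)
        if item == "O4":
            m = O4_RE.match(body)
            if not m:          # Global Startup folder entries are not handled here
                continue
            path = program_path(m.group("cmd"))
            if not path:
                continue
            if "\\" not in path:
                # A bare file name is resolved through the loader's search path
                # rather than a fixed location, so it is hard to audit.
                findings.append(Finding("high", item, m.group("name"),
                                        "unqualified program name: " + path))
            elif any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(Finding("high", item, m.group("name"),
                                        "autorun from a user-writable profile directory: " + path))
        elif item == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:
                # Every process that maps user32.dll loads these DLLs at start.
                findings.append(Finding("high", item, dlls,
                                        "AppInit_DLLs is populated"))
        elif item == "O2" and body.endswith("(file missing)"):
            bho = body.split(" - ", 1)[0].replace("BHO: ", "", 1)
            findings.append(Finding("medium", item, bho,
                                    "BHO registered but its DLL is absent"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.item:4} {f.subject}: {f.reason}")
```

Run against the sample, the four high findings are exactly the items ComboFix deletes further down (gadcom, Twain, emMON.exe) and the AppInit_DLLs value Belahzur clears with the CFScript; the orphaned HelloWorldBHO entry is flagged lower because the DLL it points to is already gone. A populated AppInit_DLLs value deserves a look even when the named DLL cannot be found on disk, since the registry value itself is what causes the load attempt in every new process.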

Solved Re: Trojan Zlob G

Post by Belahzur on Sun Dec 14, 2008 7:54 pm

Hello.
Before I can help, the header of your Hijack This log is cut off, please post that bit then I will help.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245049
# Likes: 1

Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 7:56 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:30 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal



Sorry, and thanks :)


Solved Re: Trojan Zlob G

Post by Belahzur on Sun Dec 14, 2008 8:11 pm

Hello.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 8:26 pm

ComboFix 08-12-14.02 - Owner 2008-12-14 15:22:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.138 [GMT -5:00]
Running from: c:\program files\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\gadcom
c:\documents and settings\Owner\Application Data\gadcom\gadcom.exe
c:\documents and settings\Owner\Application Data\gadcom\merman.exe
c:\documents and settings\Owner\Application Data\Google\kjzna1562565.exe
c:\documents and settings\Owner\Application Data\Google\spcffwl.dll
c:\documents and settings\Owner\Application Data\twain\Twain.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\Downloaded Program Files\setup.inf
c:\windows\emMON.exe
c:\windows\system32\ogixohhy.ini
c:\windows\Tasks\vqdiqgts.job
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-14 15:14 . 2008-12-14 15:14 2,873,218 -ra------ c:\program files\ComboFix.exe
2008-12-14 14:49 . 2008-12-14 14:50 401,720 --a------ c:\program files\Hijack(GP)This.exe
2008-12-14 12:53 . 2008-12-14 12:53 d-------- c:\windows\LastGood
2008-12-12 09:46 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-12 09:32 . 2008-12-12 09:32 d-------- c:\documents and settings\Guestss\Application Data\McAfee
2008-12-12 09:31 . 2005-03-27 01:26 d-------- c:\documents and settings\Guestss\WINDOWS
2008-12-12 09:31 . 2007-11-07 21:53 d-------- c:\documents and settings\Guestss\Application Data\SampleView
2008-12-12 09:31 . 2008-12-12 09:31 d-------- c:\documents and settings\Guestss
2008-12-11 08:49 . 2008-12-12 12:58 31 --a------ c:\documents and settings\Guest\jagex_runescape_preferences.dat
2008-12-11 08:46 . 2005-03-27 01:26 d-------- c:\documents and settings\Guest\WINDOWS
2008-12-11 08:46 . 2007-11-07 21:53 d-------- c:\documents and settings\Guest\Application Data\SampleView
2008-12-11 08:46 . 2008-12-11 08:46 d-------- c:\documents and settings\Guest\Application Data\McAfee
2008-12-11 08:46 . 2008-12-11 08:49 d-------- c:\documents and settings\Guest
2008-12-09 22:44 . 2004-08-04 14:00 94,784 --a------ c:\windows\twain.dll
2008-12-09 22:44 . 2004-08-04 14:00 94,784 --a--c--- c:\windows\system32\dllcache\twain.dll
2008-12-09 00:16 . 2008-12-14 15:23 d-------- c:\documents and settings\Owner\Application Data\Twain
2008-12-04 05:33 . 2008-12-04 05:33 d-------- c:\documents and settings\Owner\.jagex_cache_32
2008-11-21 11:44 . 2001-03-18 13:52 766 --------- c:\windows\Uninstall.ico
2008-11-21 11:43 . 2005-12-12 01:56 151,552 --a------ c:\windows\system32\SSCoInst.exe
2008-11-21 11:43 . 2005-12-12 01:56 135,168 --a------ c:\windows\system32\SVSetup.Exe
2008-11-21 11:43 . 2005-12-12 01:57 57,344 --a------ c:\windows\system32\SSCoInst.dll
2008-11-21 11:43 . 2005-12-12 01:57 53,248 --a------ c:\windows\system32\SVSetup.dll
2008-11-21 11:43 . 2005-10-24 22:54 20,594 --a------ c:\windows\system32\Dels3LMK.DLL
2008-11-21 11:43 . 2005-10-24 22:54 533 --a------ c:\windows\system32\Dels3LMK.SMT
2008-11-21 11:42 . 2008-11-21 11:42 d-------- c:\program files\DELL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 19:50 9,049 ----a-w c:\program files\hijackthis.log
2008-12-14 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-12 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-11 11:49 --------- d-----w c:\program files\BearShare Applications
2008-12-09 18:39 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-11-24 20:17 132 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-11-21 16:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-04-18 01:05 41,334,456 ----a-w c:\program files\logitech.exe
2008-04-14 04:02 41,399,896 ----a-w c:\program files\SmartBOARDsetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-10-04 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-07 98304]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2004-08-17 245760]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2004-10-02 184320]
"_AntiSpyware"="c:\program files\McAfee\McAfee AntiSpyware\MssCli.exe" [2004-11-17 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CleanUp"="c:\progra~1\McAfee.com\Shared\mcappins.exe" [2006-01-23 131072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2007-11-07 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-17 169472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-11-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=qtlmpv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-09 24652]

*Newly Created Service* - MCDETECT.EXE
*Newly Created Service* - MCTSKSHD.EXE
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1\McSpy.exe [2004-11-17 04:00]

2008-12-13 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1 [2007-11-07 21:42]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guest).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guest).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guestss).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guestss).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Owner).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (YOUR-1AA5A02CD2-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (YOUR-1AA5A02CD2-Owner).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-emMON - emMON.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-14 15:24:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'winlogon.exe'(3828)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'winlogon.exe'(224)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-14 15:25:49
ComboFix-quarantined-files.txt 2008-12-14 20:25:06

Pre-Run: 77,023,293,440 bytes free
Post-Run: 77,881,561,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

207 --- E O F --- 2008-12-12 14:36:31


Solved Re: Trojan Zlob G

Post by Belahzur on Sun Dec 14, 2008 8:29 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\qtlmpv.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.





Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 8:38 pm

ComboFix 08-12-14.02 - Owner 2008-12-14 15:34:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.140 [GMT -5:00]
Running from: c:\program files\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\qtlmpv.dll
.

((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-14 15:14 . 2008-12-14 15:14 2,873,218 -ra------ c:\program files\ComboFix.exe
2008-12-14 14:49 . 2008-12-14 14:50 401,720 --a------ c:\program files\Hijack(GP)This.exe
2008-12-14 12:53 . 2008-12-14 12:53 d-------- c:\windows\LastGood
2008-12-12 09:46 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-12 09:32 . 2008-12-12 09:32 d-------- c:\documents and settings\Guestss\Application Data\McAfee
2008-12-12 09:31 . 2005-03-27 01:26 d-------- c:\documents and settings\Guestss\WINDOWS
2008-12-12 09:31 . 2007-11-07 21:53 d-------- c:\documents and settings\Guestss\Application Data\SampleView
2008-12-12 09:31 . 2008-12-12 09:31 d-------- c:\documents and settings\Guestss
2008-12-11 08:49 . 2008-12-12 12:58 31 --a------ c:\documents and settings\Guest\jagex_runescape_preferences.dat
2008-12-11 08:46 . 2005-03-27 01:26 d-------- c:\documents and settings\Guest\WINDOWS
2008-12-11 08:46 . 2007-11-07 21:53 d-------- c:\documents and settings\Guest\Application Data\SampleView
2008-12-11 08:46 . 2008-12-11 08:46 d-------- c:\documents and settings\Guest\Application Data\McAfee
2008-12-11 08:46 . 2008-12-11 08:49 d-------- c:\documents and settings\Guest
2008-12-09 22:44 . 2004-08-04 14:00 94,784 --a------ c:\windows\twain.dll
2008-12-09 22:44 . 2004-08-04 14:00 94,784 --a--c--- c:\windows\system32\dllcache\twain.dll
2008-12-09 00:16 . 2008-12-14 15:23 d-------- c:\documents and settings\Owner\Application Data\Twain
2008-12-04 05:33 . 2008-12-04 05:33 d-------- c:\documents and settings\Owner\.jagex_cache_32
2008-11-21 11:44 . 2001-03-18 13:52 766 --------- c:\windows\Uninstall.ico
2008-11-21 11:43 . 2005-12-12 01:56 151,552 --a------ c:\windows\system32\SSCoInst.exe
2008-11-21 11:43 . 2005-12-12 01:56 135,168 --a------ c:\windows\system32\SVSetup.Exe
2008-11-21 11:43 . 2005-12-12 01:57 57,344 --a------ c:\windows\system32\SSCoInst.dll
2008-11-21 11:43 . 2005-12-12 01:57 53,248 --a------ c:\windows\system32\SVSetup.dll
2008-11-21 11:43 . 2005-10-24 22:54 20,594 --a------ c:\windows\system32\Dels3LMK.DLL
2008-11-21 11:43 . 2005-10-24 22:54 533 --a------ c:\windows\system32\Dels3LMK.SMT
2008-11-21 11:42 . 2008-11-21 11:42 d-------- c:\program files\DELL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-14 19:50 9,049 ----a-w c:\program files\hijackthis.log
2008-12-14 19:32 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-12 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2008-12-11 11:49 --------- d-----w c:\program files\BearShare Applications
2008-12-09 18:39 31 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-11-24 20:17 132 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-11-21 16:44 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-04-18 01:05 41,334,456 ----a-w c:\program files\logitech.exe
2008-04-14 04:02 41,399,896 ----a-w c:\program files\SmartBOARDsetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2007-10-04 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-07 98304]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2004-08-17 245760]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2004-10-02 184320]
"_AntiSpyware"="c:\program files\McAfee\McAfee AntiSpyware\MssCli.exe" [2004-11-17 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CleanUp"="c:\progra~1\McAfee.com\Shared\mcappins.exe" [2006-01-23 131072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2007-11-07 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-04-17 169472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-11-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-09 24652]

*Newly Created Service* - CATCHME
*Newly Created Service* - MCDETECT.EXE
*Newly Created Service* - MCTSKSHD.EXE
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1\McSpy.exe [2004-11-17 04:00]

2008-12-13 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1 [2007-11-07 21:42]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guest).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guest).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guestss).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Guestss).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (TANITHLAPTOP-Owner).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (YOUR-1AA5A02CD2-Owner).job
- c:\progra~1\mcafee.com\agent\mcupdate.exe [2004-10-02 19:34]

2008-12-14 c:\windows\Tasks\McAfee.com Update Check (YOUR-1AA5A02CD2-Owner).job
- c:\progra~1\mcafee.com\agent [2008-12-14 12:53]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-14 15:35:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'winlogon.exe'(3828)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'winlogon.exe'(224)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-14 15:36:44
ComboFix-quarantined-files.txt 2008-12-14 20:36:09
ComboFix2.txt 2008-12-14 20:25:50

Pre-Run: 77,880,438,784 bytes free
Post-Run: 77,867,884,544 bytes free

183 --- E O F --- 2008-12-12 14:36:31


Solved Re: Trojan Zlob G

Post by Belahzur on Sun Dec 14, 2008 8:44 pm

Looks good now, what problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1


Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 8:46 pm

lol oh wow, I guess none :) thanks so much... everything seems normal, for now at least


Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 8:47 pm

P.S. ...you're my lifesaver :D lol thxx <333


Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 8:51 pm

One more thing though... can I delete/get rid of ComboFix?


Solved Re: Trojan Zlob G

Post by Belahzur on Sun Dec 14, 2008 8:53 pm

Yep.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.




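The step above that asks you to remove every older Java version from Add or Remove Programs can be checked from the registry data that dialog reads. The script below is an added example for this thread; it is not part of the original posts and not code from JavaRa, ComboFix or Sun. It assumes PowerShell is available on the machine (PowerShell 2.0 conventions are used so it also works on XP-era hosts) and that the Java entries carry display names like the ones Belahzur listed ("Java(TM) 6 Update 7", "J2SE Runtime Environment 5.0 Update 2", "Java 2 Runtime Environment, SE v1.4.2"). It only reads the uninstall keys and reports which installs are older than the newest one; it never uninstalls anything, so the actual removal is still done through Add or Remove Programs or JavaRa as the post describes.

```powershell
# Added example (not from the thread): inventory the Java Runtime entries that
# Add or Remove Programs shows, taken from the Uninstall registry keys, and flag
# every install that is older than the newest one. Read-only: nothing is removed.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # present on 64-bit hosts only
)

# Display-name prefixes used by Sun/Oracle installers of that era. This pattern is an
# assumption about naming and is not exhaustive; extend it if an entry is missed.
$javaPattern = '^(Java\(TM\)|Java 2 Runtime Environment|J2SE Runtime Environment|Java SE)'

$installed = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        if (-not $p.DisplayName -or $p.DisplayName -notmatch $javaPattern) { continue }

        # DisplayVersion is normally dotted (e.g. 1.6.0.70 for Java 6 Update 7). An entry
        # without a parseable version sorts as 0.0 so it is still listed, never silently dropped.
        $ver = [version]'0.0'
        if ($p.DisplayVersion) {
            try { $ver = [version]$p.DisplayVersion } catch { $ver = [version]'0.0' }
        }

        New-Object PSObject -Property @{
            Name            = $p.DisplayName
            Version         = $ver
            UninstallString = $p.UninstallString   # the command Add or Remove Programs runs
            RegistryKey     = $sub.PSChildName
        }
    }
}

if (-not $installed) {
    'No Java Runtime entries found in Add or Remove Programs.'
    return
}

$sorted = @($installed | Sort-Object Version -Descending)
$newest = $sorted[0].Version

'Newest Java Runtime found: {0} ({1})' -f $sorted[0].Name, $newest
''
foreach ($entry in $sorted) {
    # Anything below the newest version is a candidate for the "remove older versions" step.
    $status = if ($entry.Version -lt $newest) { 'REMOVE (older)' } else { 'keep   (newest)' }
    '{0,-16} {1,-10} {2}' -f $status, $entry.Version, $entry.Name
}
```

Run it from an administrator PowerShell prompt after installing the new JRE, then compare its REMOVE lines with what Add or Remove Programs shows before clicking Remove; entries that report version 0.0 should be inspected by hand rather than trusted to the sort order.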

Solved Re: Trojan Zlob G

Post by Missy E77 on Sun Dec 14, 2008 9:24 pm

Once I double-click jre-6u11-windows-i586-p.exe to install it, the download status was "Download failed. Maximum retries exceeded. See Help for more info. [3]"

I don't know why it won't install, but going back to the steps where I was supposed to remove older Java versions, did that include:
Java (TM) 6 update 2
Java (TM) 6 update 7

If so, I haven't removed those, I only removed:
J2SE Runtime Environment 5.0 Update 2


Solved Re: Trojan Zlob G

Post by Belahzur on Sun Dec 14, 2008 10:06 pm

Hello.
The download from the Java website may have been changed; they had website trouble a few weeks ago, so try again later.

Yes, remove all older versions including these two:
Java (TM) 6 update 2
Java (TM) 6 update 7





Solved Re: Trojan Zlob G

Post by Doctor Inferno on Sat Jan 17, 2009 10:31 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



