Excessive activity after Trojan Zlob.G removal


Solved Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 6:11 pm

Hi,

I am experiencing huge activity from the two processes

ZCfgSvc.exe
iFrmewrk.exe

This happened after the removal of the Trojan Zlob.G performed yesterday with your support.
Do you have any idea about this issue?

Pietro Centoletti

pietro.centoletti
Novice
Novice

Posts Posts : 23
Joined Joined : 2008-12-10
OS OS : Windows XP
Points Points : 29190
# Likes # Likes : 0


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Belahzur on Thu Dec 11, 2008 6:18 pm

Please post a new Hijack This.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 6:29 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.29.10, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programmi\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080529-0018\soffice.exe
C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\tmp\HiJack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Programmi\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SODCPreLoad] C:\Programmi\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080529-0018\preload.exe C:\Programmi\IBM\Lotus\Symphony\data\.sodc\
O4 - HKLM\..\Run: [TradeManager] C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe
O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Programmi\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &MSN Search - [You must be registered and logged in to see this link.] Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - [You must be registered and logged in to see this link.] Toolbar Suite\it-it\msntabres.dll.mui/230?f50c01e484784d0cb9f752d118c384fd
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - [You must be registered and logged in to see this link.] Toolbar Suite\it-it\msntabres.dll.mui/229?f50c01e484784d0cb9f752d118c384fd
O8 - Extra context menu item: E&sporta in Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{56E97172-F53E-4B5B-9397-5DD9C9613F4C}: NameServer = 151.99.125.1,151.99.0.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2976041-F1D1-4C9D-8248-EE30BC6DC966}: NameServer = 151.99.125.1,151.99.0.100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programmi\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9738 bytes


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Belahzur on Thu Dec 11, 2008 6:39 pm

Let's see what CF has to say.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 6:52 pm

ComboFix 08-12-09.03 - Pietro Centoletti 2008-12-11 19.49.33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1357 [GMT 1:00]
Eseguito da: c:\tmp\ComboFix.exe
.

((((((((((((((((((((((((( Files Creati Da 2008-11-11 al 2008-12-11 )))))))))))))))))))))))))))))))))))
.

2008-12-10 23:40 . 2008-12-10 23:40 d-------- c:\programmi\Java
2008-12-10 23:40 . 2008-12-10 23:40 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-10 23:40 . 2008-12-10 23:40 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-10 22:49 . 2008-12-10 22:49 d-------- C:\_OTMoveIt
2008-12-10 20:52 . 2008-12-10 20:52 1,152 --a------ c:\windows\system32\windrv.sys
2008-12-10 18:22 . 2008-12-10 19:30 d-a------ c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-12-10 16:49 . 2008-12-10 16:49 d-------- c:\programmi\Enigma Software Group
2008-12-10 16:10 . 2008-12-10 16:48 d-------- c:\documents and settings\Pietro Centoletti\Dati applicazioni\SUPERAntiSpyware.com
2008-12-10 16:10 . 2008-12-10 16:10 d-------- c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-11-23 11:46 . 2008-11-23 11:47 d-------- C:\Misc
2008-11-12 07:07 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 07:06 . 2008-09-04 18:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 14:02 51,716 ----a-w c:\windows\system32\pdf995mon.dll
2008-12-11 14:02 249,856 ----a-w c:\windows\system32\pdfmona.dll
2008-12-11 08:49 --------- d-----w c:\programmi\Mozilla Thunderbird
2008-12-10 19:16 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\Skype
2008-12-10 17:05 --------- d-----w c:\programmi\InterVideo
2008-12-10 17:04 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\skypePM
2008-12-10 15:48 --------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2008-12-05 11:43 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\pdf995
2008-11-13 12:36 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\FileZilla
2008-11-12 07:55 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\AdobeUM
2008-11-12 07:49 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-12 07:49 --------- d-----w c:\programmi\File comuni\InterVideo
2008-11-06 07:32 90,632 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-11-05 13:05 --------- d-----w c:\documents and settings\Pietro Centoletti\Dati applicazioni\InterVideo
2008-10-30 06:40 98,440 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:35 8,552 ----a-w c:\windows\system32\drivers\asctrm.sys
2008-10-23 10:14 --------- d-----w c:\programmi\Skype
2008-10-23 07:39 --------- d-----w c:\programmi\File comuni\Real
2008-10-23 07:16 --------- d-----w c:\programmi\Alibaba
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:24 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-07-22 07:27 608 --sha-w c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.],79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-17 06:11:46 124,520 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-10 22:38:03 124,520 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2005-11-10 09:27:06 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-12-10 22:40:06 144,792 ----a-w c:\windows\system32\java.exe
- 2005-11-10 09:27:16 49,250 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-10 22:40:06 144,792 ----a-w c:\windows\system32\javaw.exe
- 2005-11-10 11:03:54 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-10 22:40:06 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-10 19:16:53 9,264 ----a-w c:\windows\system32\msqtvcap.dat
+ 2008-12-11 17:31:35 9,264 ----a-w c:\windows\system32\msqtvcap.dat
- 2008-07-10 16:41:52 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ps5ui.dll
+ 2008-12-11 14:02:20 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ps5ui.dll
- 2008-07-10 16:41:52 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ui5.DLL
+ 2008-12-11 14:02:20 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pdf995ui5.DLL
- 2008-07-10 16:41:52 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pscript5-32.dll
+ 2008-12-11 14:02:20 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\3\pscript5-32.dll
- 2008-07-10 16:41:52 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ps5ui.dll
+ 2008-12-11 14:02:20 135,248 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ps5ui.dll
- 2008-07-10 16:41:50 218,816 ----a-w c:\windows\system32\spool\drivers\w32x86\Pdf995ui.dll
+ 2008-12-11 14:02:17 218,816 ----a-w c:\windows\system32\spool\drivers\w32x86\Pdf995ui.dll
- 2008-07-10 16:41:52 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ui5.DLL
+ 2008-12-11 14:02:20 15,872 ----a-w c:\windows\system32\spool\drivers\w32x86\pdf995ui5.DLL
- 2008-07-10 16:41:50 225,648 ----a-w c:\windows\system32\spool\drivers\w32x86\Pscript.dll
+ 2008-12-11 14:02:17 225,648 ----a-w c:\windows\system32\spool\drivers\w32x86\Pscript.dll
- 2008-07-10 16:41:52 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\pscript5-32.dll
+ 2008-12-11 14:02:20 470,608 ----a-w c:\windows\system32\spool\drivers\w32x86\pscript5-32.dll
+ 2008-12-11 17:30:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_278.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"TOSCDSPD"="c:\programmi\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 65536]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-06-03 21718312]
"updateMgr"="c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TradeManager"="c:\progra~1\Alibaba\TRADEM~1\TradeManager -hideframe" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-17 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"THotkey"="c:\programmi\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"Tvs"="c:\programmi\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\programmi\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"SODCPreLoad"="c:\programmi\IBM\Lotus\Symphony\framework\shared\eclipse\plugins\com.ibm.productivity.tools.base.app.win32_3.0.1.20080529-0018\preload.exe" [2008-07-09 40960]
"RealTray"="c:\programmi\Real\RealPlayer\RealPlay.exe" [2008-10-23 26112]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-12-10 136600]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 c:\windows\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 c:\windows\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-04 c:\windows\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
InterVideo WinCinema Manager.lnk - c:\programmi\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-09-15 200704]
Windows Desktop Search.lnk - c:\programmi\Windows Desktop Search\WindowsSearch.exe [2006-03-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Programmi\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.jcl.desktop.win32.x86_6.2.0.200805061024\\jre\\bin\\expeditorw.exe"=
"c:\\OrCAD\\OrCAD_10.3i\\tools\\bin\\cdsMsgServer.exe"=
"c:\\OrCAD\\OrCAD_10.3i\\tools\\bin\\cdsNameServer.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys [2008-07-09 12936]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-07-09 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-07-09 90632]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-10-24 874776]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-09 231704]
R3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-09-18 7040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contenuto della cartella 'Scheduled Tasks'

2008-12-11 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-08-11 06:29]
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\programmi\Uniblue\RegistryBooster\RegistryBooster.exe


.
------- Supplementare di scansione -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &MSN Search - c:\programmi\MSN Toolbar Suite\msntb.dll/search.htm
IE: Apri in nuova scheda in primo piano - c:\programmi\MSN Toolbar Suite\it-it\msntabres.dll.mui/230?f50c01e484784d0cb9f752d118c384fd
IE: Apri in nuova scheda in secondo piano - c:\programmi\MSN Toolbar Suite\it-it\msntabres.dll.mui/229?f50c01e484784d0cb9f752d118c384fd
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {56E97172-F53E-4B5B-9397-5DD9C9613F4C} = 151.99.125.1,151.99.0.100
TCP: {D2976041-F1D1-4C9D-8248-EE30BC6DC966} = 151.99.125.1,151.99.0.100
FireFox -: Profile - c:\documents and settings\Pietro Centoletti\Dati applicazioni\Mozilla\Firefox\Profiles\pduw15ky.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\programmi\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\programmi\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-11 19:50:53
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ASCTRM]
"ImagePath"="\??\c:\windows\system32"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(980)
c:\windows\system32\avgrsstx.dll
.
Ora fine scansione: 2008-12-11 19.51.40
ComboFix-quarantined-files.txt 2008-12-11 18:51:31
ComboFix2.txt 2008-12-10 21:22:16

Pre-Run: 176.410.464.256 byte disponibili
Post-Run: 176,405,286,912 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

210 --- E O F --- 2008-11-12 13:20:10


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 6:57 pm

Now the two processes are not running. Is it helpful for your analysis?


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Belahzur on Thu Dec 11, 2008 7:04 pm

Hello.
Log looks clean.

Delete this folder:
C:\_OTMoveIt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 7:06 pm

OK.


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 7:07 pm

Anything else to perform? I would like to reboot the machine to see if all is working fine.


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Belahzur on Thu Dec 11, 2008 7:11 pm

Hello.
Is this a different machine from the last thread? CF is showing an old presence of Java on the machine.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 7:16 pm

No, it is the same. I performed the installation of the JVM as you indicated to me yesterday. Anyway, after the reboot the two processes are running again. They take between 48% and 62% of the CPU usage.


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Belahzur on Thu Dec 11, 2008 7:17 pm

Hello.
They are (I'm assuming) for your wireless connection.

O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

See, the two file names are the ones you are pointing out.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
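The check Belahzur makes above, matching the two CPU-hungry process names against the O4 Run values that launch them, as an added Python example (it is not code from the thread or from HijackThis). It parses the O4 line format shown in the posted log; the sample log is an excerpt of the thread's own log, and the function and class names are this example's own.

```python
"""Correlate a HijackThis log's 'Running processes' with its O4 autostart
entries, the check done by eye in the thread. Added example, not code from
the thread or from HijackThis; the O4 format is the one in the posted log."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Excerpt of the HijackThis log posted in the thread, embedded inline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TradeManager] C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager -hideframe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

# O4 - <hive>\..\<Run key>: [<value name>] <value data> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


def executable_of(command: str) -> str:
    """Program path from a Run value: the quoted part if quoted, otherwise
    up to the first executable extension (unquoted paths may have spaces)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


@dataclass(frozen=True)
class RunEntry:
    hive: str           # HKLM, HKCU or HKUS\<SID>
    key: str            # Run, RunOnce, ...
    name: str           # value name shown in [brackets]
    command: str        # raw value data
    user: str | None    # only present on HKUS entries

    @property
    def image_name(self) -> str:
        return PureWindowsPath(executable_of(self.command)).name.lower()


def parse_log(text: str) -> tuple[list[str], list[RunEntry]]:
    """Split a HijackThis log into running-process paths and O4 entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            processes.append(line)
        elif in_processes:          # blank line closes the process list
            in_processes = False
        elif (m := O4_RE.match(line)):
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"], m["user"]))
    return processes, entries


def autostarts_for(entries: list[RunEntry], image_name: str) -> list[RunEntry]:
    """All O4 entries whose program has this file name (case-insensitive)."""
    return [e for e in entries if e.image_name == image_name.lower()]


def bare_name_entries(entries: list[RunEntry]) -> list[RunEntry]:
    """Run values giving only a file name (e.g. RTHDCPL.EXE): the loader finds
    these via the search path, so the HijackThis line alone does not say which
    file runs; ComboFix prints the resolved path next to such values."""
    return [e for e in entries
            if PureWindowsPath(executable_of(e.command)).parent == PureWindowsPath(".")]


def correlate(text: str, image_names: list[str]) -> dict[str, dict]:
    """Per file name: the running-process path (or None) and the Run values
    that launch it, i.e. which O4 lines a 'Fix checked' would remove."""
    processes, entries = parse_log(text)
    running = {PureWindowsPath(p).name.lower(): p for p in processes}
    return {img.lower(): {
        "running_as": running.get(img.lower()),
        "autostarts": [f"{e.hive}\\..\\{e.key}: [{e.name}]" for e in autostarts_for(entries, img)],
    } for img in image_names}


if __name__ == "__main__":
    for img, info in correlate(SAMPLE_LOG, ["ZCfgSvc.exe", "ifrmewrk.exe"]).items():
        print(img, "running as", info["running_as"], "; started by", info["autostarts"])
```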



Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 7:20 pm

Those are the two processes that are consuming my CPU time


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Belahzur on Thu Dec 11, 2008 7:27 pm

Hello.
We can easily kill them at startup, but then your net connection may not work.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless


  • Press "Fix Checked"
  • Close Hijack This.
  • Reboot your machine and see if your net connection still works.


If the net connection doesn't work:


  • Open HijackThis
  • Choose "View list of backups"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless


  • Press "Restore"
  • Close Hijack This.
  • Reboot your machine again.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 7:49 pm

Hi,

excuse me for the delay. It did not work. I had to restore the two boxes.
Now I need to stop for two hours. I have a meeting for house problems. Let
us update after or tomorrow.


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by pietro.centoletti on Thu Dec 11, 2008 7:50 pm

After rebooting, if I manually stop the two processes all is working. I mean, also the Internet connectivity is up after stopping the two processes.


Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Belahzur on Thu Dec 11, 2008 7:55 pm

Good.
Does the machine seem faster now it's stopped eating the processor?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Excessive activity after Trojan Zlob.G removal

Post by Doctor Inferno on Thu Jan 15, 2009 8:25 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104600
# Likes # Likes : 0

