Trojan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(


Post by Jax on 12th December 2008, 8:28 am

Hi, complete newbie here, running Vista. Got this "Trojan.Zlob.G" on MySpace; it was asking me to update my Flash something or other... and I don't think I clicked it, but now I have this stupid trojan. Now my Firefox and IE won't open, and Windows (Vista) is saying it won't work... Your help would be greatly appreciated. Needless to say I've since learned that I should have updated my Windows long ago... "Duh".
I ran HijackThis and this is what I got:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:51 PM, on 12/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\kittymade\AppData\Roaming\Google\windep.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [1194862116] C:\PROGRA~1\eGames\PUZZLE~1\Register\EGAMES~1.EXE /r "C:\PROGRA~1\eGames\PUZZLE~1\Register\EGAMES~1.rpd"
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Users\kittymade\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Smax4v] "C:\Users\kittymade\AppData\Roaming\Google\windep.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdcCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdcserv.exe
O23 - Service: lxdc_device - - C:\Windows\system32\lxdccoms.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10961 bytes



Post by Belahzur on 12th December 2008, 5:12 pm

Press Start > Control Panel > open "Add/remove programs"
Allow the list to load and uninstall these items by selecting each one and pressing the "Remove" button to the right.

Any "McAfee" products



  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor]
    O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Users\kittymade\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
    O4 - HKCU\..\Run: [Smax4v] "C:\Users\kittymade\AppData\Roaming\Google\windep.exe"
    O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - [You must be registered and logged in to see this link.]
    O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.



Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :processes
    explorer.exe

    :files
    C:\PROGRAM FILES\MYWEBSEARCH
    C:\Users\kittymade\AppData\Roaming\Google\windep.exe

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
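The triage Belahzur did by hand above (picking out the Run entries that launch from the user's AppData or Temp folders, and the service whose binary is "(file missing)") can be scripted. The following is an added example written for this thread, not code from HijackThis or from the forum helpers; the log lines it parses are constructed to match the format of the log posted above, and the folder heuristics are the example author's own.

```python
"""Triage HijackThis O4 (Run key) and O23 (service) lines.

Added example for this thread, not code from HijackThis or the forum helpers.
The heuristics (which folders count as suspicious launch locations) are the
example author's own assumptions, not HijackThis logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of a HijackThis 2.0.2 log (not a real scan).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [zzz_ImInstaller_IncrediMail] C:\Users\kittymade\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O4 - HKCU\..\Run: [Smax4v] "C:\Users\kittymade\AppData\Roaming\Google\windep.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: lxdc_device - - C:\Windows\system32\lxdccoms.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
"""

# "O4 - HKLM\..\Run: [name] command line"; the key is HKLM, HKCU or HKUS\<SID>.
O4_RUN = re.compile(r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O23 - Service: <display> - <vendor> - <path>"; the vendor field may be empty.
O23_SVC = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")
# First token of a command line that looks like an executable, quoted or not.
# The lookahead stops "McAfee.com\Agent\mcagent.exe" from being cut at ".com".
EXE_IN_CMD = re.compile(
    r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s"]|$)', re.IGNORECASE
)

TEMP_DIRS = ("\\temp\\", "\\tmp\\")
PROFILE_DIRS = ("\\appdata\\", "\\application data\\", "\\local settings\\")
MISSING = "(file missing)"


@dataclass(frozen=True)
class Finding:
    section: str  # "O4" or "O23"
    name: str     # Run value name or service display name
    path: str     # executable the entry launches
    reason: str


def executable_of(cmd: str) -> str:
    """Return the executable path from an O4 command line, dropping arguments."""
    m = EXE_IN_CMD.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().strip('"')


def parse_service(line: str) -> Optional[tuple[str, str, str]]:
    """Split an O23 line into (display name, vendor, binary path)."""
    m = O23_SVC.match(line.strip())
    return (m.group("display"), m.group("vendor"), m.group("path")) if m else None


def classify_path(path: str) -> Optional[str]:
    """Reason a launch location deserves a look, or None for ordinary locations."""
    p = path.lower()
    if any(t in p for t in TEMP_DIRS):
        return "launches from a temporary directory"
    if any(d in p for d in PROFILE_DIRS):
        return "launches from a user-writable profile folder"
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect O4/O23 entries worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RUN.match(line):
            exe = executable_of(m.group("cmd"))
            if reason := classify_path(exe):
                findings.append(Finding("O4", m.group("name"), exe, reason))
        elif svc := parse_service(line):
            display, _vendor, path = svc
            if path.lower().endswith(MISSING):
                binary = path[: -len(MISSING)].strip()
                findings.append(Finding("O23", display, binary,
                                        "registered service binary is missing on disk"))
            elif reason := classify_path(path):
                findings.append(Finding("O23", display, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} [{f.name}] {f.path}\n     -> {f.reason}")
```

Run against the sample it reports exactly the three entries the helper asked to have fixed: the Temp-folder IncrediMail installer, windep.exe under AppData\Roaming, and the orphaned MyWebSearch service.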




Post by Jax on 14th December 2008, 9:30 am

Forgive me, but were the instructions above meant for XP?? Please forgive my computer illiteracy, but I have VISTA on my laptop (with the trojan). In VISTA when I open Control Panel it keeps telling me Windows has stopped working and then tries to restart Windows. I CAN get Windows to go to Control Panel and stay there, but the program removal options look a little different in VISTA, and I want to do EXACTLY as you tell me to do. A friend had me disconnect my laptop from the internet for safety, so I will reconnect to download when I follow your instructions... (Or I can use this computer and put it on my little SanDisk flash drive and plug it into the laptop..?) It's also giving me some application error with numbers... Thank you so much for your reply to this, it is MUCH appreciated.

Thank you,
Jax



Post by Belahzur on 14th December 2008, 1:30 pm

Oh, sorry. Yeah, those instructions are for XP.

But HJT/OTMoveIt will work on Vista without modding the instructions.






Post by Jax on 15th December 2008, 6:35 am

Ok thank you~ I booted in Vista SAFE MODE because my program list was not populating and then did a thorough check down my list of programs, and there was nothing from McAfee at all. I triple checked it and found nothing close to anything from McAfee.... My friend who helped me set up this laptop last year said he thought he remembered installing McAfee though, so I don't understand. But I couldn't find it anywhere... I hope there is still hope? Thanks so much for your time and help with this,
Jax



Post by Belahzur on 15th December 2008, 2:01 pm

Hello.
Probably just a leftover folder. Did you run OTMoveIt?






Post by Jax on 18th December 2008, 9:18 am

Ok Thank you~~ I did the HijackThis, and a message came up warning me that HijackThis might not work, but I did it anyway, and all the text lines were there to fix but this one (below):

O4 - HKCU\..\Run: [Smax4v] "C:\Users\kittymade\AppData\Roaming\Google\windep.exe"

(Note; Also, my Windows kept trying to do updates, even though I was offline, I kept disabling the internet, don't know if this makes a difference, my computer friend said I should have been doing updates all along, ok I know "Du", THANK you for your help, hopefully my computer is not unfixable...)

SO~ Then I did the MoveIt and these were my log results:


========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: :files
Unable to kill process: C:\PROGRAM FILES\MYWEBSEARCH
Unable to kill process: C:\Users\kittymade\AppData\Roaming\Google\windep.exe
Unable to kill process: :commands
Unable to kill process: [purity]
Unable to kill process: [emptytemp]
Unable to kill process: [start explorer]
Unable to kill process: [reboot]

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12182008_010339



Post by Belahzur on 18th December 2008, 4:53 pm

Hello.
Looks like OTMoveIt didn't work right, maybe the malware interfered.

1. Download this file - [You must be registered and logged in to see this link.]
2. Double-click combofix.exe and follow the prompts, but select NO when asked to install the Recovery Console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.






Post by Jax on 19th December 2008, 9:11 am

I don't think it ever asked me to install the recovery console....??
Here is the ComboFix log:

ComboFix 08-12-18.01 - kittymade 2008-12-19 0:15:43.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.2038.1384 [GMT -8:00]
Running from: G:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\kittymade\AppData\Roaming\Google\dplsmjk.dll
.
---- Previous Run -------
.
c:\users\kittymade\AppData\Roaming\Google\dplsmjk.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-18 03:00 . 2008-12-11 17:53 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-18 00:58 . 2008-12-18 00:58 d-------- C:\_OTMoveIt
2008-12-18 00:13 . 2008-10-21 15:31 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-14 01:18 . 2008-10-31 15:38 4,247,552 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-14 01:18 . 2008-10-28 22:20 2,923,520 --a------ c:\windows\explorer.exe
2008-12-14 01:18 . 2008-10-31 19:33 1,687,040 --a------ c:\windows\System32\gameux.dll
2008-12-14 01:18 . 2008-10-20 21:16 297,472 --a------ c:\windows\System32\gdi32.dll
2008-12-14 01:18 . 2008-10-31 19:33 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-14 01:18 . 2008-10-15 20:40 26,624 --a------ c:\windows\System32\ieUnatt.exe
2008-12-14 01:17 . 2008-06-22 17:52 2,855,424 --a------ c:\windows\System32\mf.dll
2008-12-14 01:17 . 2008-06-22 17:52 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-14 01:17 . 2008-06-22 17:52 98,816 --a------ c:\windows\System32\mfps.dll
2008-12-14 01:17 . 2008-06-22 17:52 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-14 01:17 . 2008-06-22 17:52 52,736 --a------ c:\windows\System32\rrinstaller.exe
2008-12-14 01:17 . 2008-06-22 17:52 24,576 --a------ c:\windows\System32\mfpmp.exe
2008-12-14 01:17 . 2008-06-22 14:34 2,048 --a------ c:\windows\System32\mferror.dll
2008-12-11 22:30 . 2008-12-18 01:05 d-------- c:\users\kittymade\AppData\Roaming\U3
2008-12-09 20:10 . 2008-12-09 20:10 d-------- c:\program files\Trend Micro
2008-12-08 02:51 . 2008-12-08 02:52 d-------- c:\users\All Users\Lavasoft
2008-12-08 02:51 . 2008-12-08 02:52 d-------- c:\programdata\Lavasoft
2008-12-08 02:51 . 2008-12-08 02:51 d-------- c:\program files\Lavasoft
2008-12-08 00:31 . 2008-07-19 07:36 51,280 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2008-12-07 18:12 . 2008-12-07 18:12 d-------- c:\program files\Alwil Software
2008-11-25 17:29 . 2008-10-20 21:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 17:29 . 2008-08-27 19:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 17:29 . 2008-08-27 19:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 17:29 . 2008-08-27 19:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 17:29 . 2008-10-21 19:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 17:29 . 2008-10-21 19:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-25 17:29 . 2008-10-21 19:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-24 22:57 . 2008-11-24 23:27 d-------- c:\users\kittymade\AppData\Roaming\SecondLife
2008-11-20 10:54 . 2008-10-16 13:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-20 10:54 . 2008-10-16 12:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-20 10:54 . 2008-10-16 13:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-20 10:54 . 2008-10-16 13:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-20 10:53 . 2008-10-16 13:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-20 10:53 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-20 10:53 . 2008-10-16 12:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-20 10:53 . 2008-10-16 13:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-20 10:53 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 08:54 174 --sha-w c:\program files\desktop.ini
2008-12-18 08:52 --------- d-----w c:\program files\Windows Mail
2008-12-15 06:18 --------- d-----w c:\program files\Full Tilt Poker
2008-12-15 06:17 --------- d-----w c:\programdata\PopCap Games
2008-12-15 06:16 --------- d-----w c:\program files\Word Whomp To Go
2008-12-15 06:16 --------- d-----w c:\program files\Shockwave.com
2008-12-15 06:16 --------- d-----w c:\program files\eGames
2008-12-15 06:14 --------- d-----w c:\program files\Oberon Media
2008-12-15 06:10 --------- d-----w c:\program files\IncrediMail
2008-12-15 06:05 --------- d-----w c:\program files\Chuzzle Deluxe
2008-12-15 06:02 --------- d-----w c:\program files\Bejeweled 2 Deluxe
2008-12-08 12:43 --------- d-----w c:\program files\MSN Messenger
2008-12-08 10:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\CyberLink
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\Corel
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\Canon
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\Apple Computer
2008-11-18 20:11 --------- d-----w c:\program files\Lx_cats
2008-11-01 03:33 537,600 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:33 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:33 449,536 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:33 2,144,256 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:33 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-31 23:23 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-10-31 21:36 --------- d-----w c:\users\kittymade\AppData\Roaming\Lexmark Productivity Studio
2008-10-31 21:24 --------- d-----w c:\program files\Lexmark 1300 Series
2008-10-31 21:23 --------- d-----w c:\program files\Lexmark Toolbar
2008-10-28 08:18 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-14 17:07 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-14 17:07 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-14 17:07 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-14 17:07 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-14 17:07 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-06-18 22:40 24 --sh--r c:\windows\System32\8GVUZZR81K.sys
.



Post by Jax on 19th December 2008, 9:14 am

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-19 07:12:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-19 08:18:35 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-19 07:12:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-19 08:18:35 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-19 07:13:12 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-12-19 08:20:57 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-12-19 07:15:10 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-12-19 08:20:57 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-12-19 07:13:41 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-19 08:18:54 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-19 07:13:41 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-19 08:18:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-19 07:13:41 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-19 08:18:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-19 07:14:37 15,022 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2567293334-2876055130-1570543203-1000_UserData.bin
+ 2008-12-19 08:22:17 15,360 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2567293334-2876055130-1570543203-1000_UserData.bin
- 2008-12-19 07:14:37 71,220 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-19 08:22:17 72,164 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-18 09:03:17 52,048 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-19 08:22:11 52,240 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-12-19 06:56:19 332,862 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2008-12-19 07:57:59 336,460 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Smax4v"="c:\users\kittymade\AppData\Roaming\Google\windep.exe" [2008-12-06 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-15 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-15 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-15 81920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-27 1540096]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\PhotoDownloader.exe" [BU]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-10-13 184320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [BU]
"My Web Search Bar Search Scope Monitor"="c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [BU]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"1194862116"="c:\progra~1\eGames\PUZZLE~1\Register\EGAMES~1.EXE" [BU]
"zzz_ImInstaller_IncrediMail"="c:\users\kittymade\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" [BU]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"lxdcmon.exe"="c:\program files\Lexmark 1300 Series\lxdcmon.exe" [BU]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-07 c:\windows\sttray.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-04-17 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
QuickSet.lnk - c:\windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-04-17 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-04-17 05:22 240640 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

Jax
Novice
Posts : 13
Joined : 2008-12-12
OS : Windows Vista
Points : 29180
# Likes : 0

Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Jax on 19th December 2008, 9:15 am

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{554EFDF6-BE6B-44DB-9495-E83572DCADC3}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{0732AC98-EA12-4B40-986F-1713CBA69850}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{B18F8F60-CC20-455D-AD16-83CA4132B395}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{70F30BDA-264D-4AEB-922B-8EA9C614D2F4}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{245FD928-5DF5-46CC-BD29-C9D0DEE702F8}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{652D8E6B-B5F9-4213-AA96-96660B1B4341}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{D710E472-BB83-46CA-BE38-4164C13F9061}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{6B149586-CD20-412D-8176-6BE29575C6BF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{4BDB88C1-CC39-4A1A-A464-C1E5E61BE6E1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A58B66D9-B781-4E82-9063-F2B99622F02A}"= Disabled:UDP:c:\users\kittymade\Desktop\incredimail_install.exe:IncrediMail Installer
"{41242F3F-2E83-43B0-B7DC-77E5CA8ED064}"= Disabled:TCP:c:\users\kittymade\Desktop\incredimail_install.exe:IncrediMail Installer
"{36C64B40-7692-4CE4-91A8-B7E496AC649A}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{C50D641F-E175-42F5-AAB9-3C81DF9C1133}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{59C2D1E8-3D9C-4BDC-A3F6-746365FEF51D}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{25767E3B-1D12-49A4-AF4F-88CF90795672}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{0DF0470D-2428-454D-8946-16F6DA5E4457}"= Disabled:UDP:c:\users\kittymade\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQ37VM8J\incredimail_install[1].exe:IncrediMail Installer
"{910BB33E-B5FC-43F4-A3D8-C4D075108CE7}"= Disabled:TCP:c:\users\kittymade\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQ37VM8J\incredimail_install[1].exe:IncrediMail Installer
"{F369CEB5-AB2C-4DD0-AB83-1528DF60114D}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{B67A1E35-7501-469F-B5E4-711EFA00F432}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{E93FE60F-A1F7-4B48-9DBC-4BB37629D088}"= UDP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{952E9A51-208A-47B8-AFFB-CE2B0AC2AD0C}"= TCP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{00028FFF-3C7D-401B-85F2-13FB339C1C10}"= UDP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{679FF4D7-9D66-46D2-AD2B-3113A880ABEF}"= TCP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{D39CD5D2-DF9F-463B-9E54-7366E21F82AB}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{0A5444A4-FE9F-4F0F-914E-59ADBC433180}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{4567B232-3FD0-478F-B9C3-ED0A9159C895}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{69E1EA6E-452A-4E73-9401-A5114CA4A411}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{5D6A4DE8-C2F0-44B7-B9A2-810244CC1D93}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{462FCB56-939D-49E8-BD71-F884F33CBA74}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{B3956FD2-250A-4DFE-B310-87EE7B5155BC}"= UDP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{5848373D-E61F-44DA-B79D-B6CFDD9D51C5}"= TCP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{ED523434-C084-4746-87FE-E4EDDA12CF35}"= Disabled:UDP:135:TCP Port 135
"{4ED3D300-167C-4B0B-82F3-5C1791CA8DC8}"= Disabled:UDP:5000:TCP Port 5000
"{0874ED45-0547-4AD2-B7E5-3213112EC554}"= Disabled:UDP:5001:TCP Port 5001
"{A3FCC4A3-2FF1-44AE-A6EF-C7A0F8E6DA75}"= Disabled:UDP:5002:TCP Port 5002
"{C6E36C39-2EF0-41E0-8910-BB3DDF51248A}"= Disabled:UDP:5003:TCP Port 5003
"{0449130A-96A5-451F-B705-7A9989434404}"= Disabled:UDP:5004:TCP Port 5004
"{A3555619-C674-4D48-9532-522BB1966D36}"= Disabled:UDP:5005:TCP Port 5005
"{2F921D2B-F2A9-4F1B-B719-5BE53B4D5DA0}"= Disabled:UDP:5006:TCP Port 5006
"{D23FD23B-E0F1-4638-9FE0-93863DF504CB}"= Disabled:UDP:5007:TCP Port 5007
"{15B1BC50-6E8F-4EC0-84DF-1B7424118A40}"= Disabled:UDP:5008:TCP Port 5008
"{5EBC7566-EBFA-427A-919C-A7F729E73017}"= Disabled:UDP:5009:TCP Port 5009
"{5CB9CEF1-C7E0-43B9-AA5C-6E094811F2E2}"= Disabled:UDP:5010:TCP Port 5010
"{E58C6288-E0CA-44A9-9D26-8B61AC063C42}"= Disabled:UDP:5011:TCP Port 5011
"{B9995882-521C-4845-8EA1-0BC4EEE9843A}"= Disabled:UDP:5012:TCP Port 5012
"{DB1931CE-6A30-4B8C-A729-8E2D98D1DC8A}"= Disabled:UDP:5013:TCP Port 5013
"{50BCF826-E4A1-4FE8-84FA-B34F3536BB8D}"= Disabled:UDP:5014:TCP Port 5014
"{E19FDAEB-D3D6-4419-BF1C-5A0C870FF978}"= Disabled:UDP:5015:TCP Port 5015
"{A6557DE6-987C-4D9D-A4CD-25905BE8C10A}"= Disabled:UDP:5016:TCP Port 5016
"{64706EE1-FE94-4959-9986-43C00E3DCC0C}"= Disabled:UDP:5017:TCP Port 5017
"{2FEE2722-AC33-4443-B181-FCC55D6B694C}"= Disabled:UDP:5018:TCP Port 5018
"{5576A9C6-9B5B-4724-98DC-DFB522E23091}"= Disabled:UDP:5019:TCP Port 5019
"{3DBC401E-6572-44F9-95ED-B65348DCC5F0}"= Disabled:UDP:5020:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-08 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-08 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-12-08 51280]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service []
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-05-25 99248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2008-11-24 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 01:45]

2008-12-19 c:\windows\Tasks\User_Feed_Synchronization-{198E464D-2001-4E15-B00E-473EF0ACCD1C}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 01:45]

2008-12-18 c:\windows\Tasks\User_Feed_Synchronization-{B21CF31B-6EBD-4577-A1E2-025EC75D939E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 01:45]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-19 00:21:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\System32\lxdccoms.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-19 0:37:26 - machine was rebooted [kittymade]
ComboFix-quarantined-files.txt 2008-12-19 08:37:14

Pre-Run: 7,376,203,776 bytes free
Post-Run: 7,260,291,072 bytes free

289 --- E O F --- 2008-12-18 11:01:27



Post by Jax on 19th December 2008, 9:16 am

I hope I did that right, it was a long log... ~ (Thanks again so very much for your time and help)~



Post by Belahzur on 19th December 2008, 9:25 am

Now open a new notepad file.
Input this into the notepad file:

File::
c:\users\kittymade\AppData\Roaming\Google\windep.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smax4v"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1
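The CFScript above is written by hand after reading the "Reg Loading Points" section of the ComboFix log: the helper spots an autorun value whose binary lives under the user profile (windep.exe in AppData\Roaming) and drafts a `File::` / `Registry::` script to remove it. The following Python is an added example, not code from ComboFix, from this forum, or from Belahzur; it parses a constructed excerpt of the Run-key listing in the same shape as the posted log, flags entries by a heuristic I am assuming (binary launched from a user-writable location such as `\users\`, `\appdata\` or `\temp\`), and drafts a CFScript in the `File::` / `Registry::` form shown in the post, where `"Name"=-` deletes a value. The heuristic only narrows the list; the draft is for a human to review before it is ever used.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the ComboFix
# "Reg Loading Points" section from the log posted above. Illustration only.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"Smax4v"="c:\users\kittymade\AppData\Roaming\Google\windep.exe" [2008-12-06 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"zzz_ImInstaller_IncrediMail"="c:\users\kittymade\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" [BU]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
'''

# A registry key header line such as [HKEY_CURRENT_USER\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A value line such as "Name"="c:\path\file.exe" [date size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

# Heuristic (my assumption, not a ComboFix rule): an autorun whose binary lives
# under the user profile or a temp directory deserves a closer look, because
# vendor software normally installs under Program Files or System32.
USER_WRITABLE_MARKERS = ('\\users\\', '\\appdata\\', '\\temp\\')


@dataclass
class RunEntry:
    key: str    # registry key the value sits under
    name: str   # value name, e.g. "Smax4v"
    path: str   # path the value launches
    meta: str   # the bracketed date/size (or "BU") ComboFix appended


def parse_run_entries(log_text):
    """Collect the values listed under every ...\\CurrentVersion\\Run key."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key and current_key.lower().endswith('\\currentversion\\run'):
            entries.append(RunEntry(current_key, value_match.group('name'),
                                    value_match.group('path'), value_match.group('meta')))
    return entries


def is_suspicious(path):
    """True when the launched binary sits in a user-writable location."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def build_cfscript(flagged):
    """Draft a CFScript.txt in the File::/Registry:: form used in the post above.

    The draft is for a human to review; the heuristic narrows the list, it
    does not prove an entry is malicious."""
    lines = ['File::'] + [entry.path for entry in flagged]
    lines += ['', 'Registry::']
    last_key = None
    for entry in flagged:
        if entry.key != last_key:
            lines.append(f'[{entry.key}]')
            last_key = entry.key
        lines.append(f'"{entry.name}"=-')   # "=-" deletes the value, as in the post
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    flagged = [e for e in parse_run_entries(SAMPLE_LOG) if is_suspicious(e.path)]
    for e in flagged:
        print(f'flag: {e.name!r} -> {e.path} [{e.meta}]')
    print(build_cfscript(flagged))
```

Run against the constructed excerpt it flags `Smax4v` and `zzz_ImInstaller_IncrediMail` and leaves the vendor entries under Program Files alone; anything it drafts still has to be checked by whoever is doing the cleanup, exactly as the helper did by hand above.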


Post by Jax on 23rd December 2008, 3:42 am

ComboFix 08-12-18.01 - kittymade 2008-12-22 19:20:50.3 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.2038.1007 [GMT -8:00]
Running from: G:\ComboFix.exe
Command switches used :: c:\users\kittymade\Desktop\CFscript - Shortcut.lnk
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 )))))))))))))))))))))))))))))))
.

2008-12-18 03:00 . 2008-12-11 17:53 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-18 00:58 . 2008-12-18 00:58 d-------- C:\_OTMoveIt
2008-12-18 00:13 . 2008-10-21 15:31 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-14 01:18 . 2008-10-31 15:38 4,247,552 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-14 01:18 . 2008-10-28 22:20 2,923,520 --a------ c:\windows\explorer.exe
2008-12-14 01:18 . 2008-10-31 19:33 1,687,040 --a------ c:\windows\System32\gameux.dll
2008-12-14 01:18 . 2008-10-20 21:16 297,472 --a------ c:\windows\System32\gdi32.dll
2008-12-14 01:18 . 2008-10-31 19:33 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-14 01:18 . 2008-10-15 20:40 26,624 --a------ c:\windows\System32\ieUnatt.exe
2008-12-14 01:17 . 2008-06-22 17:52 2,855,424 --a------ c:\windows\System32\mf.dll
2008-12-14 01:17 . 2008-06-22 17:52 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-14 01:17 . 2008-06-22 17:52 98,816 --a------ c:\windows\System32\mfps.dll
2008-12-14 01:17 . 2008-06-22 17:52 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-14 01:17 . 2008-06-22 17:52 52,736 --a------ c:\windows\System32\rrinstaller.exe
2008-12-14 01:17 . 2008-06-22 17:52 24,576 --a------ c:\windows\System32\mfpmp.exe
2008-12-14 01:17 . 2008-06-22 14:34 2,048 --a------ c:\windows\System32\mferror.dll
2008-12-11 22:30 . 2008-12-22 19:15 d-------- c:\users\kittymade\AppData\Roaming\U3
2008-12-09 20:10 . 2008-12-09 20:10 d-------- c:\program files\Trend Micro
2008-12-08 02:51 . 2008-12-08 02:52 d-------- c:\users\All Users\Lavasoft
2008-12-08 02:51 . 2008-12-08 02:52 d-------- c:\programdata\Lavasoft
2008-12-08 02:51 . 2008-12-08 02:51 d-------- c:\program files\Lavasoft
2008-12-08 00:31 . 2008-07-19 07:36 51,280 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2008-12-07 18:12 . 2008-12-07 18:12 d-------- c:\program files\Alwil Software
2008-11-25 17:29 . 2008-10-20 21:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-25 17:29 . 2008-08-27 19:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-25 17:29 . 2008-08-27 19:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-25 17:29 . 2008-08-27 19:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-25 17:29 . 2008-10-21 19:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-25 17:29 . 2008-10-21 19:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-25 17:29 . 2008-10-21 19:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-24 22:57 . 2008-11-24 23:27 d-------- c:\users\kittymade\AppData\Roaming\SecondLife

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 08:54 174 --sha-w c:\program files\desktop.ini
2008-12-18 08:52 --------- d-----w c:\program files\Windows Mail
2008-12-15 06:18 --------- d-----w c:\program files\Full Tilt Poker
2008-12-15 06:17 --------- d-----w c:\programdata\PopCap Games
2008-12-15 06:16 --------- d-----w c:\program files\Word Whomp To Go
2008-12-15 06:16 --------- d-----w c:\program files\Shockwave.com
2008-12-15 06:16 --------- d-----w c:\program files\eGames
2008-12-15 06:14 --------- d-----w c:\program files\Oberon Media
2008-12-15 06:10 --------- d-----w c:\program files\IncrediMail
2008-12-15 06:05 --------- d-----w c:\program files\Chuzzle Deluxe
2008-12-15 06:02 --------- d-----w c:\program files\Bejeweled 2 Deluxe
2008-12-08 12:43 --------- d-----w c:\program files\MSN Messenger
2008-12-08 10:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\CyberLink
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\Corel
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\Canon
2008-12-06 10:42 --------- d-----w c:\users\kittymade\AppData\Roaming\Apple Computer
2008-11-18 20:11 --------- d-----w c:\program files\Lx_cats
2008-11-01 03:33 537,600 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:33 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:33 449,536 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:33 2,144,256 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:33 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-31 23:23 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2008-10-31 21:36 --------- d-----w c:\users\kittymade\AppData\Roaming\Lexmark Productivity Studio
2008-10-31 21:24 --------- d-----w c:\program files\Lexmark 1300 Series
2008-10-31 21:23 --------- d-----w c:\program files\Lexmark Toolbar
2008-10-28 08:18 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-16 22:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 21:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 04:40 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-16 04:40 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-11-14 17:07 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-14 17:07 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-14 17:07 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-14 17:07 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-14 17:07 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-06-18 22:40 24 --sh--r c:\windows\System32\8GVUZZR81K.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-19 07:12:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-12-19 08:18:35 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-12-19 07:12:30 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-12-19 08:18:35 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-12-19 07:13:12 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-12-19 08:20:57 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-12-19 07:15:10 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-12-19 08:22:17 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-12-19 07:13:41 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-19 08:18:54 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-19 07:13:41 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-19 08:18:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-19 07:13:41 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-19 08:18:54 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-19 07:14:37 15,022 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2567293334-2876055130-1570543203-1000_UserData.bin
+ 2008-12-19 08:22:17 15,360 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2567293334-2876055130-1570543203-1000_UserData.bin
- 2008-12-19 07:14:37 71,220 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-19 08:22:17 72,164 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-18 09:03:17 52,048 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-12-19 08:22:11 52,240 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-12-19 06:56:19 332,862 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2008-12-19 07:57:59 336,460 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2008-12-15 03:42:23 268,286 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-12-23 03:10:43 269,034 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.



Post by Jax on 23rd December 2008, 3:43 am

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Smax4v"="c:\users\kittymade\AppData\Roaming\Google\windep.exe" [2008-12-06 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-15 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-15 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-15 81920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-27 1540096]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\PhotoDownloader.exe" [BU]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-10-13 184320]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [BU]
"My Web Search Bar Search Scope Monitor"="c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" [BU]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"1194862116"="c:\progra~1\eGames\PUZZLE~1\Register\EGAMES~1.EXE" [BU]
"zzz_ImInstaller_IncrediMail"="c:\users\kittymade\AppData\Local\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe" [BU]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"lxdcmon.exe"="c:\program files\Lexmark 1300 Series\lxdcmon.exe" [BU]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-07 c:\windows\sttray.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-04-17 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
QuickSet.lnk - c:\windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-04-17 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2007-04-17 05:22 240640 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{554EFDF6-BE6B-44DB-9495-E83572DCADC3}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{0732AC98-EA12-4B40-986F-1713CBA69850}"= TCP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{B18F8F60-CC20-455D-AD16-83CA4132B395}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{70F30BDA-264D-4AEB-922B-8EA9C614D2F4}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{245FD928-5DF5-46CC-BD29-C9D0DEE702F8}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{652D8E6B-B5F9-4213-AA96-96660B1B4341}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{D710E472-BB83-46CA-BE38-4164C13F9061}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{6B149586-CD20-412D-8176-6BE29575C6BF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{4BDB88C1-CC39-4A1A-A464-C1E5E61BE6E1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A58B66D9-B781-4E82-9063-F2B99622F02A}"= Disabled:UDP:c:\users\kittymade\Desktop\incredimail_install.exe:IncrediMail Installer
"{41242F3F-2E83-43B0-B7DC-77E5CA8ED064}"= Disabled:TCP:c:\users\kittymade\Desktop\incredimail_install.exe:IncrediMail Installer
"{36C64B40-7692-4CE4-91A8-B7E496AC649A}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{C50D641F-E175-42F5-AAB9-3C81DF9C1133}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{59C2D1E8-3D9C-4BDC-A3F6-746365FEF51D}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{25767E3B-1D12-49A4-AF4F-88CF90795672}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{0DF0470D-2428-454D-8946-16F6DA5E4457}"= Disabled:UDP:c:\users\kittymade\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQ37VM8J\incredimail_install[1].exe:IncrediMail Installer
"{910BB33E-B5FC-43F4-A3D8-C4D075108CE7}"= Disabled:TCP:c:\users\kittymade\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQ37VM8J\incredimail_install[1].exe:IncrediMail Installer
"{F369CEB5-AB2C-4DD0-AB83-1528DF60114D}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{B67A1E35-7501-469F-B5E4-711EFA00F432}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{E93FE60F-A1F7-4B48-9DBC-4BB37629D088}"= UDP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{952E9A51-208A-47B8-AFFB-CE2B0AC2AD0C}"= TCP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{00028FFF-3C7D-401B-85F2-13FB339C1C10}"= UDP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{679FF4D7-9D66-46D2-AD2B-3113A880ABEF}"= TCP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{D39CD5D2-DF9F-463B-9E54-7366E21F82AB}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{0A5444A4-FE9F-4F0F-914E-59ADBC433180}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{4567B232-3FD0-478F-B9C3-ED0A9159C895}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{69E1EA6E-452A-4E73-9401-A5114CA4A411}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{5D6A4DE8-C2F0-44B7-B9A2-810244CC1D93}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{462FCB56-939D-49E8-BD71-F884F33CBA74}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{B3956FD2-250A-4DFE-B310-87EE7B5155BC}"= UDP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{5848373D-E61F-44DA-B79D-B6CFDD9D51C5}"= TCP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{ED523434-C084-4746-87FE-E4EDDA12CF35}"= Disabled:UDP:135:TCP Port 135
"{4ED3D300-167C-4B0B-82F3-5C1791CA8DC8}"= Disabled:UDP:5000:TCP Port 5000
"{0874ED45-0547-4AD2-B7E5-3213112EC554}"= Disabled:UDP:5001:TCP Port 5001
"{A3FCC4A3-2FF1-44AE-A6EF-C7A0F8E6DA75}"= Disabled:UDP:5002:TCP Port 5002
"{C6E36C39-2EF0-41E0-8910-BB3DDF51248A}"= Disabled:UDP:5003:TCP Port 5003
"{0449130A-96A5-451F-B705-7A9989434404}"= Disabled:UDP:5004:TCP Port 5004
"{A3555619-C674-4D48-9532-522BB1966D36}"= Disabled:UDP:5005:TCP Port 5005
"{2F921D2B-F2A9-4F1B-B719-5BE53B4D5DA0}"= Disabled:UDP:5006:TCP Port 5006
"{D23FD23B-E0F1-4638-9FE0-93863DF504CB}"= Disabled:UDP:5007:TCP Port 5007
"{15B1BC50-6E8F-4EC0-84DF-1B7424118A40}"= Disabled:UDP:5008:TCP Port 5008
"{5EBC7566-EBFA-427A-919C-A7F729E73017}"= Disabled:UDP:5009:TCP Port 5009
"{5CB9CEF1-C7E0-43B9-AA5C-6E094811F2E2}"= Disabled:UDP:5010:TCP Port 5010
"{E58C6288-E0CA-44A9-9D26-8B61AC063C42}"= Disabled:UDP:5011:TCP Port 5011
"{B9995882-521C-4845-8EA1-0BC4EEE9843A}"= Disabled:UDP:5012:TCP Port 5012
"{DB1931CE-6A30-4B8C-A729-8E2D98D1DC8A}"= Disabled:UDP:5013:TCP Port 5013
"{50BCF826-E4A1-4FE8-84FA-B34F3536BB8D}"= Disabled:UDP:5014:TCP Port 5014
"{E19FDAEB-D3D6-4419-BF1C-5A0C870FF978}"= Disabled:UDP:5015:TCP Port 5015
"{A6557DE6-987C-4D9D-A4CD-25905BE8C10A}"= Disabled:UDP:5016:TCP Port 5016
"{64706EE1-FE94-4959-9986-43C00E3DCC0C}"= Disabled:UDP:5017:TCP Port 5017
"{2FEE2722-AC33-4443-B181-FCC55D6B694C}"= Disabled:UDP:5018:TCP Port 5018
"{5576A9C6-9B5B-4724-98DC-DFB522E23091}"= Disabled:UDP:5019:TCP Port 5019
"{3DBC401E-6572-44F9-95ED-B65348DCC5F0}"= Disabled:UDP:5020:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-08 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-08 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-12-08 51280]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service []
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdcserv.exe [2007-05-25 99248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4c080d0-c814-11dd-ad78-0019b9674b88}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-24 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2006-11-02 01:45]

2008-12-23 c:\windows\Tasks\User_Feed_Synchronization-{198E464D-2001-4E15-B00E-473EF0ACCD1C}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 01:45]

2008-12-23 c:\windows\Tasks\User_Feed_Synchronization-{B21CF31B-6EBD-4577-A1E2-025EC75D939E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 01:45]
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-22 19:22:27
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-22 19:31:38
ComboFix-quarantined-files.txt 2008-12-23 03:31:34
ComboFix2.txt 2008-12-19 08:37:27

Pre-Run: 8,162,287,616 bytes free
Post-Run: 7,921,684,480 bytes free

264 --- E O F --- 2008-12-18 11:01:27


Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Belahzur on 23rd December 2008, 2:16 pm

Hello.
You didn't run the script properly, CF says it was run via a .lnk file, we need to run it as a .txt file.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    explorer.exe

    :files
    c:\users\kittymade\AppData\Roaming\Google\windep.exe

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smax4v"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "My Web Search Bar Search Scope Monitor"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Jax on 29th December 2008, 7:02 am

Help meeeeeeeeeee... Sad tearing (sorry)


Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Belahzur on 29th December 2008, 1:08 pm

Please run the OTMoveIt.





Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Jax on 30th December 2008, 1:03 pm

Ok, AFTER I did this (Below);
* Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
* Click the red Moveit! button.

AN AVAST WARNING WINDOW OPENED ALMOST IMMEDIATELY AND THIS IS WHAT IT SAID;

"A VIRUS WAS FOUND!"
Malware Name; Windows32 Trojan-Gem/ other
Malware Type; Virus/Worm
Available Action Choices were;
Move/Rename, Delete, Repair, and Move to Chest,

RECOMMENDED ACTION; MOVE TO CHEST"

...So I chose that, "MOVE TO CHEST", and then another Avast window came up and said "THE PROCESS CAN NOT ACCESS THE FILE BECAUSE IT IS BEING USED BY ANOTHER PROCESS"

I closed the WARNING VIRUS window.... Then it rebooted. Upon rebooting I clicked the MoveIt3 on my desktop and here was what the log said;

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\users\kittymade\AppData\Roaming\Google\windep.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Smax4v deleted successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\My Web Search Bar Search Scope Monitor .
========== COMMANDS ==========
File delete failed. C:\Users\KITTYM~1\AppData\Local\Temp\~DFB57C.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\KITTYM~1\AppData\Local\Temp\~DFE634.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12302008_043503

Files moved on Reboot...
C:\Users\KITTYM~1\AppData\Local\Temp\~DFB57C.tmp moved successfully.
File C:\Users\KITTYM~1\AppData\Local\Temp\~DFE634.tmp not found!

____________________________________________

I hope I did this right......? Thank you. Smile
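The log above is worth reading line by line rather than just checking that it ends with "Explorer started successfully": one of the four actions Belahzur's script requested (the HKLM "My Web Search Bar Search Scope Monitor" Run value) was not deleted, and nothing in the summary lines says so. The following Python script is an added example for this thread, not OTMoveIt's own code: it parses a script in the `:processes` / `:files` / `:reg` / `:commands` format posted earlier in the thread, pairs each requested action with its outcome in the results log, and lists anything that did not succeed. The script and log text embedded in it are constructed copies of the ones posted in this thread; the matching rules for the log wording ("moved successfully", "deleted successfully", "Unable to delete") are taken from the lines shown above and are an assumption for any other OTMoveIt output.

```python
"""Reconcile an OTMoveIt3-style instruction script against the results log
it produced.  Added example; not OTMoveIt's code.  The matching rules for
the log wording are taken from the log lines posted in the thread and are an
assumption for other versions of the tool."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the script posted in the thread (raw string, so the
# single backslashes in paths and keys are kept literally).
SCRIPT = r"""
:processes
explorer.exe

:files
c:\users\kittymade\AppData\Roaming\Google\windep.exe

:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smax4v"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"My Web Search Bar Search Scope Monitor"=-

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
"""

# Constructed copy of the results log posted in the thread (abridged).
LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\users\kittymade\AppData\Roaming\Google\windep.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Smax4v deleted successfully.
Unable to delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\My Web Search Bar Search Scope Monitor .
========== COMMANDS ==========
File delete failed. C:\Users\KITTYM~1\AppData\Local\Temp\~DFB57C.tmp scheduled to be deleted on reboot.
Explorer started successfully
"""


def parse_script(text: str) -> Dict[str, list]:
    """Split the script into its directive sections.
    'reg' entries become (key, value_name) pairs; a '"name"=-' line deletes
    that value under the most recent [key] line."""
    sections: Dict[str, list] = {"processes": [], "files": [], "reg": [], "commands": []}
    current = None   # name of the section we are in
    reg_key = None   # last [HKEY...] line seen inside :reg
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):                 # section header such as ':files'
            current = line[1:].lower()
            sections.setdefault(current, [])
            reg_key = None
            continue
        if current == "reg":
            if line.startswith("[") and line.endswith("]"):
                reg_key = line[1:-1]
            else:
                m = re.match(r'"([^"]+)"=-$', line)
                if m and reg_key:
                    sections["reg"].append((reg_key, m.group(1)))
        elif current == "commands":
            sections["commands"].append(line.strip("[]"))
        elif current is not None:
            sections[current].append(line)
    return sections


def reconcile(script_text: str, log_text: str) -> List[Tuple[str, str, str]]:
    """Pair each requested action with its outcome in the log.
    Status is 'ok', 'failed' (the log names the target but not as a success)
    or 'missing' (the log never mentions the target)."""
    plan = parse_script(script_text)
    log = log_text.lower()                       # the log is matched case-insensitively
    report: List[Tuple[str, str, str]] = []
    for proc in plan["processes"]:
        ok = f"process {proc.lower()} killed successfully" in log
        report.append(("process", proc, "ok" if ok else "missing"))
    for path in plan["files"]:
        p = path.lower()
        status = "ok" if f"{p} moved successfully" in log else ("failed" if p in log else "missing")
        report.append(("file", path, status))
    for key, name in plan["reg"]:
        # OTMoveIt writes the key and value name joined by a doubled backslash.
        target = f"{key}\\\\{name}".lower()
        if f"registry value {target} deleted successfully" in log:
            status = "ok"
        elif f"unable to delete registry value {target}" in log:
            status = "failed"
        else:
            status = "missing"
        report.append(("reg", f"{key}\\{name}", status))
    return report


def failed_actions(report: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (kind, target) for every requested action that did not succeed."""
    return [(kind, target) for kind, target, status in report if status != "ok"]


if __name__ == "__main__":
    for kind, target, status in reconcile(SCRIPT, LOG):
        print(f"{status:8} {kind:8} {target}")
    print("not done:", failed_actions(reconcile(SCRIPT, LOG)))
```

Run on the constructed log, `failed_actions` returns exactly one entry, the HKLM Run value the log reported as "Unable to delete"; that is the item a helper would want to follow up on (another tool, or a retry after the process holding the key is gone) before declaring the machine clean.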


Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Belahzur on 30th December 2008, 2:17 pm

Yep.
The virus alerts should have stopped.





Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Jax on 31st December 2008, 10:19 am

It seems to have worked, no more Trojan Notices. I can't thank you enough for your time and help! Happy New Year! Smile Smile Smile Thank You!


Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Belahzur on 31st December 2008, 2:34 pm

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.





Solved Re: Trpjan.Zlob.G, computer illiterate here, heeeeeelllllllp! :(

Post by Doctor Inferno on 14th February 2009, 4:15 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

