WiredWX Hobby Weather Tools


zlob.g trojan

3 posters

Re: zlob.g trojan
I haven't tried it out of safe mode. Will do so right now and get right back.

thanks

Re: zlob.g trojan
Okay. :)

Re: zlob.g trojan
OMG, it's still screwed. On the first boot I got a "msconfig has caused a system failure" prompt and then it shut down, and the same thing happened on the second attempt.
On the third attempt a prompt about repairing a possible threat file came up and I repaired it, then a normal boot up, but the phony Windows Firewall alert came up again. When I try to use Internet Explorer I get a "dangerous browsing" warning and it freezes up....

this is killing me man - please don't give up on it, but I have no browser to communicate with you in "normal" mode.

Re: zlob.g trojan
Hello.
Do you have another machine to use? Because it would be a good idea to get this into normal mode; that would be a step in the right direction.

If you can get this machine into safe mode, please run combofix again.

Re: zlob.g trojan
It's in safe mode; here's the ComboFix file. I believe my Outlook email is still working in normal mode, or I can run the utilities in normal mode, then go into safe mode to send to you...

ComboFix 08-12-06.04 - Administrator 2008-12-06 19:15:03.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1254 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 14:22 . 2008-12-06 14:22 d-------- c:\program files\Microsoft Windows OneCare Live
2008-12-06 13:33 . 2008-12-06 13:34 78,790,542 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-12-06 09:04 . 2008-12-06 09:05 d-------- c:\documents and settings\Administrator\Application Data\AVG7
2008-11-28 07:42 . 2008-11-28 07:42 d-------- c:\program files\Reality Pump
2008-11-28 07:31 . 2008-12-06 18:05 d-------- c:\program files\Common
2008-11-12 12:55 . 2008-12-05 20:58 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-11-12 12:43 . 2008-11-12 12:43 d-------- C:\Extras
2008-11-12 09:08 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:06 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-08 17:59 . 2008-11-08 17:59 d-------- c:\documents and settings\All Users\Application Data\Age of Empires 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 17:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2008-12-06 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-05 19:18 --------- d-----w c:\program files\Flash Menu Factory
2008-11-12 18:43 --------- d-----w c:\program files\THQ
2008-11-09 04:17 --------- d-----w c:\program files\Java
2008-11-08 23:42 --------- d-----w c:\program files\Microsoft Games
2008-11-07 04:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-04 01:44 --------- d-----w c:\program files\BearShare
2008-11-01 16:09 --------- d-----w c:\program files\Common Files\AVSMedia
2008-11-01 16:09 --------- d-----w c:\program files\AVS4YOU
2008-10-29 21:55 --------- d-----w c:\program files\The KMPlayer
2008-10-29 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-12 06:50 --------- d-----w c:\program files\DarkSwords
2008-10-11 23:28 --------- d-----w c:\program files\Eidos Interactive
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2002-07-27 01:02 153,088 ----a-w c:\program files\UNWISE.EXE
2008-05-07 20:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2007-12-17 660136]
"EzPrint"="c:\program files\Lexmark 2600 Series\ezprint.exe" [2007-12-17 107176]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-01-22 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-08 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 22:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 08:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-09-21 11:41 1605740 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-02 00:35 49152 c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2005-07-14 23:35 1961984 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 11:22 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 11:22 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2USBDRV]
--a------ 2006-12-19 11:07 38296 c:\windows\MICROI~1\PS2USBKbdDrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-04 19:07 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-03 01:19 77312 c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 11:22 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MSIServer"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"MDM"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"Fax"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\ws_ftp95.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\EA Games\\The Battle for Middle-earth (tm)\\game.dat"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
"c:\\Program Files\\Adobe\\Photoshop CS\\Photoshop.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnwbgw.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds.exe"=
"c:\\Program Files\\Reality Pump\\Two Worlds\\TwoWorlds_RADEON.exe"=
"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=
"c:\\WINDOWS\\system32\\lxdncoms.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 3\\Dreamweaver.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\SWGB\\Game\\Battlegrounds.exe"=

S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service []
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe [2008-07-08 98984]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2005-12-23 100480]
S3 Vob621kdiaf;Vob621kdiaf;c:\windows\system32\drivers\ati1tuxx.sys [2008-05-07 36463]
.
Contents of the 'Scheduled Tasks' folder

2008-12-06 c:\windows\Tasks\SyncBack Downloads.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]

2008-12-06 c:\windows\Tasks\SyncBack Music.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]

2008-12-06 c:\windows\Tasks\SyncBack ROUTINESYNC.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]

2008-12-06 c:\windows\Tasks\SyncBack Videos.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-08-12 11:00]

2008-12-06 c:\windows\Tasks\User_Feed_Synchronization-{3A60586B-A6B1-4783-A820-BA54CBAA296E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 19:18:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-06 19:20:35
ComboFix-quarantined-files.txt 2008-12-07 01:19:19
ComboFix2.txt 2008-12-07 00:28:37
ComboFix3.txt 2008-12-07 00:09:51

Pre-Run: 125,767,458,816 bytes free
Post-Run: 125,757,566,976 bytes free

204 --- E O F --- 2008-11-12 15:13:18

Re: zlob.g trojan
Hmm, let's see what this shows.

Now open a new notepad file.
Input this into the notepad file:

@echo off
dir "c:\documents and settings\Administrator\Application Data\Google" > log.txt
start notepad log.txt


Save this as look.bat, save it to your desktop.
Double click look.bat and the black cmd window will open and close, this is normal.
Post the log back here.
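A slightly more thorough version of the listing script above, added here as an example and not the helper's original look.bat. It lists the same folder but includes hidden and system files (dir /a), states plainly when the folder does not exist instead of leaving only the parent "Directory of" header in the output, and shows the attributes of any .exe or .dll it finds. The log name look.txt on the desktop is an assumption.

```batch
@echo off
REM look2.bat (added example, not the helper's original script)
REM Lists the suspected folder including hidden/system files, says
REM clearly when the folder is missing, and shows attributes of any
REM executables and libraries inside it.
setlocal

set "TARGET=c:\documents and settings\Administrator\Application Data\Google"
REM Assumed output location: look.txt on the current user's desktop
set "LOG=%USERPROFILE%\Desktop\look.txt"

> "%LOG%" echo Listing of "%TARGET%" taken %DATE% %TIME%
>> "%LOG%" echo.

REM The trailing backslash makes "if exist" test for a directory,
REM so a plain file with the same name does not count.
if not exist "%TARGET%\" (
    >> "%LOG%" echo Folder does not exist.
    goto :done
)

REM /a  lists every file regardless of attributes (hidden, system)
REM /-c drops thousands separators so sizes are easier to read
REM /s  descends into subfolders
>> "%LOG%" dir /a /-c /s "%TARGET%"

>> "%LOG%" echo.
>> "%LOG%" echo Executable and library files found (H = hidden, S = system):
REM attrib prints the attribute flags in front of each full path
for /r "%TARGET%" %%F in (*.exe *.dll) do >> "%LOG%" attrib "%%F"

:done
start notepad "%LOG%"
endlocal
```

Save it as look2.bat on the desktop and double-click it; the window closes on its own and Notepad opens look.txt with the result.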

Re: zlob.g trojan
here it is:

Volume in drive C is HP_Pavilion
Volume Serial Number is 0C82-8DF6

Directory of c:\documents and settings\Administrator\Application Data

Re: zlob.g trojan
the black command window didn't pop up

Re: zlob.g trojan
Why does this work for me, but never anyone else?


    To Unhide Files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Show hidden files and folders" option.
  • Hit the "Apply To All Folders" option.
  • Click Yes to confirm. Click OK.


What's inside this folder?
c:\documents and settings\Administrator\Application Data\Google
Post back and let me know what .exe or .dll files are present.

Re: zlob.g trojan
There is no Google folder there, perhaps because I'm in safe mode? I'll do a normal boot, see what is there then, and get right back to ya.

Re: zlob.g trojan
I'm in normal mode now and still no Google folder, but my browser seems to be working now. Do you want me to run ComboFix in normal mode? I'm afraid it's going to start malfunctioning again at any time, but I will try as long as it lasts.

Re: zlob.g trojan
No, let's just stay as it is and see what happens.

Re: zlob.g trojan
Thank you Belahzur, I hope it lasts, you rock! I'll be in touch if it starts again...

Re: zlob.g trojan
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.
