WiredWX Christian Hobby Weather Tools
Trojan.Zlob.G help

Somehow I got this Trojan today and I can't seem to figure out how to remove it. I ran ComboFix and here is the log report.

ComboFix 08-12-09.03 - HP_Owner 2008-12-10 19:11:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.180 [GMT -8:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\program files\Common Files\crosof~1.net
c:\program files\winupdates
c:\windows\system32\sysogg.dll
c:\windows\WINDOWS
c:\windows\WINDOWS\Vista Dock\Data\General.png
c:\windows\WINDOWS\Vista Dock\Data\Icons.png
c:\windows\WINDOWS\Vista Dock\Data\Position.png
c:\windows\WINDOWS\Vista Dock\Data\Style.png
c:\windows\WINDOWS\Vista Dock\Data\Thumbs.db
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultIcons\Thumbs.db
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultIcons\Unknown.png
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\background.ini
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\bg.png
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\sep.png
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\separator.ini
c:\windows\WINDOWS\Vista Dock\Defaults\DefaultSkin\Thumbs.db
c:\windows\WINDOWS\Vista Dock\Docklets\Defaults.ini
c:\windows\WINDOWS\Vista Dock\Icons\Clock.png
c:\windows\WINDOWS\Vista Dock\Icons\Control Panel.png
c:\windows\WINDOWS\Vista Dock\Icons\Folder.png
c:\windows\WINDOWS\Vista Dock\Icons\Internet Shortcut.png
c:\windows\WINDOWS\Vista Dock\Icons\My Computer.png
c:\windows\WINDOWS\Vista Dock\Icons\My Documents.png
c:\windows\WINDOWS\Vista Dock\Icons\My Music.png
c:\windows\WINDOWS\Vista Dock\Icons\My Network Places.png
c:\windows\WINDOWS\Vista Dock\Icons\My Pictures.png
c:\windows\WINDOWS\Vista Dock\Icons\Options.png
c:\windows\WINDOWS\Vista Dock\Icons\Recycle Bin (full).png
c:\windows\WINDOWS\Vista Dock\Icons\Recycle Bin.png
c:\windows\WINDOWS\Vista Dock\Icons\Thumbs.db
c:\windows\WINDOWS\Vista Dock\MouseHook.dll
c:\windows\WINDOWS\Vista Dock\Vista Dock.exe
C:\z.dat
C:\z.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-10 17:47 . 2008-12-10 17:47 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-03 11:15 . 2008-12-09 15:38 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-03 11:15 . 2008-12-03 11:15 1,409 --a------ c:\windows\QTFont.for
2008-11-11 18:34 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 18:34 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 01:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 09:35 --------- d-----w c:\program files\Winamp
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 07:08 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 03:48 103,736 ----a-w c:\windows\system32\PnkBstrB.exe
2008-09-22 08:15 25,992 ----a-w c:\windows\system32\pgdfgsvc.exe
2008-09-19 17:02 218,624 ----a-w c:\windows\system32\uxtheme.dll
2008-09-16 02:59 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2007-12-18 23:55 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-10-25 19:09 28,672 ----a-w c:\documents and settings\HP_Owner\update.exe
2006-05-13 17:41 46 ----a-w c:\documents and settings\HP_Owner\text.bat
2005-12-27 00:02 268,226 -c--a-w c:\program files\setuplog.txt
2005-10-11 10:34 40 -c--a-w c:\documents and settings\HP_Owner\language.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WinDNS"="c:\documents and settings\HP_Owner\Application Data\Google\lnhul20920683.exe" [2008-12-10 123392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-01 4112384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^RocketDock.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BHR3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViOrb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 13:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 08:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 07:46 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 15:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-07-01 22:12 4112384 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-14 19:43 233472 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 16:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-01 22:12 843776 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"aawservice"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"wuauserv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-09-15 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-09-15 231704]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\DRIVERS\tj2knd5.sys [2007-10-13 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\DRIVERS\tj2kunic.sys [2007-10-13 69680]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mStart Page = hxxp://www.yahoo.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\du0c1sro.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 19:16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-10 19:19:04
ComboFix-quarantined-files.txt 2008-12-11 03:18:34

Pre-Run: 34,496,462,848 bytes free
Post-Run: 34,491,625,472 bytes free

192 --- E O F --- 2008-11-14 18:30:02

Thanks for your help!

Re: Trojan.Zlob.G help

Please download OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    c:\documents and settings\HP_Owner\Application Data\Google\lnhul20920683.exe

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinDNS"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
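A defender-side triage check for the kind of entry the reply above removes (the "WinDNS" value under the HKCU Run key in the posted log). This is an added example, not part of the thread or of ComboFix or OTMoveIt3: it parses the Run keys from the ComboFix "Reg Loading Points" section (embedded below as sample input, copied from the log above) and flags values on three heuristics; the heuristics and their thresholds are my assumptions.

```python
import re
from datetime import date

# Sample input: Run entries copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WinDNS"="c:\documents and settings\HP_Owner\Application Data\Google\lnhul20920683.exe" [2008-12-10 123392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-01 4112384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
"""
# Scan date taken from the log header ("ComboFix 08-12-09.03 - HP_Owner 2008-12-10 ...").
SCAN_DATE = date(2008, 12, 10)

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) [^\]]*\]$')
# XP per-user locations that normal installers do not use for autostart binaries (assumption).
USER_WRITABLE = re.compile(r"\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)

def parse_run_entries(text):
    """Yield (registry key, value name, binary path, file date) for each Run value."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("path"), date.fromisoformat(m.group("date"))

def suspicious_entries(text, scan_date, recent_days=2):
    """Return {value name: [reasons]} for Run entries that trip any heuristic."""
    findings = {}
    for _key, name, path, fdate in parse_run_entries(text):
        reasons = []
        basename = path.rsplit("\\", 1)[-1]
        if USER_WRITABLE.search(path):
            reasons.append("binary lives under a user profile's Application Data")
        if re.search(r"\d{6,}", basename):
            reasons.append("filename contains a long digit run (looks generated)")
        if (scan_date - fdate).days <= recent_days:
            reasons.append("file timestamp is within %d days of the scan" % recent_days)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_LOG, SCAN_DATE).items():
        print(name, "->", "; ".join(reasons))
```

On the sample above only "WinDNS" is flagged, on all three heuristics; the AVG tray entry, although recent, is not flagged because its file date is 13 days before the scan.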

Re: Trojan.Zlob.G help

Thanks for the help. I actually got a program called Malwarebytes and it took care of the problem.

Re: Trojan.Zlob.G help

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
