GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


Trojan.Zlob.G

3 posters

descriptionTrojan.Zlob.G EmptyTrojan.Zlob.G7th December 2008, 11:49 am

more_horiz
I appear to be infected with this trojan. My computer seemed to be fine, them it just shut it's self down when I was online, and now this Security Center Alert keeps popping up. Is this a genuine alert or is it part of the trojan?

I have run Kaspersky, and then Super Anti Spyware, and Malware Bytes. None of these picked anything up, which I thought they would. Too I have just run the Windows malicious software removal too. All of these to no avail.

I can't think where this virus/trojan suddenly came from. Each time I connect to the internet, my computer shuts down.
Again on trying to clean up both my computers, my systray has dissapeared, and cant get any icons to re-appear. I have read up on this, and know it's a common problem, but havent found a solution for me.
Is this a result of previous virus/malware infection?

Kind Regards

Dave

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 12:18 pm

more_horiz
Hello, welcome to GeekPolice.

Please read this:

http://www.geekpolice.net/malware-removal-support-hijackthis-logs-f11/read-this-before-posting-t3821.htm

Followed by posting a HijackThis log.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 4:20 pm

more_horiz
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11:31, on 07/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\PKVolume\PKVOLUME.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO Class - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [PKVOLUME] C:\Program Files\PKVolume\PKVOLUME.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200881409212
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9222 bytes

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 4:23 pm

more_horiz
Uninstall List

3DNA Desktop
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Audition 3.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Advanced Chess School
ALOT Toolbar
Ape Ripper 4.3.0
Apple Mobile Device Support
Apple Software Update
Applied Accoustics String Studio VS 1 VST DX v1.0
Ashampoo WinOptimizer 4.50
a-squared Free 3.5
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Atomic Alarm Clock 5.81
ATT 1.4 Engine Only (no voices)
Awave Audio v10.1
BassStation
Boggle
Bonjour
Boogle
Broadcom Gigabit Integrated Controller
Carmageddon TDR2000
CCleaner (remove only)
C-Major Audio
Conexant D480 MDC V.92 Modem
ConvertHelper 2.1
Dell ResourceCD
Dell Wireless WLAN Card
Directory Lister v0.9.1
Duplicate Cleaner 1.2
Edirol HQ Orchestral VSTi v1.03
eyeQ
EZdrummer
EZXDfh
FLV Player 2.0, build 24
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1108
FLVPlayer4Free Free FLV Player 3.2.0.0
foobar2000 v0.9.5.3
Foxit PDF Editor
Foxit Reader
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) PROSet
intelliScore Ensemble
iTunes
Java(TM) 6 Update 7
Kasparov Chessmate
Kaspersky Anti-Virus 2009
Kaspersky Anti-Virus 2009
K-Lite Codec Pack 4.1.4 (Full)
LiveUpdate 1.6 (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
Lizardtech DjVu Control
Logitech MouseWare 9.79.1
Malwarebytes' Anti-Malware
Marble Blast
MateMaster 1.5
Melodyne plugin
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.18)
MSXML 6.0 Parser (KB933579)
Music Creator v3.06
Native Instruments Kontakt 2
Nero 7 Premium
Neuro-Programmer Professional 2.4.2
Norton AntiVirus Corporate Edition
NoteWorthy Composer
Novation USB Audio Driver 1.2.1
ObjectDock
OpenOffice.org Installer 1.0
Orbit Downloader
Pando
Personal Chess Trainer 2.00.29
Pianoteq v2.2.0
Pianoteq v2.3.0
PKVOLUME version 1.20
PoolStars
PrimoPDF
PSP VintageWarmer v1.6.5
QuickTime
RAM Defrag (remove only)
RAR Repair Tool v.4.0
Recover My Files
reFX Nexus 1.2.1
reFX Nexus 1.3.9
SampleTank 2.5
SCARBEE D6-C Filter
SCARBEE Vintage Keyboard FX
SCRABBLE® Interactive 2007 EDITION Uninstall
ScummVM 0.11.1
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Series II MIDI
Sibelius 5
Space Effect 2.0
Spelling Dictionaries Support For Adobe Reader 8
Steinberg Cubase SE
Steinberg VoiceMachine v1.0
Studio Instruments 1.0
SUPERAntiSpyware Professional
Synful Orchestra
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
Universal Document Converter
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VeohTV BETA
VideoLAN VLC media player 0.8.6i
Virtual Pool 3
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Service Pack 3
WinPcap 4.0
WinRAR archiver
WM Recorder 12.0
WordWeb
World Championship Snooker 2004 Patch
XYplorer 7.60
Yahoo! Install Manager
Yahoo! Toolbar


I know it shows Noton Antivirus on there, it isn't installed, but I cant seem to remove it fully.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 4:29 pm

more_horiz

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


  • Press "Fix Checked"
  • Close Hijack This.




  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Trojan.Zlob.G Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will this next prompt that asks if you want to continue the malware scan, select yes

    Trojan.Zlob.G Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 5:54 pm

more_horiz
ComboFix 08-12-06.04 - Dave 2008-12-07 17:32:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.523 [GMT 0:00]
Running from: c:\documents and settings\Dave\Desktop\mal\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dave\Application Data\Google\kjzna1562565.exe
c:\pinball\www.cshtr.com_3D Pinball Thrillride\cshtr\Desktop_.ini
c:\windows\system32\BbJPAcfe.ini
c:\windows\system32\BbJPAcfe.ini2
c:\windows\system32\mdm.exe
c:\windows\system32\msvcsv60.dll
c:\windows\system32\skinboxer43.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 20:59 . 2008-12-06 20:59 d-------- C:\Downloads
2008-12-06 11:24 . 2008-12-06 11:59 d-------- C:\foroldcomp
2008-12-02 11:29 . 2008-12-02 11:29 0 --a------ c:\windows\system32\FOXIT_PDF
2008-12-01 16:54 . 2008-12-01 16:54 d-------- c:\windows\system32\SuperAdBlocker.com
2008-11-29 19:13 . 2008-11-29 19:13 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-29 19:12 . 2008-12-01 12:26 d-------- c:\program files\SUPERAntiSpyware
2008-11-29 19:12 . 2008-11-29 19:12 d-------- c:\documents and settings\Dave\Application Data\SUPERAntiSpyware.com
2008-11-29 19:04 . 2008-11-29 19:04 d-------- C:\superanti
2008-11-26 19:09 . 2008-11-26 19:09 d-------- c:\program files\GetData
2008-11-25 14:26 . 2008-11-25 14:26 d-------- C:\keys
2008-11-23 16:46 . 2008-11-23 16:46 d-------- c:\program files\Microsoft Silverlight
2008-11-22 13:14 . 2008-11-23 16:01 d-------- c:\program files\PoolStars
2008-11-21 17:27 . 2008-11-29 18:34 d-------- C:\When Im Downstairs
2008-11-13 18:46 . 2008-11-13 18:46 d-------- c:\program files\PKVolume
2008-11-13 16:08 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 16:08 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 16:06 . 2008-11-13 16:06 d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-13 10:29 . 2008-11-13 10:29 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-13 10:29 . 2008-11-13 10:29 d-------- c:\documents and settings\Dave\Application Data\Malwarebytes
2008-11-13 10:29 . 2008-11-13 10:29 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-13 10:29 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-13 10:29 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 02:22 . 2008-11-29 19:12 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-13 02:18 . 2008-11-13 02:18 d-------- c:\program files\CCleaner
2008-11-12 19:35 . 2008-11-12 19:35 d-------- c:\program files\Trend Micro
2008-11-11 16:35 . 2008-11-11 16:35 0 --a------ c:\windows\VPC32.INI
2008-11-11 15:43 . 2008-11-18 22:17 d-------- c:\windows\system32\CBA
2008-11-11 15:43 . 2008-11-19 01:13 d-------- c:\program files\Symantec
2008-11-11 15:43 . 2008-11-18 22:17 d-------- c:\program files\NavNT
2008-11-11 15:43 . 2008-11-19 01:13 d-------- c:\program files\Common Files\Symantec Shared
2008-11-11 15:43 . 2008-11-19 01:13 d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-11 12:05 . 2008-11-11 15:04 d-------- c:\program files\a-squared Free
2008-11-10 17:43 . 2008-11-10 17:43 1,552,244 ---hs---- c:\windows\system32\xbparofu.ini
2008-11-10 12:15 . 2008-11-10 13:14 d-------- C:\RadioBroadcasts
2008-11-10 12:14 . 2008-11-10 12:14 d-------- c:\program files\WinPcap
2008-11-10 12:09 . 2008-11-12 02:36 d-------- c:\program files\WMR11
2008-11-10 10:44 . 2008-11-10 10:45 132 --a------ c:\windows\system32\BookMarkData_0.fil
2008-11-10 10:24 . 2008-11-10 10:24 d-------- c:\program files\Infinite Mind LC
2008-11-10 10:24 . 2002-02-20 14:22 4,141,056 --a------ c:\windows\eyeQ Screen Saver.scr
2008-11-10 10:24 . 2002-02-21 14:57 68 --a------ c:\windows\eyeQ Screen Saver.ini
2008-11-10 10:19 . 2008-11-10 10:19 d-------- C:\iq
2008-11-09 20:15 . 2008-11-12 02:23 d-------- c:\documents and settings\All Users\Application Data\DriverScanner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 17:44 --------- d-----w c:\documents and settings\Dave\Application Data\Orbit
2008-12-07 17:43 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-12-07 17:37 647,200 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-12-07 17:37 4,218,400 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-07 17:37 34,036 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-07 17:37 3,292 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-12-06 21:04 --------- d-----w c:\program files\foxfire
2008-12-06 20:52 --------- d-----w c:\documents and settings\Dave\Application Data\AVS4YOU
2008-12-06 20:52 --------- d-----w c:\documents and settings\Dave\Application Data\Applied Acoustics Systems
2008-12-06 20:52 --------- d-----w c:\documents and settings\Dave\Application Data\Apple Computer
2008-12-06 20:52 --------- d-----w c:\documents and settings\Dave\Application Data\alot
2008-12-06 20:52 --------- d-----w c:\documents and settings\Dave\Application Data\Ahead
2008-12-06 18:03 --------- d-----w c:\program files\XYplorer
2008-12-06 11:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 13:33 --------- d-----w c:\documents and settings\Dave\Application Data\foobar2000
2008-11-29 10:50 --------- d-----w c:\program files\Orbitdownloader
2008-11-26 18:56 --------- d-----w c:\program files\eX-Sense PRO
2008-11-26 18:49 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-11-26 18:49 311,296 ------w c:\windows\Setup1.exe
2008-11-14 18:53 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-13 02:18 --------- d-----w c:\program files\Yahoo!
2008-11-12 20:56 --------- d-----w c:\program files\Trojan Remover
2008-11-12 02:36 --------- d-----w c:\program files\Stardock
2008-11-12 02:36 --------- d-----w c:\program files\NoteWorthy Composer
2008-11-12 02:36 --------- d-----w c:\documents and settings\Dave\Application Data\Azureus
2008-11-12 02:36 --------- d-----r c:\program files\TypingMaster
2008-11-12 02:28 --------- d-----w c:\program files\Windows Live Toolbar
2008-11-12 02:25 --------- d-----w c:\program files\Windows Live
2008-11-12 02:23 --------- d-----w c:\program files\Uniblue
2008-11-12 02:23 --------- d-----w c:\documents and settings\Dave\Application Data\Uniblue
2008-11-12 02:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-12 02:17 --------- d-----w c:\program files\Dziobas Rar Player
2008-11-12 02:17 --------- d-----w c:\program files\Azureus
2008-11-12 02:16 --------- d-----w c:\program files\Advanced File Organizer
2008-11-10 23:15 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-11-05 20:34 --------- d-----w c:\documents and settings\Dave\Application Data\WordWeb
2008-11-03 22:39 --------- d-----w c:\documents and settings\Dave\Application Data\Yandex
2008-11-01 17:26 --------- d-----w c:\documents and settings\Dave\Application Data\FLVPlayer4Free
2008-11-01 17:24 --------- d-----w c:\program files\FLVPlayer4Free
2008-11-01 17:16 --------- d-----w c:\program files\Desktop Lighter
2008-10-26 11:20 --------- d-----w c:\program files\Pando Networks
2008-10-26 00:13 --------- d-----w c:\program files\foobar2000
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 15:37 --------- d-----w c:\program files\IK Multimedia
2008-10-21 15:37 --------- d-----w c:\documents and settings\All Users\Application Data\IK Multimedia
2008-10-20 17:26 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-10-19 22:27 --------- d-----w c:\program files\Pianoteq 2.3
2008-10-19 12:21 87,855 ----a-w c:\windows\system32\drivers\klick.dat
2008-10-19 12:20 --------- d-----w c:\program files\Kaspersky Lab
2008-10-19 11:25 --------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2008-10-19 11:12 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-10-11 14:28 --------- d-----w c:\program files\Kasparov Chessmate
2008-10-10 18:23 --------- d-----w c:\program files\Personal Chess Trainer
2008-04-25 01:41 604 ---ha-w c:\program files\STLL Notifier
2007-02-02 02:02 8,877 ----a-w c:\program files\NoGRP.txt
2006-09-21 14:18 6,730,825 ----a-w c:\program files\Magnus Choir.dat
2006-09-21 14:17 1,859,584 ----a-w c:\program files\Magnus Choir.dll
2006-08-28 22:53 33,632 ----a-w c:\program files\Magnus_Choir_License_Agreement.pdf
2006-08-28 22:32 132,153 ----a-w c:\program files\Magnus_Choir_Info.pdf
2006-08-12 18:14 40,616 ----a-w c:\program files\Magnus_Choir_Info.chm
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 5:55 pm

more_horiz
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 94208]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-11 1739264]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-01 1805552]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-11 339968]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-07-07 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 206088]
"PKVOLUME"="c:\program files\PKVolume\PKVOLUME.exe" [2003-02-25 205824]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Dave\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2008-04-27 44384]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-07-08 1690824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-01 12:26 352256 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2006-08-03 03:20 188482 c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"midi1"= ma_cmidn.dll
"midi2"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"c:\\Program Files\\XYplorer\\XYplorer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57326:TCP"= 57326:TCP:Pando P2P TCP Listening Port
"57326:UDP"= 57326:UDP:Pando P2P UDP Listening Port

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
R2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" [2008-11-13 170640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys [2008-11-13 15504]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\DRIVERS\ozscr.sys [2005-04-21 92550]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-09-26 21920]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\DRIVERS\nvnusbaudio.sys [2008-04-17 26112]
S3 SaiH5F0D;SaiH5F0D;c:\windows\system32\DRIVERS\SaiH5F0D.sys [2008-05-11 176640]
S3 SaiU5F0D;SaiU5F0D;c:\windows\system32\DRIVERS\SaiU5F0D.sys [2008-05-11 27264]
.
Contents of the 'Scheduled Tasks' folder

2008-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Smax4 - c:\documents and settings\Dave\Application Data\Google\kjzna1562565.exe
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
FireFox -: Profile - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\hqtk1vra.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://uk.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 17:42:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1416)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\S24EvMon.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\RegSrvc.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\1XConfig.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Orbitdownloader\orbitnet.exe
.
**************************************************************************
.
Completion time: 2008-12-07 17:50:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 17:49:59

Pre-Run: 6,802,563,072 bytes free
Post-Run: 6,711,857,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

265 --- E O F --- 2008-10-19 15:13:26

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 5:58 pm

more_horiz
Looks good, what problems remain?

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 8:07 pm

more_horiz
The problem does appear to be fixed. Much appreciated, thanks.

Will I be protected from this threat in the future, or would I have to repeat the process again sometime?
The only issue is with my volume icon in systray, but I guess that is another topic.

Regards
Dave

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 9:07 pm

more_horiz
Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa.
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 10:56 pm

more_horiz
JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Dec 07 22:54:19 2008

Found and removed: C:\Program Files\Java\jre1.6.0_03

Found and removed: C:\Program Files\Java\jre1.6.0_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\JavaSoft\Java2D\1.6.0_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G7th December 2008, 10:57 pm

more_horiz
We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. Big Grin

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G8th December 2008, 12:28 am

more_horiz
Just before i do these actions....

Do I uninstall. Super anti spyware and Malware bytes, and use the programs you suggested? On the Firefox issue, it's the only browser I use, so is there an issue showing that I use IE?

I would install the programs you listed on top of the ones I have, but I don't want to cause any conflicting issues. I'll certainly uninstall these if they are more effective

Regards

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G8th December 2008, 12:37 am

more_horiz
Hello.
Don't install any of the programs listed, SAS and MBAM should be enough.

If you use Firefox and install these two add-ons I have listed, you'll be safe.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G8th December 2008, 12:44 am

more_horiz
Brilliant. Will a firewall running with Kaspersky cause the system to the screen of death? I was considering using Norton on this machine...but that is all I need to know. I firewall, i'm sure I need, I assumed Kaspersky would have one.

Most thanks for all your prompt informative responses.

Regards
Dave

Thank You!

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G8th December 2008, 12:47 am

more_horiz
No, they won't conflict.

Don't go to Norton whatever you do. Goofy

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G31st December 2008, 7:21 am

more_horiz
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

descriptionTrojan.Zlob.G EmptyRe: Trojan.Zlob.G

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum