Zlob.G

Hi, on my laptop i have the above trojan and it wont let me go onto the internet or anything. I have AVG Anti-virus installed it says it cannot remove it.

I have run the ComboxFix installer like i have read on other threads and this is the report i recieved:


ComboFix 08-12-09.03 - Anna Smith 2008-12-10 19:16:50.1 - NTFSx86
Microsoft Windows Vista Home Premium 6.0.6000.0.1252.1.1033.18.1072 [GMT 0:00]
Running from: F:\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ShoppingReport
D:\Autorun.inf
d:\recycler\autorun.inf
d:\recycler\desktop.ini
d:\recycler\Folder.htt
d:\recycler\info.exe
d:\recycler\protect.ed
d:\recycler\warning.bmp
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-09 15:22 . 2008-12-09 15:22 d-------- C:\PerfLogs
2008-12-09 14:37 . 2008-12-09 18:29 d-a------ c:\users\All Users\TEMP
2008-12-09 14:37 . 2008-12-09 18:29 d-a------ c:\programdata\TEMP
2008-12-09 14:35 . 2008-12-09 14:35 d-------- c:\users\Anna Smith\AppData\Roaming\Download Manager
2008-12-09 14:14 . 2008-12-10 15:00 d-------- C:\80158e8d5157819464
2008-12-09 14:12 . 2008-12-09 14:12 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-09 11:14 . 2008-12-09 14:01 d-------- c:\program files\Perfect Defender 2009
2008-12-03 10:12 . 2008-10-16 21:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-03 10:12 . 2008-10-16 20:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-03 10:12 . 2008-10-16 21:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-03 10:12 . 2008-10-16 21:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-03 10:11 . 2008-10-16 21:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-03 10:11 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-03 10:11 . 2008-10-16 20:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-03 10:11 . 2008-10-16 21:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-03 10:11 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-26 17:25 . 2008-10-21 05:16 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 17:25 . 2008-08-28 03:24 712,192 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 17:25 . 2008-08-28 03:24 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 17:25 . 2008-08-28 03:24 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 17:25 . 2008-10-22 03:43 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-26 17:25 . 2008-10-22 03:43 160,768 --a------ c:\windows\System32\PortableDeviceTypes.dll
2008-11-26 17:25 . 2008-10-22 03:43 95,232 --a------ c:\windows\System32\PortableDeviceClassExtension.dll
2008-11-13 20:37 . 2008-08-26 01:11 211,456 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-13 13:13 . 2008-09-05 04:48 1,194,496 --a------ c:\windows\System32\msxml3.dll
2008-11-13 13:13 . 2008-09-05 04:45 2,048 --a------ c:\windows\System32\msxml3r.dll
2008-11-13 13:12 . 2008-09-10 03:25 1,341,440 --a------ c:\windows\System32\msxml6.dll
2008-11-13 13:12 . 2008-09-10 03:21 2,048 --a------ c:\windows\System32\msxml6r.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 19:20 --------- d-----w c:\programdata\Kontiki
2008-12-10 19:07 --------- d-----w c:\users\Anna Smith\AppData\Roaming\AVG7
2008-12-10 15:00 --------- d-----w c:\programdata\avg7
2008-12-10 14:58 --------- d-----w c:\program files\Windows Sidebar
2008-12-10 14:58 --------- d-----w c:\program files\Windows Photo Gallery
2008-12-10 14:58 --------- d-----w c:\program files\Windows Mail
2008-12-09 18:02 --------- d-----w c:\users\Anna Smith\AppData\Roaming\LimeWire
2008-12-09 14:11 --------- d-----w c:\program files\Java
2008-12-08 19:27 --------- d-----w c:\users\Anna Smith\AppData\Roaming\Grisoft
2008-12-08 19:27 --------- d-----w c:\users\Anna Smith\AppData\Roaming\Freewire
2008-12-08 19:27 --------- d-----w c:\users\Anna Smith\AppData\Roaming\dvdcss
2008-11-04 22:05 --------- d-----w c:\users\Anna Smith\AppData\Roaming\vlc
2008-11-01 22:14 --------- d-----w c:\program files\VideoLAN
2008-10-26 15:47 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 16:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-09-16 00:14 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w c:\windows\System32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\System32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\System32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\System32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\System32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\System32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\System32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\System32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-07-09 18:51 174 --sha-w c:\program files\desktop.ini
2008-05-11 09:42 0 ----a-w c:\users\Anna Smith\AppData\Roaming\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Smax4v"="c:\users\Anna Smith\AppData\Roaming\Google\windep.exe" [2008-12-08 128000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-07 240640]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-17 590848]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-17 40072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-01 219136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-12-01 20:29 9216 c:\windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E686601F-D7A1-467E-8D62-1D28EC58730B}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{07778690-4E66-49B3-BDFB-52543D31A8F6}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{0A973971-2AD6-48DB-B95D-CCA002A39983}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{A740235D-96BE-448D-81F4-6BE3759573D6}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{A63090C7-2BF8-4A34-A29C-FB1270757E58}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{AE8B5C06-126C-4B54-9899-AEEBDE01F549}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{2E8ED448-340E-4BBA-96B7-CEA8EEC3BB5D}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{6EABA2FE-3EAD-42B8-BAD5-464A62A3DF02}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{5BD358EA-44B7-45A0-B8D4-427C0E69A781}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{6CC5AAEB-AA93-4FB4-A9FF-71F1EFC6FD8E}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"{D7E7FA0F-47A6-4ABC-868A-5997995A734B}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe:BlueSoleil
"TCP Query User{2F72941B-C471-49A7-97E7-4EC85A6882EC}c:\\program files\\freewire\\freewire television\\freewire television.exe"= UDP:c:\program files\freewire\freewire television\freewire television.exe:Freewire Television
"UDP Query User{D9C17BDC-3FEB-45C1-B6DD-CC0F0BD2655F}c:\\program files\\freewire\\freewire television\\freewire television.exe"= TCP:c:\program files\freewire\freewire television\freewire television.exe:Freewire Television

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\system32\Drivers\avgwfp.sys [2007-12-01 53768]
R3 RTL8187;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2007-05-07 205312]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_GB&Sys=PTB&M=ML6227B
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_GB&Sys=PTB&M=ML6227B
uInternet Settings,ProxyOverride =
FireFox -: Profile - c:\users\Anna Smith\AppData\Roaming\Mozilla\Firefox\Profiles\9lj6tf3o.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 19:20:19
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\ANNASM~1\AppData\Local\Temp\catchme.dll

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-12-10 19:21:42
ComboFix-quarantined-files.txt 2008-12-10 19:21:27

Pre-Run: 35,157,340,160 bytes free
Post-Run: 35,238,715,392 bytes free

174 --- E O F --- 2008-12-09 14:11:27

Dont really know what to do next, any help would be appreciated.

Hello.

Please download Flash_Disinfector from HERE

• First, download it to your desktop.
  
• Now double click it to run it and will tell it you what to do when you open it.
  
• It will temporarily kill explorer.exe and your desktop will go blank.
  
• Let Flash_Disinfector do it's job and it will restart explorer.exe for you.
  
• It will make a dummy autorun.inf in the root of every drive.
  
• You can now delete Flash_Disinfector.exe.
  

Next,

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :processes
  explorer.exe
  
  :files
  c:\program files\Perfect Defender 2009
  c:\users\Anna Smith\AppData\Roaming\Google\windep.exe
  
  :reg
  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "Smax4v"=-
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
Folder move failed. c:\program files\Perfect Defender 2009 scheduled to be moved on reboot.
c:\users\Anna Smith\AppData\Roaming\Google\windep.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Smax4v not found.
========== COMMANDS ==========
File delete failed. C:\Users\ANNASM~1\AppData\Local\Temp\~DF5E37.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\lpksetup-20081210-210824-0.log scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\lpksetup-20081210-210843-0.log scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\MpCmdRun.log scheduled to be deleted on reboot.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_151145

Looks good, what problems remain?

Its fine now thanks mate. Much appreciated!!!

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.