Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

zlob trojan horse downloader

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

zlob trojan horse downloader

Unread postby mfred » August 22nd, 2009, 2:43 pm

hello, and thanks for your help

last week i ran a avg system scan and it told me that i have trojan horse downloader zlob.aoec and aoed. it told me it moved some of them to the virus vault. but when i reboot their baaackk. it wont let me romove or delete them. some of the files it cannot "heal" has the file name:
c:\program files\internet explorer\iexplore.exe.(3404)
c:\windows\explorer.exe(1654)
c:\windows\system32\svchost.exe(1048)
c:\program files\mozilla firefox\firefox.exe(2412)
i ran many different scanners(mbam, avara, spybot adaware). adaware said i have win32 trojan agent. Other forums said to try smitfraudfix, and fixidef, but i'm not sure what to do after running these programs.

if someone has time to help i would appreciate it greatly. if not, is there somewhere i can go to learn more about this stuff

thanks again

mfred




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:17:52, on 8/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se4009.cab
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,C:\WINDOWS\TEMP\331832kou.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4937 bytes
mfred
Regular Member
 
Posts: 16
Joined: August 22nd, 2009, 2:03 pm
Advertisement
Register to Remove

Re: zlob trojan horse downloader

Unread postby askey127 » August 25th, 2009, 3:51 pm

mfred,
Sorry for the delay.
This is kind of long, but you can do it. Just one step at a time.
-----------------------------------------------------------
Disable Ad-Aware Service
This will work for either version 2007 or 2008
Go to Start, Run OR Start, Programs, Accessories, Command Prompt and type services.msc and click OK.
Under the Extended Tab, find one of these services, depending on which version you have:
Ad-Aware 2007 Service or Lavasoft Ad-Aware Service
Click once on the service to highlight it.
Right-Click on the service. Click on Properties
Select the General tab.
Next to Service Status, click Stop.
Click the Arrow-down tab on the right-hand side of the Start-up Type box.
From the drop-down menu, click on Disabled
Click Apply , then OK
-----------------------------------------------------------
Remove Registry items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [MalwareRemovalBot] C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O20 - AppInit_DLLs: ,C:\WINDOWS\TEMP\331832kou.dll

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Note: Save your work. TFC will automatically close any open programs. Let it run uninterrupted.
  • Double-click TFC.exe to run the program.
  • The scan shouldn't take longer take a couple of minutes, and may only take a few seconds.
  • TFC will most likely require a Reboot. If prompted, click "Yes" to reboot.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!!
If you don't know how to disable your antivirus, stop and ask
  • Download ComboFix from here. Rename it fred.exe and save it to your desktop
  • Disable ALL antivirus/antimalware programs before proceeding!

  • Now start ComboFix (fred.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix (fred) will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix (fred) needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix (fred) is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply
A copy is located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix (fred), unplug the cable you use to connect to the internet and plug it back in.

For your reference, if you need it, here is how to disable AVG:
DISABLE AVG 8
Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon in the task bar.
  • Click on Tools.
  • Select Advanced.
  • In the left hand pane, scroll down to "Resident Shield".
  • In the main pane, deselect the option to "Enable Resident Shield."


So we are looking for the Installed programs List from HiJackThis, and the Log from Combofix (fred). Use a separate reply for each if you prefer.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: zlob trojan horse downloader

Unread postby mfred » August 26th, 2009, 9:15 pm

askey,

thank you for your instructions . I followed them to the letter. although, when combofix rebooted, my computer locked up before it could prepare the log. so i ran it again. i hope this didn't screw anything up.

thanks again, i wont touch my computer again until you give me the ok.




uninstall list.

Ad-Aware
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG 8.5
Belarc Advisor 7.0
BigFix
BitLord 1.1
Contextual Tool Adssite
Critical Update for Windows Media Player 11 (KB959772)
Digital Media Reader
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
hp deskjet 3500 series
iTunes
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 4
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Money 2005
Microsoft Office Standard Edition 2003
Microsoft Picture It! Premium 10
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Vista Upgrade Advisor
Microsoft Works
Monopoly
Mozilla Firefox (3.0.13)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero OEM
OpenOffice.org 2.4
QuickTime
RealPlayer
Realtek AC'97 Audio
Recovery Software Suite eMachines
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SoftV92 Data Fax Modem with SmartCP
SpyHunter
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Viewpoint Media Player
Winamp (remove only)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinMX
ZoneAlarm
ZoneAlarm Spy Blocker Toolbar




ComboFix 09-08-26.05 - Owner 08/26/2009 19:45.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.964 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\mfred.exe.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\jestertb.dll
c:\windows\patch.exe
c:\windows\run.log
c:\windows\system32\certstore.dat
c:\windows\system32\cont_adssite-remove.exe
c:\windows\system32\drivers\SKYNETpiqvrbqp.sys
c:\windows\system32\drivers\UACklyxqltoxn.sys
c:\windows\system32\gzmrot-uninst.exe
c:\windows\system32\nerocheck.exe
c:\windows\system32\netskt.sys
c:\windows\system32\SKYNETdqvdktur.dll
c:\windows\system32\SKYNEToqwswuyp.dat
c:\windows\system32\SKYNETpvwabrfm.dat
c:\windows\system32\SKYNETuxxeiglk.dll
c:\windows\system32\UACbivppetnkt.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACipereypixm.dat
c:\windows\system32\UACkjitvxdoro.dll
c:\windows\system32\UACrtalqbuxyb.dll
c:\windows\system32\UACsybdvbnmge.db
c:\windows\system32\UACxowkklvten.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETxrmejwfv
-------\Legacy_SKYNETxrmejwfv
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_netskt
-------\Service_netskt


((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
.

2009-08-27 00:17 . 2009-08-27 00:43 -------- d-s---w- C:\fred.exe
2009-08-23 21:26 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-23 21:26 . 2009-08-23 21:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-23 21:26 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 13:06 . 2009-08-20 13:06 -------- d-----w- C:\ERDNT
2009-08-20 13:06 . 2009-08-20 13:06 -------- d-----w- c:\windows\ERUNT
2009-08-20 13:05 . 2009-08-20 13:06 -------- d-----w- C:\!FixIEDef
2009-08-18 19:14 . 2009-08-18 19:14 0 ----a-w- c:\documents and settings\Owner\settings.dat
2009-08-18 02:03 . 2009-08-18 02:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-08-18 01:40 . 2009-08-18 15:03 -------- d-----w- c:\program files\Panda Security
2009-08-17 02:59 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-17 02:27 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-17 02:27 . 2009-08-17 02:27 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-17 02:26 . 2009-08-17 02:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-17 02:26 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-17 01:33 . 2009-08-17 01:33 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-17 01:31 . 2009-08-18 15:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-17 01:31 . 2009-08-17 01:31 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-08-16 21:06 . 2009-08-16 21:37 -------- d-----w- C:\SRN Micro
2009-08-13 19:09 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-13 18:56 . 2009-08-13 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-08-13 18:56 . 2009-08-13 19:04 -------- d-----w- c:\program files\PCPitstop
2009-08-13 16:32 . 2009-02-16 05:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-13 16:32 . 2009-02-16 05:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-13 16:32 . 2009-02-16 05:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-08-13 15:58 . 2009-08-13 15:58 -------- d-----w- c:\documents and settings\Owner\Application Data\GlarySoft
2009-08-13 14:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 04:48 . 2009-08-13 04:48 -------- d-----w- c:\documents and settings\Owner\Application Data\MalwareRemovalBot
2009-08-13 01:43 . 2009-08-13 01:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-10 16:59 . 2009-08-10 16:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-28 18:14 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 18:14 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-27 00:08 . 2008-05-29 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-26 23:11 . 2005-08-24 01:31 6614 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-08-23 19:39 . 2009-03-11 01:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 19:39 . 2009-03-11 01:15 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 19:39 . 2009-03-11 01:15 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-23 12:56 . 2007-09-29 03:17 -------- d-----w- c:\program files\Enigma Software Group
2009-08-18 15:04 . 2005-08-05 00:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Shareaza
2009-08-18 00:53 . 2005-01-02 06:35 -------- d-----w- c:\program files\Google
2009-08-17 03:05 . 2009-04-12 21:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-16 21:40 . 2005-11-07 17:15 -------- d-----w- c:\program files\LimeWire
2009-08-16 21:20 . 2005-01-02 06:40 -------- d-----w- c:\program files\Napster
2009-08-15 22:32 . 2006-06-20 19:54 -------- d-----w- c:\program files\Valusoft
2009-08-15 22:30 . 2005-09-12 02:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-15 22:29 . 2005-09-12 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-13 16:43 . 2009-08-13 16:39 65350827 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_25_16_full.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46409 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_25_13_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46866 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_24_47_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46449 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_25_02_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46406 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_25_09_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46120 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_25_06_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 45604 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_24_55_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46462 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_24_45_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46297 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_24_42_small.dmp.zip
2009-08-13 16:39 . 2009-08-13 16:39 46233 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_08_13_11_24_39_small.dmp.zip
2009-08-13 16:33 . 2009-04-01 12:44 -------- d-----w- c:\program files\AskBarDis
2009-08-13 16:32 . 2005-08-02 21:47 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-08-13 04:44 . 2008-11-02 21:18 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-08-13 04:44 . 2008-08-19 21:14 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-08-08 22:40 . 2008-10-16 08:09 16994015 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-08-05 09:01 . 2005-03-23 16:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2005-03-23 16:53 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-25 08:25 . 2005-03-23 16:52 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-03-23 16:52 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-03-23 16:52 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-03-23 16:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-03-23 16:52 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-03-23 16:52 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-03-23 16:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-03-23 16:52 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-03-23 16:52 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-03-23 16:52 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2005-03-23 18:08 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-03-23 16:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-03-23 16:53 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-03-23 16:52 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-07-26 01:39 . 2005-07-26 01:39 0 --sha-w- c:\windows\SMINST\HPCD.sys
2009-04-13 18:18 . 2006-07-05 22:33 785 --sha-w- c:\windows\system32\mmf.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-23 2007832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 19:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ORB.lnk]
backup=c:\windows\pss\ORB.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Backyard Hockey 2005 Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Backyard Hockey 2005 Registration.lnk
backup=c:\windows\pss\Backyard Hockey 2005 Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"vsmon"=2 (0x2)
"ose"=3 (0x3)
"LicCtrlService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"ASKService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"hkmsvc"=3 (0x3)
"helpsvc"=2 (0x2)
"BITS"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\utorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\SRN Micro\\SOLOCFG.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/16/2009 9:27 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/10/2009 8:15 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/10/2009 8:15 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/10/2009 8:15 PM 297752]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [4/1/2009 7:44 AM 464264]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
S4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [7/5/2006 5:33 PM 2560]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 18:42]
.
.
------- Supplementary Scan -------
.
uStart Page =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Extermin ... iVirus.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gq3e2p55.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://online.tvguide.com/listings/
FF - prefs.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----

FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www1.yoog.com/search.php?q=
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www1.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 19:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,c9,e0,20,43,a1,23,f2,
e3
"2"=hex:f1,df,16,de,80,08,0e,2a,78,a4,28,cb,d2,56,ff,58,a6,09,d8,fb,43,e9,d5,
e7,16,83,71,61,5d,be,d8,25
"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,2b,92,4b,0d,22,14,9d,
cb,e3,f8,73,90,7d,a4,36,0d,7e,db,3a,16,4c,1a,45,81,b1,a5,77,31,f5,50,d6,e8

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,36,d7,56,53,fe,9f,3d,f9
"2"=hex:c8,8f,7e,e1,28,bb,79,e1
"3"=hex:c7,0b,2e,59,32,a7,00,8e,23,db,a1,bd,f0,bc,1d,c9,6a,37,ee,b5,fc,36,c4,
15,41,e3,f5,dc,85,6c,d7,d5,ac,6b,c5,61,0d,a0,b7,cf,30,38,79,81,ab,7d,2e,74,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,
97,9f,f9,03,77,68,81,1b,0c,47,9b,87,b8,63,74,7d,34
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,
63,a0,2f,06,c2,a3,e9,62,70,90,4c,ec,d6,92,e1,28,ba,e5,5d,0d,25,ef,fb,b7,21,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:70,78,9a,0e,0e,b6,0b,80
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(748)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-27 19:51
ComboFix-quarantined-files.txt 2009-08-27 00:51

Pre-Run: 139,740,573,696 bytes free
Post-Run: 139,715,055,616 bytes free

286 --- E O F --- 2009-08-15 13:34
mfred
Regular Member
 
Posts: 16
Joined: August 22nd, 2009, 2:03 pm

Re: zlob trojan horse downloader

Unread postby askey127 » August 27th, 2009, 7:33 am

mfred,
Please re-enable your AVG Antivirus and Zone Alarm Firewall.
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?f=11&t=33112
As a condition of receiving our help, I have included the P2P program Bitlord in the removal instructions below, so we are not wasting our time.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

BitLord 1.1
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 4
SpyHunter

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
------------------------------------------------------------
Download the latest version of Java Runtime Environment here : http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
Scroll down - It is currently the 5th item on the page (the page changes often), called JRE 6 Update 16
Select Windows and multi-language, and check to agree to the license.
Choose Windows Offline installation version.
Download it, choose Save, and save it to your desktop.
Then doubleclick it, and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
-----------------------------------------------------------
Run TFC from your desktop again. Let it reboot when it asks.
-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to each folder shown below, highlight each one in turn shown in red, if found, and press Delete.

C:\Program Files\AskbarDis\ <== this folder only
C:\Program Files\Enigma Software Group\ <== this folder only

You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
If you need to delete underlying files in a folder and are unable to do so:
Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that,, note the name of the file, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Choose Desktop as the location to save the installer and click Save again.
  • You should now have a desktop icon named mbam-setup.exe. Double-click it.
  • Let it install the program where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items. Be sure that every item is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2009-mm-dd(hour-min-sec).txt
  • You can now delete the installer icon, named mbam-setup.exe from your desktop.

So we are looking for the Malwarebytes Anti-Malware log. Let me know how it goes.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: zlob trojan horse downloader

Unread postby mfred » August 27th, 2009, 12:53 pm

Askey,

thank you for your quick responses. Again your instructions were clear and concise. Here is the requested log. I have a feeling were close, but i will wait for your final word.

thanks again
mfred





Malwarebytes' Anti-Malware 1.40
Database version: 2706
Windows 5.1.2600 Service Pack 3

8/27/2009 11:34:38 AM
mbam-log-2009-08-27 (11-34-38).txt

Scan type: Quick Scan
Objects scanned: 96978
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Log\2009 Aug 13 - 08_58_36 AM_984.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Log\2009 Aug 13 - 11_00_53 AM_703.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Log\2009 Aug 13 - 11_07_23 AM_781.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Log\2009 Aug 13 - 11_08_20 AM_734.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Log\2009 Aug 13 - 11_08_44 AM_859.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Log\2009 Aug 13 - 11_16_33 AM_921.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
mfred
Regular Member
 
Posts: 16
Joined: August 22nd, 2009, 2:03 pm

Re: zlob trojan horse downloader

Unread postby askey127 » August 27th, 2009, 3:45 pm

mfred,
Good results.
Delete this folder if it still exists:
-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to each folder shown below, highlight each one in turn shown in red, if found, and press Delete.

C:\Program Files\MalwareRemovalBot\ <== this folder only

You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
If you need to delete underlying files in a folder and are unable to do so:
Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that,, note the name of the file, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.

Let's run one more scan to be sure we got everything.
-----------------------------------------------------
Run an Online Kaspersky WebScan
  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the Program and Database downloads have finished, (may take a while), Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post the contents of this log in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: zlob trojan horse downloader

Unread postby mfred » August 27th, 2009, 6:55 pm

Askey,

here is the scan results. looks like a few more problems

mfred




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, August 27, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, August 27, 2009 20:39:15
Records in database: 2692678
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 58184
Threats found: 9
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 01:30:35


File name / Threat / Threats count
C:\Documents and Settings\Owner\.housecall\Quarantine\javainstaller.jar-5aa0b436-5de5fe03.zip.bac_a56116 Infected: Trojan-Downloader.Java.OpenStream.w 1
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\javainstaller.jar-5aa0b436-5de5fe03.zip.bac_a56116 Infected: Trojan-Downloader.Java.OpenStream.w 1
C:\Documents and Settings\Owner\Desktop\gusetup.exe Infected: Virus.Win32.Induc.a 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETpiqvrbqp.sys.vir Infected: Trojan.Win32.TDSS.amve 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETdqvdktur.dll.vir Infected: Trojan.Win32.Tdss.anuv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETuxxeiglk.dll.vir Infected: Trojan.Win32.Tdss.anus 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbivppetnkt.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkjitvxdoro.dll.vir Infected: Trojan.Win32.Tdss.anre 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrtalqbuxyb.dll.vir Infected: Trojan.Win32.Tdss.anrd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxowkklvten.dll.vir Infected: Trojan.Win32.TDSS.amha 1

Selected area has been scanned.
mfred
Regular Member
 
Posts: 16
Joined: August 22nd, 2009, 2:03 pm

Re: zlob trojan horse downloader

Unread postby askey127 » August 28th, 2009, 6:32 am

mfred,
Home stretch here. A few things to tidy up and make your machine a bit safer.
-----------------------------------------------------------
Right click fred.exe on your desktop and rename it back to ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the Combofix and the /u
-----------------------------------------------------------
If you have a file on your desktop named gusetup.exe, delete it.
-----------------------------------------------------------
Replace the Current HOSTS File
Download HostsXpert and unzip it to your computer, somewhere where you can find it.
  • Double click on HostsXpert.exe to launch the program.
  • Check to see if top button on left hand side says Make Writable ?
    • If it does. click on it, then proceed to next instruction.
    • If not, just proceed to next instruction
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only ? to secure it against infection.
  • Exit the program.
You can read about HOSTS files here: http://www.mvps.org/winhelp2002/hosts.htm
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.

If you keep your Antivirus up to date, and run an update/scan with Malwarebytes' AntiMalware every week or so, that should be all you need for antivirus and antispyware protection.
You should be all set.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: zlob trojan horse downloader

Unread postby mfred » August 28th, 2009, 6:17 pm

mission complete!!

you are awesome.


many , many thanks.

mfred
mfred
Regular Member
 
Posts: 16
Joined: August 22nd, 2009, 2:03 pm

Re: zlob trojan horse downloader

Unread postby askey127 » August 28th, 2009, 7:56 pm

mfred, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 47 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware