Thread ID: 95470 2008-12-07 21:05:00 trojan.zlob.g followthewhiterabbit (14385) Press F1
Post ID Timestamp Content User
726551 2008-12-07 21:05:00 Hey all,
Having some serious issues with this trojan.zlob.g popup, 95% sure I got it yesterday surfing oddee (LINK REMOVED, POSSIBLE MALWARE). A little command window popped up under my Firefox browser and everything went downhill from there.

As soon as I realised what happened I ran CCleaner and cleaned up my temporary internet folder in the vain hope of deleting whatever had got on to my PC.

This trojan pops up every 15 min or so as Windows Security Center and tries to get me to download a rogue A/V program, but luckily I was not fooled! It's really annoying though, as it closes my Firefox when I try to surf - so I'm either on my girlfriend's laptop or my work computer trying to figure this mess out.

I was on YouTube and Google and there's a bunch of different people saying to stop these certain processes in Task Manager (msmsgs.exe, dumpserv.com, nvctrl.exe... etc.) - so I look for them and they're not there?! I go into regedit and cmd to delete selected registry values and keys and they're not there either! But the popup still continues to pop on up.

I do a full scan with Ad-Aware/Avast/Malwarebytes/Spyware Doctor and all come up with nothing suspicious. So I turn off System Restore and do a full scan with said A/V programs in safe mode overnight and I still get nothing.

So I'm at a loss as to what to do about this. I've been reading around that this trojan could possibly create unique registry keys for whatever computer it gets itself on to, making it damn hard to find and get rid of.

I checked some other threads to do with trojans and was wondering if there's anyone out there who can guide me through this issue? Would really appreciate it.
followthewhiterabbit (14385)
726552 2008-12-07 21:10:00 Try what it says here (www.symantec.com)

Under removal. Make sure you disable system restore as well

Run Trojan remover below as well. Update it, then scan, then select all options under utilities
Speedy Gonzales (78)
726553 2008-12-07 22:01:00 This should fix it...

Please download Malwarebytes' Anti-Malware from one of these places:

www.majorgeeks.com

www.besttechie.net


Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Pancake (6359)
726554 2008-12-08 06:10:00 Thanks for your guys' quick response - think I found it! :banana Avast updated today when I got home and it picked it up at the same time Spybot did, and Trojan Remover got rid of it neatly. Malwarebytes didn't do much but I'll post the log anyway. The trojan was in my
C:\Documents and Settings\##myusername##\Application Data\Google\kjzna1562565.exe
little bugger!

anyway here's the logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1472
Windows 5.1.2600 Service Pack 3

8/12/2008 7:09:42 p.m.
mbam-log-2008-12-08 (19-09-42).txt

Scan type: Quick Scan
Objects scanned: 51122
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:21 p.m., on 8/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Simon Brunton\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = store.adobe.com/store/general/redirect.jhtml?serial=104510499769229835750314
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205358499997
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe

--
End of file - 9503 bytes
followthewhiterabbit (14385)
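A triage helper for the O4 (autostart) section of a HijackThis log, added here as an example and not part of the thread or of HijackThis itself: it flags entries that run from a user-writable profile folder or carry a random-looking file name, the two traits of the dropper found in this thread. The sample lines are constructed from the log above with a placeholder username, and the thresholds in the regexes are this example's own heuristics, not HijackThis rules.

```python
import re
from typing import List, Tuple

# One HijackThis autostart line:  O4 - <location>: [<name>] <command>
O4_RE = re.compile(r'^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$')
# First absolute path ending in .exe inside the command (quotes and arguments ignored)
ABS_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.I)
# Profile folders a drive-by dropper can write to without admin rights; the sample
# in this thread sat under ...\Application Data\Google\
USER_WRITABLE = ('\\application data\\', '\\local settings\\', '\\temp\\')
# File stems that are a hex run or carry a long digit run instead of a product name
RANDOM_STEM_RE = re.compile(r'^_?[0-9a-f]{8,}$|\d{4,}', re.I)

def triage_o4(log_text: str) -> List[Tuple[str, tuple]]:
    """Return (file name, reasons) for O4 entries whose target matches a dropper pattern."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # R0/O2/O23 lines are out of scope for this check
        cmd = m.group('cmd')
        p = ABS_PATH_RE.search(cmd)
        path = p.group(0) if p else cmd.strip('"').split()[0]   # bare name if no drive path
        filename = path.rsplit('\\', 1)[-1]
        stem = filename.rsplit('.', 1)[0]
        reasons = []
        if any(tag in path.lower() for tag in USER_WRITABLE):
            reasons.append('runs from user-writable profile folder')
        if RANDOM_STEM_RE.search(stem):
            reasons.append('random-looking filename')
        if reasons:
            findings.append((filename, tuple(reasons)))
    return findings

# Constructed sample: four lines copied from the thread's log, plus two written to
# mirror the dropper the poster found and the startup item Mr Eggy asked about.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - HKCU\..\Run: [kjzna1562565] C:\Documents and Settings\user\Application Data\Google\kjzna1562565.exe
O4 - Startup: _A00F1E1849D.EXE
"""

if __name__ == '__main__':
    for name, reasons in triage_o4(SAMPLE_LOG):
        print(name, '->', '; '.join(reasons))
```

Legitimate entries such as the Realtek and Intel graphics autostarts pass clean, which is the point: the script narrows a long O4 list to the handful worth checking by hand.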
726555 2008-12-08 07:05:00 Yep, that's good. You should be fine now. Pancake (6359)
726556 2008-12-08 07:19:00 If you want, you can tick these entries then tick fix checked

Close browsers

These are safe, but don't have to run on startup

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

I would uninstall all versions of Java, then update it. Link below
Speedy Gonzales (78)
726557 2008-12-08 11:46:00 Hi all, I just finished dumping that trojan.zlob.g and I noticed, every time I would go to my MSCONFIG to see what was running a small *ERROR window would appear and then the O.S. would restart every time I closed that window, but all is good now thanks to the great advice in this thread.

I need to put forth only one question, I have a program in my startup that is called _A00F1E1849D.EXE ....I googled it and there were 0 matches can someone please tell me what the hell this is ??


thanx all
Mr Eggy (14386)
726558 2008-12-08 14:50:00 Virus/Trojan / nasty

delete it
apsattv (7406)
726559 2008-12-08 20:39:00 Hey thanks Speedy + Pancake for your guys' advice. I fixed those issues in HijackThis and the PC's doing well (perhaps better than before?) Anyways, just letting you know I'm very grateful for the quick assistance. followthewhiterabbit (14385)
726560 2008-12-08 20:41:00 Cool, good to hear :) Speedy Gonzales (78)