Free Antivirus Forum - Learn about antivirus, firewalls and personal security

Trojan zlob.n

BullGuard Antivirus Forum > Virus Removal > Removal Help > Trojan zlob.n

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

drunkensoldier
New Member

Date Joined Aug 2007
Total Posts : 6

Posted 8/5/2007 1:11 AM (GMT +3)

Hey,

Downloaded trojan.zlob.n and Virusprotectpro, Virus software caught both and quarantined tham. They had already downloaded the virusprotectpro toolbar etc. Now search results are redirected to other sites, windows explorer crashes all the time, system scan crashes during scan and excel wont run. None of the reg edits associated with the viruses are in the registry.

Can someone give me an idea of the best course of action?

Thanks

Andrei M
Senior Member

Date Joined Jan 2005
Total Posts : 570

Posted 8/5/2007 1:32 AM (GMT +3)

Hello.
Please see this page on how to start so we can see some logs'n stuff.

Andrei M
Microsoft Certified Professional
BullGuard Support Team | support[at]bullguard[dot]com

---------
If more than 24hrs have passed since my last reply on your thread, send me a private message to remind me.
---------

drunkensoldier
New Member

Date Joined Aug 2007
Total Posts : 6

Posted 8/5/2007 2:17 AM (GMT +3)

AVG finds about 1 virus and about 50 cookies before crahing like my antivirus software

ComboFix returns a corrupt file error and displays this;

Extracting DelClsid.bat

Extracting FIND3M.bat

Extracting FIXLSP.bat

Extracting history.bat

Extracting List-C.bat

Extracting Look2Me.bat

Extracting MoveIt.bat

Extracting NTP.bat

Extracting Qoo.bat

Extracting Sys.bat

Extracting upload.bat

Extracting nircmd.exe

CRC failed in nircmd.exe

Unexpected end of archive

rootcheck and hijack follow

********************************* ROOTCHK-(21-07-07)-LOG, by ejvindh

04/08/2007 23:44:49.48

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-04 23:44:51

Windows 5.1.2600 Service Pack 2

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden processes ...

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden services & system hive ...

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden registry entries ...

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden files ...

hidden processes: 0

hidden files: 0

Logfile of HijackThis v1.99.1

Scan saved at 00:05:43, on 05/08/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Valve\Steam\Steam.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Symantec Shared\NMain.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Documents and Settings\Michael McClelland\Desktop\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL

O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

thanks

Andrei M
Senior Member

Date Joined Jan 2005
Total Posts : 570

Posted 8/6/2007 1:23 AM (GMT +3)

I asked someone to take a second look to the log since I didnt notice anything suspicious in the log.

Will get back to you soon.

drunkensoldier
New Member

Date Joined Aug 2007
Total Posts : 6

Posted 8/6/2007 6:18 PM (GMT +3)

Thanks Andrea,

Had a look at the AVG website and found that the exeption error that i was getting might have been an update problem, downloaded 7.5 trial version and now when i run it finds plenty of cookies but no virus, when I run my own antivirus, an AVG msg comes up (threat detected, while opening ...system32\kddwe.dll .... trojan horse generic5.KUF). i clicked on heal the first time it came up and it said access to the file was denied. The avg log keeps on reporting this but im not sure if its just the virus.

Also the file that norton always trips up on is Zoomifyer EZ v3.0, avg reports this as an exception, dont know if any of this helps.

Andrei M
Senior Member

Date Joined Jan 2005
Total Posts : 570

Posted 8/7/2007 6:35 PM (GMT +3)

Hello. Sorry for the late reply. There was a bug in Combofix that caused that problem, which is now solved.

Please download the tool again, retry my instructions and post the Combofix log.

drunkensoldier
New Member

Date Joined Aug 2007
Total Posts : 6

Posted 8/7/2007 11:10 PM (GMT +3)

Ok, looks like that did the trick, rootcheck, combofix and hijack follow,

Anti virus now runs, it found and removed trojan.zlob.n and found the generic trojan in ..system32\kddwe.exe but can only quarantine.

Everything else seems to be working a bit better, the system is a bit unstable on shutdown/startup but i'll keep running it and see how it goes.

Thanks Andrea

RootCheck Log

********************************* ROOTCHK-(21-07-07)-LOG, by ejvindh

07/08/2007 17:59:52.43

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-07 17:59:54

Windows 5.1.2600 Service Pack 2

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden processes ...

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden services & system hive ...

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden registry entries ...

detected NTDLL code modification:

ZwQueryDirectoryFile

scanning hidden files ...

hidden processes: 0

hidden files: 0

ComboFix Log

ComboFix 07-08-04.3 - "Michael McClelland" 2007-08-07 18:05:49.1 [GMT 1:00] - NTFS

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True

/wow section not completed

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\video activex access

C:\Program Files\video activex access\iesunst.exe

C:\Program Files\video activex access\ot.ico

C:\Program Files\video activex access\ts.ico

C:\Program Files\video activex access\uninst.exe

C:\WINDOWS\system32\kddwe.exe

((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))

2007-08-07 18:03 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-08-07 17:36 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-08-05 16:10 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll

2007-08-05 16:10 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll

2007-08-05 13:54 <DIR> d-------- C:\Program Files\AVG

2007-08-04 23:52 <DIR> d-------- C:\Program Files\CCleaner

2007-08-04 12:16 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys

2007-08-04 11:34 <DIR> d-------- C:\DOCUME~1\MICHAE~1\APPLIC~1\WholeSecurity

2007-07-23 21:58 684,032 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-07-23 21:58 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\Gtek

2007-07-23 21:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver

2007-07-23 21:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec

2007-07-23 21:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc

2007-07-23 21:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Intel

2007-07-19 19:13 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP

2007-07-12 19:59 <DIR> d-------- C:\Program Files\iPod

2007-07-12 19:56 <DIR> d-------- C:\Program Files\Common Files\Apple

2007-07-12 19:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 17:37 --------- d-------- C:\Program Files\Common Files\Symantec Shared

2007-07-29 09:01 --------- d-------- C:\Program Files\Modem Helper

2007-07-29 09:01 --------- d-------- C:\Program Files\Hewlett-Packard

2007-07-29 09:01 --------- d-------- C:\Program Files\DivX

2007-07-29 09:01 --------- d-------- C:\Program Files\Common Files\AOL

2007-07-29 09:01 --------- d-------- C:\Program Files\Apple Software Update

2007-07-26 18:29 --------- d-------- C:\DOCUME~1\MICHAE~1\APPLIC~1\VideoEgg

2007-07-19 19:22 --------- d-------- C:\Program Files\Norton Internet Security

2007-07-19 19:18 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF

2007-07-19 19:18 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-07-19 19:18 48776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL

2007-07-19 19:18 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-07-19 19:18 --------- d-------- C:\Program Files\Symantec

2007-07-12 19:59 --------- d-------- C:\Program Files\iTunes

2007-07-12 19:53 --------- d-------- C:\Program Files\QuickTime

2007-06-17 20:06 --------- d-------- C:\DOCUME~1\MICHAE~1\APPLIC~1\Command & Conquer 3 Tiberium Wars

2007-06-09 11:19 --------- d-------- C:\Program Files\SystemRequirementsLab

2007-06-09 00:05 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2007-06-08 21:40 --------- dr-h----- C:\DOCUME~1\MICHAE~1\APPLIC~1\SecuROM

2007-06-08 21:28 --------- d-------- C:\Program Files\Electronic Arts

2007-05-31 07:45 524288 --a------ C:\WINDOWS\system32\DivXsm.exe

2007-05-31 07:44 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll

2007-05-31 07:44 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll

2007-05-31 07:44 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll

2007-05-31 07:44 740442 --a------ C:\WINDOWS\system32\DivX.dll

2007-05-16 16:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll

2007-05-16 16:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll

2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll

2007-05-16 16:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll

2007-05-16 16:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll

2007-05-16 16:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll

2007-05-08 10:24 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll

2006-03-12 15:45 1634 --a------ C:\Program Files\D2P.exe.config

2005-05-12 12:35 913408 --a------ C:\Program Files\D2P.exe

2005-05-12 12:35 53248 --a------ C:\Program Files\CommonUtils.dll

2005-05-12 12:35 323584 --a------ C:\Program Files\CommonGUI.dll

2005-04-04 11:52 765952 -ra------ C:\Program Files\CDDBUI.dll

2005-04-04 11:52 589824 -ra------ C:\Program Files\CDDBControl.dll

2005-04-04 11:52 143360 --a------ C:\Program Files\Interop.CDDBCONTROLLib.dll

2005-04-04 11:52 12800 --a------ C:\Program Files\Interop.CDDBUICONTROLLib.dll

2005-03-31 12:34 93148 -ra------ C:\Program Files\D2P.chm

2005-03-30 17:02 15360 --a------ C:\Program Files\Autoproxy.dll

2005-03-10 17:39 749568 -ra------ C:\Program Files\mp3enc.dll

2005-03-10 14:06 86016 -ra------ C:\Program Files\CddbLangJA.dll

2005-03-10 14:06 81920 -ra------ C:\Program Files\CddbLangKO.dll

2005-03-10 14:06 77824 -ra------ C:\Program Files\CddbLangZT.dll

2005-03-10 14:06 77824 -ra------ C:\Program Files\CddbLangZH.dll

2005-03-10 14:06 110592 -ra------ C:\Program Files\CddbLangPT_BR.dll

2005-03-10 14:06 110592 -ra------ C:\Program Files\CddbLangNL.dll

2005-03-10 14:06 110592 -ra------ C:\Program Files\CddbLangIT.dll

2005-03-10 14:06 110592 -ra------ C:\Program Files\CddbLangFR.dll

2005-03-10 14:06 110592 -ra------ C:\Program Files\CddbLangES.dll

2005-03-10 14:06 110592 -ra------ C:\Program Files\CddbLangDE.dll

2005-03-10 14:06 106496 -ra------ C:\Program Files\CddbLangSV.dll

2005-03-10 14:06 102400 -ra------ C:\Program Files\CddbLangTH.dll

2005-03-10 04:02 49152 --a------ C:\Program Files\AxInterop.SHDocVw.dll

2005-03-10 04:02 126976 --a------ C:\Program Files\Interop.SHDocVw.dll

2005-02-28 19:11 53248 --a------ C:\Program Files\Interop.Shell32.dll

2004-11-09 13:07 606 -ra------ C:\Program Files\D2P.exe.manifest

2004-11-09 13:07 118784 -ra------ C:\Program Files\mp3dec.dll

2004-11-09 13:07 0 -ra------ C:\Program Files\D2P.exe.local

2004-08-04 01:56 49152 --a------ C:\Program Files\AxInterop.WMPLib.dll

2004-08-04 01:56 270336 --a------ C:\Program Files\Interop.WMPLib.dll

2004-08-04 00:01 49152 --a------ C:\Program Files\Interop.IWshRuntimeLibrary.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 16:33]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 15:02]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 15:02]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59]

"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-03-04 11:26]

"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50]

"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 11:08]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]

"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-10-11 22:16]

"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 11:40]

"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19]

"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 20:56]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-05 16:10]

"!AVG Anti-Spyware"="C:\Documents and Settings\Michael McClelland\My Documents\Downloaded Program Updates\Virus Killer\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 07:51]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

"Steam"="C:\Program Files\Valve\Steam\\Steam.exe" [2007-06-28 18:51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-11 22:12:08]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]

avgwlntf.dll 2007-08-05 16:10 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

R1 AvgMfx86;AVG Minifilter x86 Resident Driver;C:\WINDOWS\system32\Drivers\avgmfx86.sys

R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys

R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys

R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys

R2 s24trans;WLAN Transport;C:\WINDOWS\system32\DRIVERS\s24trans.sys

R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys

R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

R3 IWCA;Intel Wireless Connection Agent Miniport for Win XP;C:\WINDOWS\system32\DRIVERS\iwca.sys

R3 sdbus;sdbus;C:\WINDOWS\system32\DRIVERS\sdbus.sys

R3 sffdisk;SFF Storage Class Driver;C:\WINDOWS\system32\DRIVERS\sffdisk.sys

R3 sffp_sd;SFF Storage Protocol Driver for SDBus;C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys

S3 CO_Mon;CO_Mon;\??\C:\WINDOWS\system32\Drivers\CO_Mon.sys

S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys

S3 EraserUtilDrv10501;EraserUtilDrv10501;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10501.sys

S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys

S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder

2007-07-19 12:22:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

2007-07-27 19:00:14 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Michael McClelland.job - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-08-07 19:04:34

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-08-07 19:09:44 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-08-07 19:09

--- E O F ---

Hijack Log

Logfile of HijackThis v1.99.1

Scan saved at 19:17:02, on 07/08/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Documents and Settings\Michael McClelland\My Documents\Downloaded Program Updates\Virus Killer\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

drunkensoldier
New Member

Date Joined Aug 2007
Total Posts : 6

Posted 9/7/2007 2:07 PM (GMT +3)

Hey, looks like quarantining the trojan has really screwed the pooch. computer only starts on every third or fourth attempt and even then it is slow and unstable.
Is there anything worth trying before I reformat?

Andrei M
Senior Member

Date Joined Jan 2005
Total Posts : 570

Posted 9/8/2007 12:16 AM (GMT +3)

Sorry for the late reply. Before proceeding to a system format as you mention, you might wish to post a new FULL hijackthis log, since the last one only had the running processes and I need the full log to see stuff.

Regards,

Forum Information

Currently it is Wednesday, June 19, 2013 3:46 PM (GMT +3)
There are a total of 59,652 posts in 13,158 threads.
In the last 3 days there were 2 new threads and 8 reply posts. View Active Threads