Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

How do I remove TrojanZlob


  • Please log in to reply

#1
GCP

GCP

    New Member

  • Member
  • Pip
  • 1 posts
combofix log
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\ProWin06\\32bit\\protax06.exe"=
"c:\\ProWin07\\32bit\\protax07.exe"=
"c:\\ProWin07\\32bit\\ProSeriesUpdate.exe"=
"c:\\ProWin06\\32bit\\ProSeriesUpdate.exe"=
"c:\\CFSLib\\Ny2007\\Ny2007.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1102789109\\EE\\aolsoftware.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-12 78416]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-04-12 20560]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-28 24652]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R4 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2008-02-12 598856]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [2004-11-08 72704]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2008-02-17 742216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SWPRV
*NewlyCreated* - VSS

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVGFRE~1\avgw.exe
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-Antivirus - c:\program files\SAV\sav.exe
MSConfigStartUp-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
MSConfigStartUp-AVG7_Run - c:\progra~1\Grisoft\AVGFRE~1\avgw.exe
MSConfigStartUp-BullsEye Network - c:\program files\BullsEye Network\bin\bargains.exe
MSConfigStartUp-f8c5e796 - c:\windows\system32\sdihceph.dll
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-LogitechCommunicationsManager - c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe
MSConfigStartUp-LogitechQuickCamRibbon - c:\program files\Logitech\QuickCam10\QuickCam10.exe
MSConfigStartUp-LVCOMSX - c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
MSConfigStartUp-MSFox - c:\docume~1\USER\LOCALS~1\Temp\video1098.cfg.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-NvMediaCenter - c:\windows\System32\NvMcTray.dll
MSConfigStartUp-PCMMRealtime - c:\program files\PC MightyMax\pcmm.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-WebRebates0 - c:\program files\Web_Rebates\WebRebates0.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
MSConfigStartUp-PCTVOICE - pctspk.exe
MSConfigStartUp-PV92TRAY - PV92Tray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yie6/*http://www.yahoo.com/search/ie.html
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.proseries.com
Trusted Zone: *.proseriesupdate.com
Trusted Zone: *.turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\RSFormsTV.dll - O16 -: {009F119F-8723-11D3-8791-00A0C9EF9624}
hxxps://eformrs.com/FormOpen/RSFormsTV.cab
c:\windows\Downloaded Program Files\default.inf

c:\windows\Downloaded Program Files\stg_drm.ocx - O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9}
file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx

c:\windows\system32\RSFCalc.dll - O16 -: {187728C3-71FD-11D3-878E-00A0C9EF9624}
hxxps://eformrs.com/FormOpen/Dll/RSFCalc.cab
c:\windows\Downloaded Program Files\default.inf

c:\windows\Downloaded Program Files\CLRMachineInfo.dll - O16 -: {227F25BE-BCDC-11D0-BA80-0000F6181652}
hxxps://eformrs.com/RSLoginModule.cab
c:\windows\Downloaded Program Files\default.inf

c:\windows\system32\RSFormsDP.dll - O16 -: {99140A4E-88C5-11D3-8793-00A0C9EF9624}
hxxps://eformrs.com/FormOpen/RSFormsDP.cab
c:\windows\Downloaded Program Files\default.inf

c:\windows\Downloaded Program Files\armhelper.ocx - O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
FF - ProfilePath - c:\documents and settings\USER\Application Data\Mozilla\Firefox\Profiles\3qyhqc6z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ovguide.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 20:09:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ProTaskScheduler = c:\prowin07\32bit\tasksch.exe?A?;????????????????#?x????P???????5??x????????<????????n+H????P????}+H????k???????4??????xl??? [email protected]?????l???l???X?????C??????kA?????????????l???g????????%[email protected]?(?C??q9?.???!????q9?(?C??q9??????????q9?(?C
TaskScheduler = c:\prowin08\32bit\TaskSch.exe????????????????????#?x????P???????5??x????????<???????p??J????P??????J????l???????4??????xm??? ????u%[email protected]??u%4l???l???X?????C??????kA??????u%4????l????q%4?????$[email protected]?(?C?Rn9?&???!???Pn9?(?C??p9??????????p9?(?C

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-01-11 20:13:17
ComboFix-quarantined-files.txt 2009-01-12 01:12:00
ComboFix2.txt 2008-02-17 18:49:59

Pre-Run: 17,680,478,208 bytes free
Post-Run: 17,677,287,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

967 --- E O F --- 2009-01-11 14:46:43
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP