Thanks Deerpark... upon using Superantispyware the Zlob virus reared again... I've quarantined and deleted it by Symantec but it keeps appearing. Is AVG a better prog? The Symantec alert is the first post below, then the Super Anti Spy log and HijackThis. Dr Web CureIt found absolutely nothing in either scan. A few dark horses in both that I'd like to deal with, but I'll wait to hear from you or your Malware team before I proceed.
Questions... should I bother with Spybot and SpywareBlaster now? They were both great programs, but does SuperAntispyware supersede them?
Should I discard Symantec for AVG or another? If Symantec can't detect Zlob in a full scan, surely there's a shortcoming there?
I thank you for your time as always, and look forward to your ideas!
Symantec alert:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader.Zlob!gen.2
File: C:\System Volume Information\_restore{0E7E6A2F-4669-42DC-AE2F-DEF594E59145}\RP31\A0007086.dll
Location: Quarantine
Computer:
User:
Action taken: Quarantine succeeded : Access denied
Date found: Saturday, 12 April 2008 7:13:00 PM
Super Anti Spy log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/12/2008 at 07:54 PM
Application Version : 4.0.1154
Core Rules Database Version : 3437
Trace Rules Database Version: 1429
Scan type : Complete Scan
Total Scan Time : 00:22:47
Memory items scanned : 406
Memory threats detected : 1
Registry items scanned : 4359
Registry threats detected : 31
File items scanned : 31474
File threats detected : 12
Trojan.Downloader-Oreon-A/Resident
C:\WINDOWS\RESOURCES\DRIVEKERNEL.DLL
C:\WINDOWS\RESOURCES\DRIVEKERNEL.DLL
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\InprocServer32
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\InprocServer32#ThreadingModel
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\ProgID
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\Programmable
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\TypeLib
HKCR\CLSID\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}\VersionIndependentProgID
C:\WINDOWS\TEMLXOPQBFE.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A04FEAC5-E67D-4CDC-A767-A54CD429BBBC}
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\InprocServer32
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\InprocServer32#ThreadingModel
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\ProgID
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\Programmable
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\TypeLib
HKCR\CLSID\{CDC026C8-91A1-410F-B59D-7C2582A81271}\VersionIndependentProgID
C:\WINDOWS\VNBPTXLF.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CDC026C8-91A1-410F-B59D-7C2582A81271}
HKCR\vnbptxlf.1
HKCR\vnbptxlf
HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}
HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0
HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\0
HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\0\win32
HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\FLAGS
HKCR\TypeLib\{AFFB5711-58CC-4A99-88DD-DC49D22F7B41}\1.0\HELPDIR
Adware.Tracking Cookie
C:\Documents and Settings\Chad\Cookies\[email protected][2].txt
C:\Documents and Settings\Chad\Cookies\[email protected][1].txt
C:\Documents and Settings\Chad\Cookies\chad@1067710504[1].txt
C:\Documents and Settings\Chad\Cookies\[email protected][1].txt
C:\Documents and Settings\Chad\Cookies\[email protected][2].txt
C:\Documents and Settings\Chad\Cookies\[email protected][1].txt
C:\Documents and Settings\Chad\Cookies\[email protected][1].txt
Trojan.Net-MSV/VPS
HKCR\MSVPS.MSVPSApp
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer
BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
Trojan.Unclassified/Multi-Dropper (Packed)
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0E7E6A2F-4669-42DC-AE2F-DEF594E59145}\RP31\A0007087.EXE
Finally, HijackThis log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:02 PM, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://employment.byron.com.au/jobs.html?source=GoogleAdWordsSearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cjb.net:8118
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Kremlin Sentry.lnk = C:\Program Files\Mach5 Software\Kremlin\Kremlin Sentry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: DriveKernel - {0c5d28af-8215-4417-a770-100821472089} - C:\WINDOWS\Resources\DriveKernel.dll (file missing)
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
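Added example, not part of the post above and not output of any of the tools named in it: a small triage script of the kind a responder would run over a HijackThis log and the file paths from the AV and anti-spyware reports before deciding what to fix. The sample lines are copied from the logs in this post (plus one benign line for contrast) and the three rules are this editor's own heuristics, not HijackThis logic: an Internet Explorer proxy that points off the machine, a registered load point whose DLL is gone, and detections whose path sits inside a System Restore snapshot, which on Windows XP a scanner can flag but normally cannot remove (the "Quarantine succeeded : Access denied" result above is the usual symptom; the snapshot has to be purged by turning System Restore off and back on).

```python
"""Triage HijackThis load points and scanner paths. Editor's example,
not code from the thread; the rules are assumptions, not HijackThis."""
import ipaddress
import re

# Constructed sample: lines taken from the HijackThis log in the post,
# plus one benign O4 entry so a rule that stays quiet is visible too.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cjb.net:8118
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O21 - SSODL: DriveKernel - {0c5d28af-8215-4417-a770-100821472089} - C:\WINDOWS\Resources\DriveKernel.dll (file missing)
"""

# Constructed sample: the Symantec and SUPERAntiSpyware detection paths
# from the post, plus one path that is not in a restore point.
SAMPLE_PATHS = [
    r"C:\System Volume Information\_restore{0E7E6A2F-4669-42DC-AE2F-DEF594E59145}\RP31\A0007086.dll",
    r"C:\SYSTEM VOLUME INFORMATION\_RESTORE{0E7E6A2F-4669-42DC-AE2F-DEF594E59145}\RP31\A0007087.EXE",
    r"C:\WINDOWS\VNBPTXLF.DLL",
]

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
RP_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.I
)


def proxy_is_external(host: str) -> bool:
    """True when a browser proxy points anywhere but this machine or a
    private network. A bare hostname other than localhost is treated as
    external, since a local filtering proxy is normally an IP."""
    if host.lower() == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_private)


def triage_hijackthis(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, line) for each HijackThis line a rule fires on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        # Rule 1: R0/R1 proxy settings pointing off-host.
        if section in ("R0", "R1") and "ProxyServer" in body:
            pm = PROXY_RE.search(body)
            if pm and proxy_is_external(pm.group("host")):
                findings.append(
                    (section, f"browser proxy set to external host {pm.group('host')}", line)
                )
        # Rule 2: a BHO / Winlogon Notify / SSODL entry whose file is gone.
        # The registry still loads the CLSID; the orphaned key is what to fix.
        if section in ("O2", "O20", "O21") and "(file missing)" in body:
            findings.append((section, "load point references a missing file", line))
    return findings


def restore_point_hits(paths: list[str]) -> dict[str, list[str]]:
    """Group detection paths that sit in System Restore snapshots by
    restore point name (e.g. RP31). Scanners flag these repeatedly but
    cannot quarantine them on XP; purging the restore points clears them."""
    hits: dict[str, list[str]] = {}
    for p in paths:
        m = RP_RE.search(p)
        if m:
            hits.setdefault(m.group("rp").upper(), []).append(p)
    return hits


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    for rp, files in restore_point_hits(SAMPLE_PATHS).items():
        print(f"{rp}: {len(files)} detection(s) inside System Restore")
```

Run on the sample, the proxy rule fires on the R1 line, the missing-file rule on the O21 DriveKernel entry, and both scanner detections land in the same restore point RP31; the benign Java BHO and the vptray Run key produce nothing.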