Computer Hope

Software => Computer viruses and spyware => Topic started by: tnort31 on September 18, 2008, 11:46:21 PM

Title: Zlob virus?
Post by: tnort31 on September 18, 2008, 11:46:21 PM

A couple hours ago I came across a website that looked like a phishing/highjacking site and I thought that if I just hit the back button on my browser I could get away from it. Now I realize I should've gone with alt + f4 because I think I got caught by the zlob. My desktop is blue, and computer speed is extremely slow. I found my way to the "Read this before requesting malware removal help" thread and have been going along smoothly. I am stuck now, I cannot download the Super Anti Spyware. When I click on the link in the post it leads me to an error (cannot connect) page. When I search for anything related to virus or spyware using yahoo or google I get redirected to ad pages. What do I do now?

Title: Re: Zlob virus?
Post by: Carbon Dudeoxide on September 19, 2008, 03:19:44 AM

Can you post any logs? (preferably a HijackThis)

What about in Safe Mode With Networking?

Title: Re: Zlob virus?
Post by: tnort31 on September 19, 2008, 08:36:43 AM

I managed to download HijackThis, MBAM, and SuperAntiSpyware. I completed the steps pertaining to HijackThis and MBAM. I cannot install SAS, an error message comes up saying "system administrator does not allow this installation"... or something like that. So here are the HijackThis and MBAM logs.

[recovering disk space -- attachment deleted by admin]

Title: Re: Zlob virus?
Post by: evilfantasy on September 19, 2008, 12:00:00 PM

Can you get a HijackThis log from Normal boot mode?

Title: Re: Zlob virus?
Post by: tnort31 on September 19, 2008, 12:23:27 PM

Yep, here is the HijackThis from normal mode.

[recovering disk space -- attachment deleted by admin]

Title: Re: Zlob virus?
Post by: evilfantasy on September 19, 2008, 12:30:44 PM

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
- O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
- O8 - Extra context menu item: &Search - ?p=ZCfox000
- O9 - Extra button: (no name) - {B48798CE-A2E0-4918-BC00-0F72FBA708E2} - (no file) (HKCU)
- O9 - Extra button: (no name) - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (file missing) (HKCU)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis, run CCleaner and restart the computer to register the changes made by HijackThis.

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

Title: Re: Zlob virus?
Post by: tnort31 on September 19, 2008, 01:42:06 PM

Done, thanks.

Here are the logs.

[recovering disk space -- attachment deleted by admin]

Title: Re: Zlob virus?
Post by: evilfantasy on September 19, 2008, 01:48:26 PM

Download SDFix (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) by AndyManchesta and save it to your desktop.

When using this tool, you must use the Administrator's account or an account with Administrative rights

• Double click SDFix.exe and it will extract the files to %systemdrive%
  
• (this is the drive that contains the Windows Directory, typically C:\SDFix).
  
• DO NOT use it just yet.

Reboot your computer in Safe Mode (http://www.bleepingcomputer.com/tutorials/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
  
• When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  
• Copy and paste the contents of the results file Report.txt in your next reply[/b].

Title: Re: Zlob virus?
Post by: tnort31 on September 19, 2008, 02:55:31 PM

While the SDFix was running a message kept popping up saying the Symantec dll application failed... I clicked close but it kept popping up, then I clicked Ignore and it finally started scanning. If that was referring to Symantec security I deleted that several months ago and now use another security program.

Here is the Report.txt log:


SDFix: Version 1.226
Run by HP_Administrator on Fri 09/19/2008 at 04:20 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 16:28:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"

Remaining Files :



Files with Hidden Attributes :


Finished!

Title: Re: Zlob virus?
Post by: evilfantasy on September 19, 2008, 03:08:47 PM

Download the Norton Removal Tool (SymNRT) (http://fileforum.betanews.com/detail/Norton_Removal_Tool_for_Windows_2000XPVista/1169144666/1) to your Desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

• Go to your desktop and double click on the removal tool and then click Setup.
  
• Once open Click Next
  
• Accept the license agreement and click Next
  
• Type in the letters/numbers that you see into the text box then click Next.
  
• Then click Next and the tool will start running.
  
• Once finished restart the PC and run the tool again to ensure everything has been removed.

.
----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Driver::
TDSSSERV
TDSSserv
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

Title: Re: Zlob virus?
Post by: tnort31 on September 19, 2008, 04:19:03 PM

Good, that Symantec error didn't pop up this time. Here is the log.



ComboFix 08-09-19.04 - HP_Administrator 2008-09-19 17:51:44.2 - NTFSx86
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2008-08-19 to 2008-09-19  )))))))))))))))))))))))))))))))
.

2008-09-19 17:33 . 2008-09-19 17:33   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\NortonInstaller
2008-09-19 16:18 . 2008-09-19 16:18   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-09-19 15:52 . 2008-09-19 16:40   <DIR>   d--------   C:\SDFix
2008-09-19 10:28 . 2008-09-19 10:30   <DIR>   d--------   C:\Program Files\Trend Micro
2008-09-19 10:10 . 2008-09-19 10:10   <DIR>   d--------   C:\Program Files\Malwarebytes Anti-Malware
2008-09-19 10:10 . 2008-09-19 10:10   <DIR>   d--------   C:\Documents and Settings\HP_Administrator\Application Data\Malwarebytes
2008-09-19 10:10 . 2008-09-19 10:10   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-19 10:10 . 2008-09-10 00:04   38,528   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-19 10:10 . 2008-09-10 00:03   17,200   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-09-19 09:57 . 2008-09-19 09:57   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-09-19 01:32 . 2008-09-19 01:32   <DIR>   d--------   C:\Program Files\CCleaner
2008-09-19 01:28 . 2008-09-19 16:46   <DIR>   d--------   C:\WINDOWS\system32\CatRoot_bak
2008-09-18 23:27 . 2008-09-18 23:27   <DIR>   d--hs----   C:\WINDOWS\ftpcache
2008-09-18 23:27 . 2008-09-18 23:27   917,504   --a------   C:\WINDOWS\system32\FLASH.OCX
2008-09-18 19:37 . 2008-09-18 21:07   <DIR>   d--------   C:\WINDOWS\system32\config\systemprofile\Application Data\AVGTOOLBAR

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 22:01   ---------   d-----w   C:\Program Files\lx_cats
2008-09-19 19:04   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-19 04:38   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\avg8
2008-09-19 00:18   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-09-13 17:54   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\NCH Swift Sound
2008-08-31 18:11   97,928   ----a-w   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-28 01:25   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2008-08-17 02:43   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-08-15 22:40   ---------   d-----w   C:\Program Files\Common Files\xing shared
2008-08-15 22:39   ---------   d-----w   C:\Program Files\Common Files\Real
2008-08-15 21:17   ---------   d-----w   C:\Program Files\LimeWire
2008-08-13 02:08   ---------   d-----w   C:\Program Files\Microsoft Silverlight
2008-08-08 02:48   ---------   d-----w   C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-08-04 16:04   ---------   d-----w   C:\Program Files\Lexmark Toolbar
2008-08-04 16:04   ---------   d-----w   C:\Program Files\Lexmark 2400 Series
2008-07-29 19:46   ---------   d-----w   C:\Program Files\QuickTime
2008-07-28 22:43   ---------   d-----w   C:\Program Files\Reference Assemblies
2008-07-28 22:43   ---------   d-----w   C:\Program Files\MSBuild
2008-07-23 03:53   26,926   ----a-w   C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-12-13 21:07   21,321,008   -c--a-w   C:\Program Files\QuickTimeInstaller.exe
2007-09-20 21:39   31   -c--a-w   C:\Documents and Settings\HP_Administrator\b289484.dll
2007-09-20 21:39   30   -c--a-w   C:\Documents and Settings\HP_Administrator\p289484.dll
2007-07-04 01:54   785,160   -c--a-w   C:\Program Files\WindowsMediaPlayer10.exe
2007-04-26 00:17   0   -c-h--w   C:\Program Files\AppUpdate.log
2007-04-04 23:56   6,372   -c--a-w   C:\Program Files\Uninst.isu
2006-04-22 22:43   774,144   -c--a-w   C:\Program Files\RngInterstitial.dll
2005-12-29 22:58   251   -c--a-w   C:\Program Files\wt3d.ini
2001-11-08 05:49   405,504   -c--a-w   C:\Program Files\SStylerProDemo.exe
2001-11-08 03:04   163,840   -c--a-w   C:\Program Files\AdvCtrl.dll
2001-11-08 03:02   40,960   -c--a-w   C:\Program Files\AdvDlg.dll
2001-11-08 02:58   135,168   -c--a-w   C:\Program Files\CDib24.dll
2001-10-02 06:01   51   ----a-w   C:\Program Files\Mail.url
2001-10-02 06:01   50   ----a-w   C:\Program Files\Web.url
2001-10-01 18:14   3,858   -c--a-w   C:\Program Files\read.me
2001-10-01 17:32   2,019   -c--a-w   C:\Program Files\license.txt
.

(((((((((((((((((((((((((((((   snapshot@2008-09-19_15.29.30.37   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-09-19 20:18:25   6,823,936   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-09-19 20:18:25   1,392,640   ----a-w   C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-08-07 20:27:04   163,328   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-09-19 20:18:23   6,823,936   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2008-09-19 20:18:23   1,392,640   ----a-w   C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2005-05-10 253952]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 49152]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"tgcmd"="C:\Program Files\Support.com\BellSouth\hcenter.exe" [2005-08-31 1277952]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-31 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 98304]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-08-15 185896]
"SMSERIAL"="sm56hlpr.exe" [2005-01-24 C:\WINDOWS\sm56hlpr.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-10 12672]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2008-02-21 19712]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [ ]
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2008-02-21 18304]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-09-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 17:59:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-09-19 18:11:27 - machine was rebooted
ComboFix-quarantined-files.txt  2008-09-19 22:11:09
ComboFix2.txt  2008-09-19 19:29:55

Pre-Run: 176,555,810,816 bytes free
Post-Run: 176,572,583,936 bytes free

183   --- E O F ---   2008-09-19 13:44:40

Title: Re: Zlob virus?
Post by: evilfantasy on September 19, 2008, 04:27:21 PM

Looks good. Let's do some cleanup and then a final scan.

Next:

Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click:Delete Files
When prompted, check:Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start > Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:

• Temporary Files
  
• Temporary Internet Files
  
• RecycleBin

Agree to the prompt to perform the action...


Next:

Download  ATF Cleaner by Atribune (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) and save it to your Desktop
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

• Windows Temp
  
• Current User Temp
  
• All Users Temp
  
• Temporary Internet Files
  
• Java Cache

The rest are optional - if you want to remove everything, check Select All
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.

----------

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

(http://i154.photobucket.com/albums/s258/evilfantasy69/combofixu-1.jpg)

• The above procedure will:
• Delete the following:
• ComboFix and its associated files and folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Download OTCleanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to your Desktop.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

.
----------

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Run this online scan. Requires Internet Explorer

Use the  ESET Nod32 Online Scanner (http://www.eset.com/onlinescan/index.php)

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply [/list]

Title: Re: Zlob virus?
Post by: tnort31 on September 19, 2008, 07:10:36 PM

Log from ESET scan.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3457 (20080919)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8628e1e1d8e68c44970de2b49ab03713
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-20 01:00:11
# local_time=2008-09-19 09:00:11 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=629565
# found=1
# scan_time=4428
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll   Win32/Toolbar.MyWebSearch application (unable to clean - deleted)   00000000000000000000000000000000

Title: Re: Zlob virus?
Post by: evilfantasy on September 19, 2008, 07:14:26 PM

Looks fine.

Is everything running OK now?

Use the  Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0 (http://www.spreadfirefox.com/node&id=224248&t=324) with Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/1865) and NoScript (http://noscript.net/)

To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
*  Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

I suggest using SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

 SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
*  (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Check out  Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.

Also see  Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smooth.

Title: Re: Zlob virus?
Post by: tnort31 on September 19, 2008, 08:41:38 PM

Yep, everything is running great again. Thank you so much! I'm going to try those tips you gave me as well. Thanks again!