Author Topic: trojan downloader zlob  (Read 4778 times)

dratul

    Topic Starter


    Hopeful
  • I love YaBB 1G - SP1!
    trojan downloader zlob
    « on: March 28, 2008, 11:48:29 AM »
    How to remove trojan downloader.zlob?
    dr. atul

    Deerpark



      Egghead
    • Thanked: 1
      Re: trojan downloader zlob
      « Reply #1 on: March 28, 2008, 12:12:36 PM »
      Go through the steps here and post the requested logs. One of our experts will then be able to help you.
      Any sufficiently advanced technology is indistinguishable from magic.
      Arthur C. Clarke (1917 - 2008)

      dratul

        Topic Starter


        Hopeful
      • I love YaBB 1G - SP1!
        Re: trojan downloader zlob
        « Reply #2 on: March 29, 2008, 11:47:17 PM »
        I have Spybot installed in my computer. Will it cause a conflict with the other anti-spyware you have suggested? I am using Windows XP with SP2. Had a problem in downloading Java. I think Java has a problem with Windows. Your suggestion, please.
        dr. atul

        dratul

          Topic Starter


          Hopeful
        • I love YaBB 1G - SP1!
          Re: trojan downloader zlob
          « Reply #3 on: March 30, 2008, 02:27:02 AM »
          HijackThis log file

          [recovering space - attachment deleted by admin]
          dr. atul

          dratul

            Topic Starter


            Hopeful
          • I love YaBB 1G - SP1!
            Re: trojan downloader zlob
            « Reply #4 on: March 30, 2008, 07:16:11 AM »
            I ran all the programs you have suggested and hope the trojan has been removed. Giving the file by DrWeb.

            00189375.FIL;C:\$VAULT$.AVG;Win32.HLLW.Autoruner;Deleted.;
            00230625.FIL;C:\$VAULT$.AVG;BackDoor.Generic.694;Deleted.;
            00375250.FIL;C:\$VAULT$.AVG;Adware.NewDotNet;;
            01255734.FIL;C:\$VAULT$.AVG;Adware.NewDotNet;;
            02316250.FIL;C:\$VAULT$.AVG;BackDoor.PcClient;Deleted.;
            miditest.htm;C:\Program Files\Anvil Studio\html;Modification of BAT.Mtr.1429;Moved.;
            fdcatch.dll;C:\Program Files\FreshDevices\FreshDownload;Trojan.DownLoader.50173;Deleted.;
            A0158693.exe;C:\System Volume Information\_restore{0882E8A3-F5B1-409D-8DD6-BA4A252AC8E9}\RP333;Program.ProxyOSS;;
            A0158713.dll;C:\System Volume Information\_restore{0882E8A3-F5B1-409D-8DD6-BA4A252AC8E9}\RP333;Trojan.DownLoader.50173;Deleted.;
            dr. atul

            Broni


              Mastermind
            • Kraków my love :)
            • Thanked: 614
              • Computer Help Forum
            • Computer: Specs
            • Experience: Experienced
            • OS: Windows 8
            Re: trojan downloader zlob
            « Reply #5 on: March 30, 2008, 09:01:24 AM »
            You need to post ALL three logs.

            Spybot is fine.

            dratul

              Topic Starter


              Hopeful
            • I love YaBB 1G - SP1!
              Re: trojan downloader zlob
              « Reply #6 on: March 31, 2008, 05:40:17 AM »
              Super antispyware log file.

              [recovering space - attachment deleted by admin]
              dr. atul

              Broni


                Mastermind
              • Kraków my love :)
              • Thanked: 614
                • Computer Help Forum
              • Computer: Specs
              • Experience: Experienced
              • OS: Windows 8
              Re: trojan downloader zlob
              « Reply #7 on: March 31, 2008, 05:44:40 PM »
              Other logs, please.

              dratul

                Topic Starter


                Hopeful
              • I love YaBB 1G - SP1!
                Re: trojan downloader zlob
                « Reply #8 on: April 01, 2008, 02:10:11 AM »
                Spybot log file is here, but I don't know how to save the log file of AVG.

                [recovering space - attachment deleted by admin]
                dr. atul

                Broni


                  Mastermind
                • Kraków my love :)
                • Thanked: 614
                  • Computer Help Forum
                • Computer: Specs
                • Experience: Experienced
                • OS: Windows 8
                Re: trojan downloader zlob
                « Reply #9 on: April 01, 2008, 04:09:46 PM »
                You didn't read instructions carefully enough.
                I need these three logs:
                SuperAntispyware log
                Dr. Web CureIt log
                Hijackthis log
                I got Super log. You need to run Dr. Web, and HJT as the last one.

                dratul

                  Topic Starter


                  Hopeful
                • I love YaBB 1G - SP1!
                  Re: trojan downloader zlob
                  « Reply #10 on: April 04, 2008, 11:06:50 AM »
                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 05:45:29, on 04-04-2008
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v7.00 (7.00.6000.16608)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\SYSTEM32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\Ati2evxx.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                  C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                  C:\WINDOWS\system32\CTsvcCDA.exe
                  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
                  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                  C:\WINDOWS\system32\HPZipm12.exe
                  C:\Program Files\CyberLink\Shared Files\RichVideo.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\system32\MsPMSPSv.exe
                  C:\WINDOWS\system32\fxssvc.exe
                  C:\WINDOWS\SYSTEM32\Ati2evxx.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
                  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
                  C:\WINDOWS\VM_STI.EXE
                  C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
                  C:\WINDOWS\system32\ctfmon.exe
                  C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                  R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                  O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                  O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
                  O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - (no file)
                  O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
                  O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
                  O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
                  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
                  O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                  O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
                  O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                  O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
                  O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE LG Web Camera driver
                  O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
                  O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
                  O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
                  O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  O4 - HKLM\..\Policies\Explorer\Run: [status] present
                  O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
                  O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
                  O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
                  O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
                  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                  O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
                  O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
                  O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
                  O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
                  O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
                  O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
                  O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                  O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                  O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www4.snapfish.co.in/SnapfishOutlookImport.cab
                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                  O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.in/SnapfishActivia.cab
                  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203595233859
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{B48675D5-C70E-4296-A662-188070601C1B}: NameServer = 202.56.224.153,202.56.230.6
                  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                  O22 - SharedTaskScheduler: inoperable - {1b40d2ad-d237-4544-b1e1-0bf75bf8fcc0} - (no file)
                  O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                  O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                  O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
                  O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
                  O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
                  O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
                  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                  O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
                  O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
                  O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
                  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
                  O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
                  O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
                  O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

                  --
                  End of file - 8199 bytes
                  dr. atul
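
A triage pass over the HijackThis log posted above, as an added example that is not part of the thread: it flags orphaned entries, autostarts under the Policies\Explorer\Run key, and executables that carry a Windows system-process name but sit outside the Windows directories. The name list, the directory list and the three heuristics are assumptions chosen for illustration; a flagged line is a prompt for manual review, not a verdict.

```python
import ntpath
import re

# Lines copied from the HijackThis log in Reply #10 (a subset, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O22 - SharedTaskScheduler: inoperable - {1b40d2ad-d237-4544-b1e1-0bf75bf8fcc0} - (no file)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
"""

# Assumption: a short list of Windows system binaries whose names are often borrowed.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}
# Assumption: the directories where those binaries normally live on Windows XP.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")          # e.g. "O4 - ..."
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\"]*?\.exe", re.IGNORECASE)


def triage(log_text):
    """Return (section, reason, line) tuples for entries that need a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        line = raw.strip()
        # Registry entry whose target file no longer exists on disk.
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "orphaned entry", line))
        # Autostart set through the policy Run key rather than the usual Run keys.
        if section == "O4" and "\\Policies\\Explorer\\Run" in body:
            findings.append((section, "policy Run key autostart", line))
        # First executable path on the line: system-process name, unexpected folder.
        exe = EXE_PATH.search(body)
        if exe:
            folder, name = ntpath.split(exe.group(0).lower())
            if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
                findings.append((section, "system name outside system dir", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:32} {line}")
```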

                  dratul

                    Topic Starter


                    Hopeful
                  • I love YaBB 1G - SP1!
                    Re: trojan downloader zlob
                    « Reply #11 on: April 04, 2008, 11:12:15 AM »
                    DRweb file

                    modem_common.js;C:\Program Files\Airtel\NetXpert Agent\agentcommon\inc;Probably SCRIPT.Virus;;
                    sma_common.js;C:\Program Files\Airtel\NetXpert Agent\agentui\snapins\preferences;Probably SCRIPT.Virus;;
                    sprtsync.dll;C:\Program Files\Airtel\NetXpert Agent\bin;Probably DLOADER.Trojan;;
                    dr. atul

                    Broni


                      Mastermind
                    • Kraków my love :)
                    • Thanked: 614
                      • Computer Help Forum
                    • Computer: Specs
                    • Experience: Experienced
                    • OS: Windows 8
                    Re: trojan downloader zlob
                    « Reply #12 on: April 04, 2008, 02:17:34 PM »
                    Quote
                    DRweb file

                    modem_common.js;C:\Program Files\Airtel\NetXpert Agent\agentcommon\inc;Probably SCRIPT.Virus;;
                    sma_common.js;C:\Program Files\Airtel\NetXpert Agent\agentui\snapins\preferences;Probably SCRIPT.Virus;;
                    sprtsync.dll;C:\Program Files\Airtel\NetXpert Agent\bin;Probably DLOADER.Trojan;;

                    I don't want to sound like a pain in the back, but what is the problem with posting a WHOLE log?
                    Was HJT run AFTER two other programs?

                    dratul

                      Topic Starter


                      Hopeful
                    • I love YaBB 1G - SP1!
                      Re: trojan downloader zlob
                      « Reply #13 on: April 05, 2008, 02:25:58 AM »
                      Sorry for troubling you, but the DrWeb logfile is in Excel format, which cannot be attached here in the additional option of the reply section, so I selected the content and pasted it here. After running which two programs should I run HJT?

                      dr. atul

                      Broni


                        Mastermind
                      • Kraków my love :)
                      • Thanked: 614
                        • Computer Help Forum
                      • Computer: Specs
                      • Experience: Experienced
                      • OS: Windows 8
                      Re: trojan downloader zlob
                      « Reply #14 on: April 05, 2008, 09:16:03 AM »
                      Quote
                      drweb logfile is in excel format
                      It doesn't sound right, but in any case, please, post new HJT log.