i have the hijackthis log but i don't know which file is corrupted. any help would be nice. thank you
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:14 AM, on 2/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5386 bytes
Heres what files were supposedly cleaned in Ad-Aware 07
Cleaned Infections
===========================
Root: HKU Path: S-1-5-21-796845957-1425521274-839522115-1003\software\microsoft\windows\currentversion\ext \stats\{a95b2816-1d7e-4561-a202-68c0de02353a}, Belonging to Win32.Trojandownloader.Zlob
Root: HKCR Path: clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}, Belonging to Win32.Trojandownloader.Zlob
Root: HKCR Path: clsid\{a95b2816-1d7e-4561-a202-68c0de02353a}, Belonging to Win32.Trojandownloader.Zlob
Root: HKLM Path: software\microsoft\windows\currentversion\explorer \browser helper objects\{a95b2816-1d7e-4561-a202-68c0de02353a}, Belonging to Win32.Trojandownloader.Zlob
File: c:\System Volume Information\tracking.log, Belonging to Win32.Trojandownloader.Zlob
 |
 |
 |
 |
|
|||||||
| [Fixed] Hijackthis! Logs - need help with win32.trojan.downloader.zlob posted in the Security & Safety forums; i have the hijackthis log but i don't know which file is corrupted. any help would be nice. thank you Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:02:14 ... |
|
02-07-2008
|
#1 |
|
Bronze Member
 Join Date: Feb 2008
Posts: 4 PC Experience: PC Illiterate
|
need help with win32.trojan.downloader.zlob
Last edited by watcanbrowndo4u8; 02-07-2008 at 07:07 AM. |
|
|
| Advertisement - Register to Remove | |
|
|
02-07-2008
|
#2 |
|
Tech Member
  
Join Date: Feb 2006
Location: coastal Rhode Island
Posts: 4,633 PC Experience: More Stubborn than any PC
|
Re: need help with win32.trojan.downloader.zlob
Hi Welcome to PCHF--
We have a special forum for HJT logs-- I will move this thread there for faster service. Please be patient until our security team gets to you.
__________________
Friedrich Nietzsche
|
|
|
|
|
02-07-2008
|
#3 |
|
Senior Security Analyst
 
Join Date: Jun 2006
Location: Singapore
Posts: 5,176 PC Experience: PC Guru
|
Re: need help with win32.trojan.downloader.zlob
Hello, and welcome to PCHF.
 Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm |
|
|
|
|
02-07-2008
|
#4 |
|
Bronze Member
Join Date: Feb 2008
Posts: 4 PC Experience: PC Illiterate
|
Re: need help with win32.trojan.downloader.zlob
thanks for your help.. here are the results. i dont know how to read these logs, but not gonna lie they look rough.
SmitFraudFix v2.281 Scan done at 14:11:49.71, Thu 02/07/2008 Run from C:\Documents and Settings\Haj\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe C:\Program Files\McAfee\Common Framework\FrameworkService.exe C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\snmp.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE C:\Program Files\McAfee\Common Framework\UdaterUI.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\DIGStream\digstream.exe C:\Program Files\McAfee\Common Framework\McTray.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\AIM6\aim6.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts hosts file corrupted ! 127.0.0.1 www.legal-at-spybot.info 127.0.0.1 legal-at-spybot.info »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Haj »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Haj\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Haj\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» IEDFix !!!Attention, following keys are not inevitably infected!!! IEDFix.exe by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» VACFix !!!Attention, following keys are not inevitably infected!!! VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Rustock »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: Broadcom 440x 10/100 Integrated Controller DNS Server Search Order: 138.87.128.1 DNS Server Search Order: 138.87.132.1 HKLM\SYSTEM\CCS\Services\Tcpip\..\{39FC44F6-8AE9-4EC1-84BD-CCE3811C9FBA}: DhcpNameServer=138.87.128.1 138.87.132.1 HKLM\SYSTEM\CS1\Services\Tcpip\..\{39FC44F6-8AE9-4EC1-84BD-CCE3811C9FBA}: DhcpNameServer=138.87.128.1 138.87.132.1 HKLM\SYSTEM\CS2\Services\Tcpip\..\{39FC44F6-8AE9-4EC1-84BD-CCE3811C9FBA}: DhcpNameServer=138.87.128.1 138.87.132.1 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=138.87.128.1 138.87.132.1 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=138.87.128.1 138.87.132.1 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=138.87.128.1 138.87.132.1 »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End |
|
|
|
|
02-07-2008
|
#5 |
|
Tech Member
Join Date: Feb 2006
Location: coastal Rhode Island
Posts: 4,633 PC Experience: More Stubborn than any PC
|
Re: need help with win32.trojan.downloader.zlob
i
__________________
Friedrich Nietzsche
|
|
|
|
|
02-08-2008
|
#6 |
|
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 5,176 PC Experience: PC Guru
|
Re: need help with win32.trojan.downloader.zlob
Looks like there aren't any infected zlob files left after the Ad-Aware scan.
Hmm... rename hijackthis.exe to blablabla.exe, then run a new scan with it and post the new log here. Let's see how it goes.
|
|
|
|
|
02-08-2008
|
#7 |
|
Bronze Member
Join Date: Feb 2008
Posts: 4 PC Experience: PC Illiterate
|
Re: need help with win32.trojan.downloader.zlob
sorry idk if i did it right. i renamed it in "my programs" and on desktop. Ad-Aware is still scanning this virus. sorry im confused and the comp is acting up more and more as time goes on
|
|
|
|
|
| Bookmarks |
| Tags |
| win32trojandownloaderzlob |
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
