Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Trojan downloader .Zlob_r.DS

  • Please log in to reply
4 replies to this topic

#1 chuckeej


  • Members
  • 16 posts
  • Local time:11:22 PM

Posted 27 March 2009 - 02:20 PM

I have just discovered that AVG8.0 Resident Shield History lists the above trojan - since 11/2008. It was not moved to the virus vault. Therefore I am not sure if it is still active in my pc. I am attaching dds.txt and attach.txt. Many thanks for all the help here.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 15:03:04.45 on Fri 03/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.99 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Common Files\AOL\1179320378\ee\aolsoftware.exe
c:\program files\common files\aol\1179320378\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1179320378\ee\aolsoftware.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = aol.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.1121.2472\swg.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: bleepingcomputer.com
Trusted Zone: computerhope.com
Trusted Zone: cybertechhelp.com
Trusted Zone: daniweb.com
Trusted Zone: majorgeeks.com
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: ncl.com
Trusted Zone: ntp-systems.com
Trusted Zone: samsung.com
Trusted Zone: snapfish.com
Trusted Zone: techguy.org\forums
Trusted Zone: techsupportguy.forums
Trusted Zone: tek-tips.com
Trusted Zone: tweaktown.com
Trusted Zone: wilderssecurity.com
Trusted Zone: windowsupdate.com\*.download
Trusted Zone: yahoo.com
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
TCP: {CA81EEE4-7AE0-4863-9041-83C6652952D8} =
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-4-26 3968]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-25 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-25 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-25 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-5-1 353680]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-25 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-25 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-2-22 22752]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-25 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-25 22:14 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-25 22:14 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-03-25 22:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-13 14:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-03-13 14:24 <DIR> --d----- c:\program files\Security Task Manager

==================== Find3M ====================

2009-02-05 21:49 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-05 21:49 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-05 21:49 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-25 22:41 4,212 a---h--- c:\windows\system32\zllictbl.dat

============= FINISH: 15:03:52.28 ===============

Attached Files

BC AdBot (Login to Remove)


#2 chuckeej

  • Topic Starter

  • Members
  • 16 posts
  • Local time:11:22 PM

Posted 27 March 2009 - 02:26 PM

:thumbup2: I am not sure if the entire attach.txt was transmitted. During the Upload process it got hung up about mid-way...but Iwent ahead and submitted the post anyway. Here is what was showing:

Upload successful and is available from the 'Manage Current Attachments' menu
Attachment space used 20.95K of 512K
Maximum single upload size: 491.05K

Any problems with the attach.txt sumbitted? Thanks.

#3 Grinler


    Lawrence Abrams

  • Admin
  • 43,462 posts
  • Gender:Male
  • Location:USA
  • Local time:11:22 PM

Posted 29 March 2009 - 08:52 AM

Your log looks clean. Where is AVG seeing this infection?

#4 chuckeej

  • Topic Starter

  • Members
  • 16 posts
  • Local time:11:22 PM

Posted 29 March 2009 - 11:32 PM

Your log looks clean. Where is AVG seeing this infection?

Grinler: :thumbup2: Many thanks for checking my Log. I'm glad that it shows clean...was a bit worried the trojan was still lurking. I just now went back to check the AVG Resident Shield history, and note that this Trojan result shows "deleted" although it is still listed. Does AVG delete Trojans and viruses automatically after a while? or do we have to manually delete them ourselves? Thanks and cheers!

#5 Grinler


    Lawrence Abrams

  • Admin
  • 43,462 posts
  • Gender:Male
  • Location:USA
  • Local time:11:22 PM

Posted 30 March 2009 - 10:27 AM

I honestly do not know. I am not familiar with AVG. I do not, though, see anything in your logs so if you feel comfortable with that, I will post my all-clean speech and then close the topic.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users