Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Zlob.trojan / Zlob.videoaccess registry stuff(Possiblly more)

  • This topic is locked This topic is locked
5 replies to this topic

#1 Mikester207


  • Members
  • 3 posts
  • Local time:01:04 PM

Posted 31 May 2009 - 05:23 PM

Well for no real reason a few days ago i was assaulted by a large amout of viruse,s and while my Trend Micro antivirus plus antispyware and Webroot SpySweeper caught a a few i was still infected, and i am dealing with it. I first used Spy sweeper, and found that there was "Worm-koobface", "trojan-backdoor-progdav" and as well as some adware stuff. Unfortunately i my subscription ran out a couple weeks prior, so while i found them i could not do anything about it. I did take matters into my own hands and after trying a few thing i was finally able to find and get rid of Koobface and a few other stuff using malwarebtyes antimalware. also within a day of infection let it be note that i could not use my computer normaly for lag reasons, and it was until used malwarebtyes in safe mode that i was finaly able to use my computer outside of safe mode. Now both Trend micro AV + ASW and webroot spysweep doesn't find anything SpyHunter does. SpyHunter reveals all the registry stuff to about 200+ sites(Also let it be known that SpyHunter found Koobface as well but after using Malwarebtyes koobface didn't come up(good sign)), but it still comes up in Webroot. I also have no idea if Progdav is still on my comp. I've also found the process for the Zlob "msmgs.exe" i believe, and i have been able to stop it, but it shows up after a restart. I've tried to manually delete the registry entries but just to find it unchanged. This is about it, i like to think that my computer is free of Koobface but i have no way to tell becides it not showing up in SpyHunter. Another thing is that IE was set to proxy settings when i never changed them, and it caused problems, I've changed it back and everything was fine afterwards. This the the acumulated data i have on my attempts to cleaning my computer and after days of work i looking to you guys please help.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Michael at 17:53:03.70 on Sun 05/31/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1133 [GMT -4:00]

AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Joseph\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /SYNC
mRun: [PHIME2002A] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /IMEName
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [SynTPStart] "c:\program files\synaptics\syntp\SynTPStart.exe"
mRun: [QlbCtrl.exe] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [KernelFaultCheck] "c:\windows\system32\dumprep.exe" 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LVCOMSX] "c:\windows\system32\LVCOMSX.EXE"
mRun: [LogitechVideoTray] "c:\program files\logitech\video\LogiTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SpyHunter Security Suite] "c:\program files\enigma software group\spyhunter\SpyHunter3.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228943682390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\joseph\applic~1\mozilla\firefox\profiles\kpvzt7cf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.theninja-rpg.com/
FF - plugin: c:\documents and settings\joseph\desktop\install stuff\scenecaster\version 3.11.33\NPSceneCaster.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll

FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-5-24 50192]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-5-24 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-5-24 677128]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-2-11 1181040]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\mabinogi\gameguard\dump_wmimmc.sys --> c:\nexon\mabinogi\gameguard\dump_wmimmc.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-30 40160]

=============== Created Last 30 ================

2009-05-30 23:40 <DIR> --d----- c:\docume~1\joseph\applic~1\Malwarebytes
2009-05-30 21:51 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 21:51 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-30 21:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 21:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-28 13:53 <DIR> --d----- c:\windows\system32\drivers\avgldx64.sys
2009-05-27 23:17 <DIR> --d----- c:\program files\AVG
2009-05-27 22:14 <DIR> --d----- c:\docume~1\joseph\applic~1\GetRightToGo
2009-05-27 21:32 <DIR> --d----- c:\program files\Enigma Software Group
2009-05-27 15:55 727 a------- c:\windows\wininit.ini
2009-05-27 15:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-27 14:59 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-27 13:18 2 ----h--- c:\windows\sonce122730.dat
2009-05-26 22:03 952 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-05-26 22:03 88 ---shr-- c:\docume~1\alluse~1\applic~1\F05939FCF6.sys
2009-05-26 13:18 <DIR> --d----- c:\program files\Enterbrain
2009-05-26 13:16 <DIR> --d----- c:\program files\common files\Enterbrain
2009-05-24 15:51 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-24 15:51 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-05-24 15:51 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-05-24 15:45 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-05-24 15:43 661,808 a------- c:\windows\system32\UfWSC.cpl
2009-05-24 15:42 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-05-24 15:42 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-05-24 15:42 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-05-24 15:42 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 15:13 <DIR> --d----- c:\program files\iPod
2009-05-22 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-22 15:13 <DIR> --d----- c:\program files\iTunes
2009-05-22 15:09 <DIR> --d----- c:\program files\Bonjour
2009-05-22 15:02 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-05-19 10:07 164 a------- c:\windows\install.dat
2009-05-13 00:33 4,096 a------- c:\windows\system32\crash
2009-05-12 12:53 <DIR> --d----- c:\program files\Scratch
2009-05-03 18:06 <DIR> --d----- c:\docume~1\joseph\applic~1\MobMapUpdater

==================== Find3M ====================

2009-05-10 13:22 77,565 a------- c:\windows\War3Unin.dat
2009-04-06 13:32 1,563,008 a------- c:\windows\WRSetup.dll
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-22 11:53 23 a------- c:\documents and settings\joseph\jagex_runescape_preferences.dat

============= FINISH: 17:55:00.78 ===============

Attached Files

Edited by Mikester207, 31 May 2009 - 05:25 PM.

BC AdBot (Login to Remove)



#2 maranatha


    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:04 AM

Posted 12 June 2009 - 12:48 AM

Hi Mikester207
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC so all my posts will be checked by one of our experts, so there may be a slight delay between posts.

Please do this.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
Recycle bin

The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Now this.

Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on “Accept” If your pop –up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files:
  • Under Scan on the left side.Click on My Computer
  • This will start the program and scan your system.
  • Click the “Scan Report” On the left side.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky results.


Windows7 Professional 64 Bit


I'm going in the wrong direction to be in a hurry!


My help is always free, But I do accept donations.
Donate Here

#3 Mikester207

  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:04 PM

Posted 13 June 2009 - 10:25 PM

I have in fact tried t use that but unable too because of internet explorer reasons i believe, most other scans said to do the scan in IE and recently i have been unable to use it(time out issues). MFF still works fine though which is the weird part.

#4 maranatha


    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:04 AM

Posted 14 June 2009 - 10:16 AM


OK I'll be back with you shortly.


Windows7 Professional 64 Bit


I'm going in the wrong direction to be in a hurry!


My help is always free, But I do accept donations.
Donate Here

#5 maranatha


    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:04 AM

Posted 15 June 2009 - 06:37 AM

Hi Mikester207

Please do the following.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse click combofix's window while its running. That may cause it to stall

If you are prompted to install the Recovery Console, Please do so.


Windows7 Professional 64 Bit


I'm going in the wrong direction to be in a hurry!


My help is always free, But I do accept donations.
Donate Here

#6 Shaba



  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:07:04 PM

Posted 06 July 2009 - 12:17 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security
Posted Image

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users