Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.zlob And Dropper


  • This topic is locked This topic is locked
4 replies to this topic

#1 beakerr

beakerr

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:05:08 PM

Posted 28 April 2006 - 01:31 PM

Bit Defender on line scanner said i had Trojan.Zlob.IE , Also Windows live safety center said i had some type of malware (dropper) that it could not delete. I ran all my tools and am coming up clean. Maybe they were false positives? Could someone review my HJT log and give me a prognosis? Give it to me straight I can handle it. Thanks in advance you guys have saved me before! :thumbsup: beakerr






Logfile of HijackThis v1.99.1
Scan saved at 2:07:12 PM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msiexec.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O8 - Extra context menu item: &Search - C:\search\search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/downl...lscbase7617.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128109960296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


m

#2 beakerr

beakerr
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:05:08 PM

Posted 01 May 2006 - 07:46 PM

OK, Bit Defender online virus scan is saying I'm still infected. Here is the Bit Defender log. Note especially toward the bottom wheerre it says infected with Trojan Zlob...


BitDefender Online Scanner



Scan report generated at: Mon, May 01, 2006 - 17:54:43





Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;







Statistics

Time
00:29:33

Files
206370

Folders
2912

Boot Sectors
2

Archives
6935

Packed Files
10963




Results

Identified Viruses
1

Infected Files
1

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
1




Engines Info

Virus Definitions
372953

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
39

Unpack plugins
4

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP57\A0010299.exe=>(NSIS o)=>lzma_nsis0007
Infected with: Trojan.Downloader.Zlob.IE

C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP57\A0010299.exe=>(NSIS o)=>lzma_nsis0007
Disinfection failed

C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP57\A0010299.exe=>(NSIS o)=>lzma_nsis0007
Deleted

C:\System Volume Information\_restore{AB52BD40-7182-4E6D-A2D3-98415849E1A9}\RP57\A0010299.exe=>(NSIS o)
Update failed

Edited by beakerr, 01 May 2006 - 07:48 PM.


#3 JG427

JG427

  • Members
  • 241 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 04 May 2006 - 09:47 PM

Hi, beakerr.

You don't appear to have any active infection. The files bitdefender are showing are located in system restore.
Virus scanners can't clean or access files there.

Lets set a new restore point, then delete all the old ones that are infected.

Create a new system restore point by following this path:
start> all programs> accessories> system tools> system restore
Create a system restore point, then close system restore.

Next, click start on the taskbar, then click Run...
Type in cleanmgr, click ok
Click Ok at select the drive then wait for disk cleanup to open
Click the more options tab, under system restore click clean up... answer yes at the prompt
Click the Disc Cleanup tab
Make sure these 3 are checked and press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin


Run another scan with bitdefender.
Anything showing up?
Posted Image

#4 beakerr

beakerr
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  •  
  • Local time:05:08 PM

Posted 05 May 2006 - 07:48 AM

All clean jg thanks for the assistance!

#5 JG427

JG427

  • Members
  • 241 posts
  • OFFLINE
  •  
  • Local time:04:08 PM

Posted 05 May 2006 - 08:59 PM

Glad we could help. :thumbsup:

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users