Win32.trojandownoader.zlob


2 replies to this topic

#1 timsbleung

timsbleung

  • Members
  • 22 posts

Posted 01 December 2006 - 01:27 AM

OK, so I have Ad-Aware SE.
I did a scan and found I had a trojan called win32.trojandownloader.zlob, as well as others.

I think that's what's getting me all this fake anti-virus stuff.
How do I get rid of it?

Here's the hijack log (have fun reading :thumbsup: )

Ad-Aware SE Build 1.06r1
Logfile Created on:2006年12月1日 下午 01:54:35
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R135 27.11.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Adware.MyToolbar(TAC index:3):6 total references
Adware.SafetyBar(TAC index:3):2 total references
Tracking Cookie(TAC index:3):19 total references
Win32.Trojandownloader.Zlob(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2006-12-1 下午 01:54:35 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 412
ThreadCreationTime : 2006-11-30 上午 08:50:37
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 2006-11-30 上午 08:50:41
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 736
ThreadCreationTime : 2006-11-30 上午 08:50:44
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 792
ThreadCreationTime : 2006-11-30 上午 08:50:47
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 804
ThreadCreationTime : 2006-11-30 上午 08:50:48
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 996
ThreadCreationTime : 2006-11-30 上午 08:50:52
BasePriority : Normal
FileVersion : 6.14.10.4132
ProductVersion : 6.14.10.4132
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright c 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1020
ThreadCreationTime : 2006-11-30 上午 08:50:52
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1116
ThreadCreationTime : 2006-11-30 上午 08:50:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1216
ThreadCreationTime : 2006-11-30 上午 08:50:54
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1296
ThreadCreationTime : 2006-11-30 上午 08:50:54
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1480
ThreadCreationTime : 2006-11-30 上午 08:50:55
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1588
ThreadCreationTime : 2006-11-30 上午 08:50:57
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1700
ThreadCreationTime : 2006-11-30 上午 08:50:59
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ProcessID : 1868
ThreadCreationTime : 2006-11-30 上午 08:51:07
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:15 [msasvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1968
ThreadCreationTime : 2006-11-30 上午 08:51:09
BasePriority : Normal


#:16 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 464
ThreadCreationTime : 2006-11-30 上午 08:51:13
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:17 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 708
ThreadCreationTime : 2006-11-30 上午 08:51:16
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:18 [msgplus.exe]
FilePath : C:\Program Files\MessengerPlus! 3\
ProcessID : 204
ThreadCreationTime : 2006-11-30 上午 08:51:37
BasePriority : Normal


#:19 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2384
ThreadCreationTime : 2006-11-30 上午 08:51:45
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2452
ThreadCreationTime : 2006-11-30 上午 08:51:46
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:21 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2600
ThreadCreationTime : 2006-11-30 上午 08:51:50
BasePriority : Normal
FileVersion : 7.0.2.16
ProductVersion : 7.0.2.16
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : c 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:22 [wincinemamgr.exe]
FilePath : C:\Program Files\InterVideo\Common\Bin\
ProcessID : 2964
ThreadCreationTime : 2006-11-30 上午 08:51:57
BasePriority : Normal
FileVersion : 1.0
ProductVersion : 1, 0, 0, 1
ProductName : WinCinema Manager for InterVideo WinCinema products
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
LegalCopyright : Copyright © 2000 InterVideo Inc.
OriginalFilename : WinCinemaMgr.EXE

#:23 [easyshare.exe]
FilePath : C:\Program Files\Kodak\Kodak EasyShare software\bin\
ProcessID : 2988
ThreadCreationTime : 2006-11-30 上午 08:51:57
BasePriority : Normal
FileVersion : 5, 0, 25, 230
ProductVersion : 4, 1, 2, 30
ProductName : KODAK EasyShare Software
FileDescription : KODAK EasyShare Software
InternalName : EasyShare
LegalCopyright : c Eastman Kodak Company, 2002-2005. All Rights Reserved.
OriginalFilename : EasyShare.exe

#:24 [msiexec.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3260
ThreadCreationTime : 2006-11-30 上午 08:52:06
BasePriority : Normal


#:25 [googletoolbarnotifier.exe]
FilePath : C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\
ProcessID : 3752
ThreadCreationTime : 2006-11-30 上午 08:52:20
BasePriority : Normal
FileVersion : 1, 2, 908, 5008
ProductVersion : 1, 2, 908, 5008
ProductName : GoogleToolbarNotifier
CompanyName : Google Inc.
FileDescription : GoogleToolbarNotifier
LegalCopyright : Copyright c 2005-2006
OriginalFilename : GoogleToolbarNotifier.exe

#:26 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2640
ThreadCreationTime : 2006-11-30 上午 08:57:47
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:27 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 2188
ThreadCreationTime : 2006-11-30 上午 09:22:56
BasePriority : Normal
FileVersion : 7.5.0311
ProductVersion : 7.5.0311
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:28 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 4048
ThreadCreationTime : 2006-11-30 上午 09:31:45
BasePriority : Normal


#:29 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 3696
ThreadCreationTime : 2006-11-30 上午 09:31:46
BasePriority : High


#:30 [kodak software updater.exe]
FilePath : C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\
ProcessID : 564
ThreadCreationTime : 2006-11-30 上午 09:31:53
BasePriority : Normal


#:31 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 940
ThreadCreationTime : 2006-11-30 上午 09:31:57
BasePriority : Normal
FileVersion : 6.14.10.4132
ProductVersion : 6.14.10.4132
ProductName : ATI External Event Utility for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI External Event Utility EXE Module
InternalName : ATI2EVXX.EXE
LegalCopyright : Copyright c 1999-2004 ATI Technologies Inc.
OriginalFilename : ATI2EVXX.EXE

#:32 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 168
ThreadCreationTime : 2006-11-30 上午 09:31:57
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:33 [hpwuschd.exe]
FilePath : C:\Program Files\HP\HP Software Update\
ProcessID : 1928
ThreadCreationTime : 2006-11-30 上午 09:32:01
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : Hewlett-Packard hpwuSchd
CompanyName : Hewlett-Packard
FileDescription : hpwuSchd
InternalName : hpwuSchd
LegalCopyright : Copyright c 2003
OriginalFilename : hpwuSchd.exe

#:34 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ProcessID : 680
ThreadCreationTime : 2006-11-30 上午 09:32:01
BasePriority : Normal
FileVersion : 2.1.1.0
ProductVersion : 2.1.4
ProductName : hp coretech (COmponent REuse TECHnology)
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
LegalCopyright : Copyright © Hewlett-Packard. 2002-2003
OriginalFilename : HpCmpMgr.exe

#:35 [fahid.exe]
FilePath : C:\GPQ\
ProcessID : 276
ThreadCreationTime : 2006-11-30 上午 09:32:01
BasePriority : Normal


#:36 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_01\bin\
ProcessID : 2436
ThreadCreationTime : 2006-11-30 上午 09:32:01
BasePriority : Normal


#:37 [picasamediadetector.exe]
FilePath : C:\Program Files\Picasa2\
ProcessID : 2208
ThreadCreationTime : 2006-11-30 上午 09:32:01
BasePriority : Normal
FileVersion : 2.1.0
ProductVersion : 2.1.0
ProductName : Picasa
CompanyName : Google Inc.
FileDescription : Picasa
InternalName : Picasa
LegalCopyright : c 2004- 2005 Google Inc.
OriginalFilename : Picasa2.exe

#:38 [msgplus.exe]
FilePath : C:\Program Files\MessengerPlus! 3\
ProcessID : 2580
ThreadCreationTime : 2006-11-30 上午 09:32:02
BasePriority : Normal


#:39 [camerafixer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2584
ThreadCreationTime : 2006-11-30 上午 09:32:02
BasePriority : Normal
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : CameraFixer Application
FileDescription : CameraFixer MFC Application
InternalName : CameraFixer
LegalCopyright : Copyright © 2005
OriginalFilename : CameraFixer.EXE

#:40 [vsnpstd3.exe]
FilePath : C:\WINDOWS\
ProcessID : 2520
ThreadCreationTime : 2006-11-30 上午 09:32:02
BasePriority : Normal
FileVersion : 1, 0, 2, 2
ProductVersion : 1, 0, 2, 2
ProductName : CameraMonitor Application
FileDescription : CameraMonitor Application
InternalName : CameraMonitor
LegalCopyright : Copyright 2002-2005
OriginalFilename : CameraMonitor.EXE

#:41 [hydramd.exe]
FilePath : C:\Program Files\ATI Technologies\ATI HYDRAVISION\
ProcessID : 2480
ThreadCreationTime : 2006-11-30 上午 09:32:04
BasePriority : Normal
FileVersion : 3.25.0006
ProductVersion : 3.25.0006
ProductName : ATI Technologies Inc. HydraVision Viewport
CompanyName : ATI Technologies Inc.
FileDescription : MultiDesk
InternalName : MultiDesk
LegalCopyright : Copyright c ATI Technologies Inc. 1985-2002
OriginalFilename : HydraMD.exe
Comments : Multiple desktop utility

#:42 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 268
ThreadCreationTime : 2006-11-30 上午 09:32:05
BasePriority : Normal
FileVersion : 7.1.3
ProductVersion : QuickTime 7.1.3
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe

#:43 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 3640
ThreadCreationTime : 2006-11-30 上午 09:32:05
BasePriority : Normal
FileVersion : 7.0.2.16
ProductVersion : 7.0.2.16
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : c 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:44 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2228
ThreadCreationTime : 2006-11-30 上午 09:32:06
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:45 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3788
ThreadCreationTime : 2006-11-30 上午 09:32:06
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:46 [hpqtra08.exe]
FilePath : C:\Program Files\HP\Digital Imaging\bin\
ProcessID : 216
ThreadCreationTime : 2006-11-30 上午 09:32:08
BasePriority : Normal
FileVersion : 5.35.0.035
ProductVersion : 005.035.000.035
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP Digital Imaging Monitor (CUE)
InternalName : HPQTRA00
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPQTRA00.EXE
Comments : HP Digital Imaging Monitor (CUE)

#:47 [wincinemamgr.exe]
FilePath : C:\Program Files\InterVideo\Common\Bin\
ProcessID : 2292
ThreadCreationTime : 2006-11-30 上午 09:32:08
BasePriority : Normal
FileVersion : 1.0
ProductVersion : 1, 0, 0, 1
ProductName : WinCinema Manager for InterVideo WinCinema products
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
LegalCopyright : Copyright © 2000 InterVideo Inc.
OriginalFilename : WinCinemaMgr.EXE

#:48 [easyshare.exe]
FilePath : C:\Program Files\Kodak\Kodak EasyShare software\bin\
ProcessID : 3756
ThreadCreationTime : 2006-11-30 上午 09:32:09
BasePriority : Normal
FileVersion : 5, 0, 25, 230
ProductVersion : 4, 1, 2, 30
ProductName : KODAK EasyShare Software
FileDescription : KODAK EasyShare Software
InternalName : EasyShare
LegalCopyright : c Eastman Kodak Company, 2002-2005. All Rights Reserved.
OriginalFilename : EasyShare.exe

#:49 [quick2.exe]
FilePath : C:\GPQ\
ProcessID : 3244
ThreadCreationTime : 2006-11-30 上午 09:32:10
BasePriority : Normal


#:50 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3296
ThreadCreationTime : 2006-11-30 上午 09:32:46
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:51 [kodak software updater.exe]
FilePath : C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\
ProcessID : 2092
ThreadCreationTime : 2006-11-30 上午 09:33:19
BasePriority : Normal


#:52 [msiexec.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3456
ThreadCreationTime : 2006-11-30 上午 09:33:28
BasePriority : Normal


#:53 [hpzipm12.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3516
ThreadCreationTime : 2006-11-30 上午 09:34:38
BasePriority : Normal
FileVersion : 7, 0, 0, 0
ProductVersion : 7, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright c 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:54 [update.exe]
FilePath : C:\Program Files\Common Files\{D8B80FDD-0AE9-1028-0916-030407280376}\
ProcessID : 2784
ThreadCreationTime : 2006-11-30 下午 01:23:05
BasePriority : Normal


#:55 [ishost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 176
ThreadCreationTime : 2006-11-30 下午 01:23:09
BasePriority : Normal


Win32.Trojandownloader.Zlob Object Recognized!
Type : Process
Data : ishost.exe
TAC Rating : 10
Category : Malware
Comment : ishost.exe.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Trojandownloader.Zlob Object found in memory(C:\WINDOWS\system32\ishost.exe)

"C:\WINDOWS\system32\ishost.exe"Process terminated successfully
"C:\WINDOWS\system32\ishost.exe"Process terminated successfully

#:56 [javaw.exe]
FilePath : C:\DOCUME~1\TIMOTH~1\APPLIC~1\MBOLS~1\
ProcessID : 2780
ThreadCreationTime : 2006-11-30 下午 01:23:10
BasePriority : Normal


#:57 [ismini.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1832
ThreadCreationTime : 2006-11-30 下午 01:23:10
BasePriority : Normal


Win32.Trojandownloader.Zlob Object Recognized!
Type : Process
Data : ismini.exe
TAC Rating : 10
Category : Malware
Comment : ismini.exe.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.Trojandownloader.Zlob Object found in memory(C:\WINDOWS\system32\ismini.exe)

"C:\WINDOWS\system32\ismini.exe"Process terminated successfully
"C:\WINDOWS\system32\ismini.exe"Process terminated successfully

#:58 [conime.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2888
ThreadCreationTime : 2006-12-1 上午 01:48:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Console IME
InternalName : Console
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : CONIME.EXE

#:59 [firefox.exe]
FilePath : C:\Program Files\Mozilla Firefox\
ProcessID : 1352
ThreadCreationTime : 2006-12-1 上午 05:53:20
BasePriority : Normal


#:60 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 1988
ThreadCreationTime : 2006-12-1 上午 05:54:14
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright c Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Adware.MyToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c004dec2-2623-438e-9ca2-c9043ab28508}

Adware.MyToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}

Adware.MyToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\windows\currentversion\ext\stats\{c004dec2-2623-438e-9ca2-c9043ab28508}

Adware.SafetyBar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\windows\currentversion\ext\stats\{052b12f7-86fa-4921-8482-26c42316b522}

Adware.MyToolbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{c004dec2-2623-438e-9ca2-c9043ab28508}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 7


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7

Adware.MyToolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {c004dec2-2623-438e-9ca2-c9043ab28508}

Adware.SafetyBar Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\internet explorer\toolbar\Webbrowser
Value : {052b12f7-86fa-4921-8482-26c42316b522}

Adware.MyToolbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Adware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\internet explorer\toolbar\Webbrowser
Value : {c004dec2-2623-438e-9ca2-c9043ab28508}


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : timothy leung@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:timothy leung@zedo.com/
Expires : 2007-12-1 上午 09:28:40
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 11



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@2o7[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@ads.addynamix[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@ads.addynamix[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@ads.pointroll[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@ads.pointroll[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@advertising[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@advertising[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@as-us.falkag[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@as-us.falkag[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@atdmt[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@doubleclick[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@hitbox[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@media.fastclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@media.fastclick[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@mediaplex[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@questionmarket[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@questionmarket[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@serving-sys[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@tickle[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@tickle[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Cookies\winxp@tribalfusion[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@atdmt[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Local Settings\Temp\Cookies\winxp@atdmt[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@bs.serving-sys[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Local Settings\Temp\Cookies\winxp@bs.serving-sys[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@perf.overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Local Settings\Temp\Cookies\winxp@perf.overture[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : winxp@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\winxp\Local Settings\Temp\Cookies\winxp@serving-sys[2].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 29




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29

下午 02:15:34 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:20:58.687
Objects scanned:260318
Objects identified:29
Objects ignored:0
New critical objects:29


#2 timsbleung

timsbleung
  • Topic Starter

  • Members
  • 22 posts

Posted 01 December 2006 - 01:28 AM

ArchiveData(auto-quarantine- 2006-12-01 14-24-23.bckp)
Referencefile : SE1R135 27.11.2006
======================================================

WIN32.TROJANDOWNLOADER.ZLOB
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\system32\ishost.exe
obj[1]=Process : C:\WINDOWS\system32\ismini.exe

ADWARE.MYTOOLBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=Regkey : clsid\{c004dec2-2623-438e-9ca2-c9043ab28508}
obj[3]=Regkey : typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}
obj[4]=Regkey : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\windows\currentversion\ext\stats\{c004dec2-2623-438e-9ca2-c9043ab28508}
obj[6]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{c004dec2-2623-438e-9ca2-c9043ab28508}
obj[7]=RegValue : software\microsoft\internet explorer\toolbar "{c004dec2-2623-438e-9ca2-c9043ab28508}"
obj[9]=RegValue : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\internet explorer\toolbar\Webbrowser "{c004dec2-2623-438e-9ca2-c9043ab28508}"

ADWARE.SAFETYBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=Regkey : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\windows\currentversion\ext\stats\{052b12f7-86fa-4921-8482-26c42316b522}
obj[8]=RegValue : S-1-5-21-1202660629-1580436667-725345543-1007\software\microsoft\internet explorer\toolbar\Webbrowser "{052b12f7-86fa-4921-8482-26c42316b522}"


Here's the auto-quarantine log.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,854 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 01 December 2006 - 11:58 PM

fozzy gave you a link for the preparation guide to posting an HJT log in the following thread:

http://www.bleepingcomputer.com/forums/t/73838/virusburst-trouble/

What you have posted here is a log from Ad-Aware. Be that as it may, continue following the guide that fozzie gave you the link for. There are directions for downloading and installing HijackThis and for creating the log in that guide.

When you have created the log, create a new topic in the HijackThis Forum, not here. Give your topic a good descriptive title, briefly outline your problem, what you have done to solve it, and what worked and didn't work, and paste in your HijackThis log. After you post your log, DO NOT make any further changes (deleting files, installing or uninstalling software, editing the registry, using specialized cleaning tools, etc.), as this will confuse matters and make it more difficult for them to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may conclude that someone is already helping you. If you have not had a response in FIVE DAYS, add a response to the No Response in Five Days topic and paste in the link to your HJT topic.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



