PC infected with Zlob.Downloader



bandit1200
2007-12-20, 18:09
Hi!

I had an infection on my PC with Smitfraud-C.MSVPS, Smitfraud-C., Zlob.Downloader.rid and Zlob.Downloader.vcd.

These were found by Spybot S&D and removed.

I had also run a-squared and Lavasoft Ad-Aware. I have F-Secure Internet Security (client install) on my PC. The PC is running in a company network (administration has already been informed).

F-Secure did not detect the above-named malware, but the Kaspersky online scanner still detects Trojan-Downloader.Win32.Zlob.fst, which was not detected by Spybot S&D afterwards.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:29, on 20.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\MSI\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Programme\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programme\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programme\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Programme\F-Secure\Common\FSMB32.EXE
C:\Programme\F-Secure\Common\FCH32.EXE
C:\Programme\F-Secure\Common\FAMEH32.EXE
C:\Programme\F-Secure\Anti-Virus\fsqh.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Programme\F-Secure\Common\FNRB32.EXE
C:\Programme\F-Secure\Anti-Virus\fssm32.exe
C:\Programme\F-Secure\Common\FIH32.EXE
C:\Programme\F-Secure\FSAUA\program\fsaua.exe
C:\Programme\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\F-Secure\Common\FSM32.EXE
C:\Programme\F-Secure\FSGUI\fsguidll.exe
C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\MSI\Bluetooth Software\BTTray.exe
C:\Programme\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Security Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/firefox
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Programme\Copernic Desktop Search 2\DesktopSearchBand201013011.dll
O3 - Toolbar: The leosrv - {F7C394C7-BFBD-4A20-AD14-2AA94424C09C} - C:\WINDOWS\leosrv.dll (file missing)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://sbsserver1/connectcomputer/nshelp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1098970218097
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Programme\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programme\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Telesis.local
O17 - HKLM\Software\..\Telephony: DomainName = Telesis.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8992EDF-C2EE-4E95-B1F3-93B9150B0AEE}: NameServer = 192.168.120.252,192.168.120.253
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Telesis.local
O21 - SSODL: hjoqor - {0AC53685-A90C-4D29-A687-DF5651DD69C4} - C:\WINDOWS\hjoqor.dll (file missing)
O21 - SSODL: xcvwer - {AAF07E88-A0E3-4AFE-B433-98E135BB53EB} - C:\WINDOWS\xcvwer.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programme\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programme\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Programme\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Programme\F-Secure\Common\FSMA32.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: LSNE - Sysinternals - www.sysinternals.com - C:\DOKUME~1\THOHIG~1.THO\LOKALE~1\Temp\LSNE.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

--
End of file - 8437 bytes

Here is the Kaspersky log file:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 20, 2007 3:43:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/12/2007
Kaspersky Anti-Virus database records: 490471
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 55799
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:48:12

Infected Object Name / Virus Name / Last Action
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\cert8.db Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\history.dat Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\key3.db Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\parent.lock Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\search.sqlite Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\urlclassifier2.sqlite Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Cookies\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\Cache\_CACHE_001_ Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\Cache\_CACHE_002_ Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\Cache\_CACHE_003_ Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Anwendungsdaten\Mozilla\Firefox\Profiles\default.85o\Cache\_CACHE_MAP_ Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Verlauf\History.IE5\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Lokale Einstellungen\Verlauf\History.IE5\MSHist012007122020071221\index.dat Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\NTUSER.DAT Object is locked skipped
C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EABF3E0D-85E8-4957-A3B9-F411E556CBEF}\RP413\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\CSC\00000002 Object is locked skipped
C:\WINDOWS\CSC\00000003 Object is locked skipped
C:\WINDOWS\CSC\d1\80000058 Object is locked skipped
C:\WINDOWS\CSC\d1\80000188 Object is locked skipped
C:\WINDOWS\CSC\d1\80000470 Object is locked skipped
C:\WINDOWS\CSC\d1\80000478 Object is locked skipped
C:\WINDOWS\CSC\d1\80000480 Object is locked skipped
C:\WINDOWS\CSC\d1\800004C8 Object is locked skipped
C:\WINDOWS\CSC\d1\800004F8 Object is locked skipped
C:\WINDOWS\CSC\d2\80000129 Object is locked skipped
C:\WINDOWS\CSC\d2\800004C9 Object is locked skipped
C:\WINDOWS\CSC\d2\80000519 Object is locked skipped
C:\WINDOWS\CSC\d3\800000CA Object is locked skipped
C:\WINDOWS\CSC\d3\8000011A Object is locked skipped
C:\WINDOWS\CSC\d3\8000012A Object is locked skipped
C:\WINDOWS\CSC\d3\8000015A Object is locked skipped
C:\WINDOWS\CSC\d3\80000402 Object is locked skipped
C:\WINDOWS\CSC\d3\80000472 Object is locked skipped
C:\WINDOWS\CSC\d3\8000047A Object is locked skipped
C:\WINDOWS\CSC\d3\80000482 Object is locked skipped
C:\WINDOWS\CSC\d3\800004CA Object is locked skipped
C:\WINDOWS\CSC\d3\80000522 Object is locked skipped
C:\WINDOWS\CSC\d4\80000053 Object is locked skipped
C:\WINDOWS\CSC\d4\8000012B Object is locked skipped
C:\WINDOWS\CSC\d4\8000047B Object is locked skipped
C:\WINDOWS\CSC\d4\80000483 Object is locked skipped
C:\WINDOWS\CSC\d4\800004CB Object is locked skipped
C:\WINDOWS\CSC\d4\800004E3 Object is locked skipped
C:\WINDOWS\CSC\d4\80000503 Object is locked skipped
C:\WINDOWS\CSC\d5\80000054 Object is locked skipped
C:\WINDOWS\CSC\d5\8000012C Object is locked skipped
C:\WINDOWS\CSC\d5\8000047C Object is locked skipped
C:\WINDOWS\CSC\d5\80000504 Object is locked skipped
C:\WINDOWS\CSC\d6\00000215 Object is locked skipped
C:\WINDOWS\CSC\d6\80000055 Object is locked skipped
C:\WINDOWS\CSC\d6\8000012D Object is locked skipped
C:\WINDOWS\CSC\d6\80000465 Object is locked skipped
C:\WINDOWS\CSC\d6\80000485 Object is locked skipped
C:\WINDOWS\CSC\d6\8000051D Object is locked skipped
C:\WINDOWS\CSC\d7\00000216 Object is locked skipped
C:\WINDOWS\CSC\d7\800003FE Object is locked skipped
C:\WINDOWS\CSC\d7\8000047E Object is locked skipped
C:\WINDOWS\CSC\d7\800004EE Object is locked skipped
C:\WINDOWS\CSC\d7\8000051E Object is locked skipped
C:\WINDOWS\CSC\d8\00000217 Object is locked skipped
C:\WINDOWS\CSC\d8\80000057 Object is locked skipped
C:\WINDOWS\CSC\d8\80000187 Object is locked skipped
C:\WINDOWS\CSC\d8\800003FF Object is locked skipped
C:\WINDOWS\CSC\d8\80000487 Object is locked skipped
C:\WINDOWS\CSC\d8\800004C7 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{EABF3E0D-85E8-4957-A3B9-F411E556CBEF}\RP409\A0033998.0xe/stream/data0004 Infected: Trojan-Downloader.Win32.Zlob.fgt skipped
D:\System Volume Information\_restore{EABF3E0D-85E8-4957-A3B9-F411E556CBEF}\RP409\A0033998.0xe/stream Infected: Trojan-Downloader.Win32.Zlob.fgt skipped
D:\System Volume Information\_restore{EABF3E0D-85E8-4957-A3B9-F411E556CBEF}\RP409\A0033998.0xe NSIS: infected - 2 skipped

Scan process completed.

Thanks in advance.

Bandit
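A triage pass over HijackThis entries of the kind shown in the log above, as an added example that is not part of this thread and not a feature of HijackThis itself: it flags load points whose file is missing, binaries under a Temp directory, shell-extension DLLs sitting directly in the Windows directory, and services with no vendor, which is what a helper reading such a log checks by eye. The sample lines are copied from the log above plus one benign BHO for contrast; the heuristics and thresholds are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the HijackThis log posted above:
# five entries taken from that log plus one benign BHO line for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: The leosrv - {F7C394C7-BFBD-4A20-AD14-2AA94424C09C} - C:\WINDOWS\leosrv.dll (file missing)
O21 - SSODL: hjoqor - {0AC53685-A90C-4D29-A687-DF5651DD69C4} - C:\WINDOWS\hjoqor.dll (file missing)
O21 - SSODL: xcvwer - {AAF07E88-A0E3-4AFE-B433-98E135BB53EB} - C:\WINDOWS\xcvwer.dll
O23 - Service: LSNE - Sysinternals - www.sysinternals.com - C:\DOKUME~1\THOHIG~1.THO\LOKALE~1\Temp\LSNE.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
"""

# "O3 - Toolbar: The leosrv - {...} - C:\...\leosrv.dll (file missing)"
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# First drive-letter path on the line that ends in a PE/ActiveX extension.
PATH_RE = re.compile(r"([A-Z]:\\[^\r\n]*?\.(?:exe|dll|ocx))", re.IGNORECASE)
# Shell-extension load points (O2 BHO, O3 toolbar, O21 SSODL) living as a
# bare DLL directly under the Windows directory are unusual for real software.
SHELL_SECTIONS = {"O2", "O3", "O21"}
WINROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious property of an HJT entry."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        section, _kind, rest = m.groups()
        name = rest.split(" - ", 1)[0]          # display name before first " - "
        pm = PATH_RE.search(rest)
        path = pm.group(1) if pm else ""
        reasons = []
        if "(file missing)" in rest:
            reasons.append("load point references a file that no longer exists")
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            reasons.append("binary runs from a Temp directory")
        if section in SHELL_SECTIONS and WINROOT_RE.match(path):
            reasons.append("shell extension DLL placed directly in the Windows directory")
        if section == "O23" and "Unknown owner" in rest:
            reasons.append("service binary carries no vendor information (low severity)")
        for reason in reasons:
            findings.append({"section": section, "name": name, "reason": reason})
    return findings


def names_flagged(log_text: str) -> List[str]:
    """Distinct entry names that produced at least one finding, in log order."""
    seen: List[str] = []
    for f in triage(log_text):
        if f["name"] not in seen:
            seen.append(f["name"])
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['name']:<16} {f['reason']}")
```

A flagged entry is a lead for a human to verify, not a verdict; legitimate tools (a Sysinternals service, an unsigned burner helper) can trip the low-severity checks.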

Shaba
2007-12-21, 12:24
Hi bandit1200 and welcome to Safer Networking Forums :)

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

bandit1200
2007-12-21, 13:57
Hi Shaba!

Here is the SmitfraudFix rapport. :)

Please be aware that I ran the tools with the cleaning option before, and that I had already run SDFix. :oops:

Thanx!

Bandit :cool:

SmitFraudFix v2.274

Scan done at 12:49:50.46, 21.12.2007
Run from D:\Security Tools\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 legal-at-spybot.info
127.0.0.1 www.legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\thohig.THOHIG-LAPTOP\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\THOHIG~1.THO\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: AVM FRITZ!web PPP over ISDN - Paketplaner-Miniport
DNS Server Search Order: 192.168.120.252
DNS Server Search Order: 192.168.120.253

Description: Broadcom 440x 10/100 Integrated Controller - Paketplaner-Miniport
DNS Server Search Order: 192.168.1.3
DNS Server Search Order: 192.168.1.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6713BE25-846A-4AA9-8AEB-5A322853335E}: DhcpNameServer=192.168.1.3 192.168.1.4
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E8992EDF-C2EE-4E95-B1F3-93B9150B0AEE}: NameServer=192.168.120.252,192.168.120.253
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6713BE25-846A-4AA9-8AEB-5A322853335E}: DhcpNameServer=192.168.1.3 192.168.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E8992EDF-C2EE-4E95-B1F3-93B9150B0AEE}: NameServer=192.168.120.252,192.168.120.253
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6713BE25-846A-4AA9-8AEB-5A322853335E}: DhcpNameServer=192.168.1.3 192.168.1.4
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E8992EDF-C2EE-4E95-B1F3-93B9150B0AEE}: NameServer=192.168.120.252,192.168.120.253
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.3 192.168.1.4
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.3 192.168.1.4
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.3 192.168.1.4


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Shaba
2007-12-21, 19:05
Hi

Please don't run any tools from now on unless requested :)

In that case, please post the SDFix report here; it can be found at C:\SDFix\Report.txt

Shaba
2007-12-29, 09:42
Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.