PDA

View Full Version : Win32.Zlob.mm



BenZolo
2006-04-28, 21:59
Hi!

I am experiencing real problems with a trojan, which cannot be deleted by Kaspersky, by Spybot, nor by Adaware. Once Kaspersk has identified the trojan it comes up with the message, that it can't delete it. Having scanned all files, Kaspersky comes up with the trojan and when I click 'treat'- my computer closes down, i.e. the harddrive stops spinning and everything freezes.

Can anyone help? I've run "Hijack" this with following outcome:

Logfile of HijackThis v1.99.1
Scan saved at 20:49:12, on 28.04.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ISW\alice\signup\alicecnn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\explorer.exe
C:\Dokumente und Einstellungen\Benjamin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
R3 - URLSearchHook: (no name) - {3EF5FF50-1624-4A25-DDDD-9F55DB98443F} - new32.dll (file missing)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpCBEC.tmp (file missing)
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Start Upping] spoolnt.exe
O4 - HKLM\..\Run: [start extracting] spoolvse.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSched32.EXE /min
O4 - HKLM\..\Run: [MS Unix Binary] win32ttb.exe
O4 - HKLM\..\Run: [Windows Compliant] wmvrab.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINDOWS\system32\PUXPTWKS.EXE /TWEAK
O4 - HKLM\..\Run: [borlandg] iesetupdll.exe
O4 - HKLM\..\Run: [dmjgb.exe] C:\WINDOWS\system32\dmjgb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunServices: [Windows Compliant] wmvrab.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Start Upping] spoolnt.exe
O4 - HKLM\..\RunServices: [start extracting] spoolvse.exe
O4 - HKLM\..\RunServices: [MS Unix Binary] win32ttb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start Upping] spoolnt.exe
O4 - HKCU\..\Run: [MS Unix Binary] win32ttb.exe
O4 - HKCU\..\Run: [Bogobot] control64.exe
O4 - HKCU\..\Run: [ms-its] driver64.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MMAUSBCM.LNK = E:\USB Audio\Quattro\WINXP\MMAUSBCM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{16AE949A-E691-4926-ABC0-2BF427AB6C11}: NameServer = 213.191.92.86 213.191.74.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0D8961-EAED-48E4-8136-FB9177F296BF}: NameServer = 85.255.113.122,85.255.112.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D63F8C-CA26-44E7-9E14-B0E7A21C6CA5}: NameServer = 85.255.113.122,85.255.112.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{16AE949A-E691-4926-ABC0-2BF427AB6C11}: NameServer = 213.191.92.86 213.191.74.18
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - Unknown owner - C:\Programme\AVPersonal\AVWUPSRV.EXE (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe

thanxs in advance! :confused: :)

BenZolo
2006-04-28, 22:00
i forgot: the name of the bastard is: win32.zlob.mm

tashi
2006-05-01, 17:17
We are sorry for the wait, new infections (not necessarily on your own computer) are taking longer to clean up.

Please see the pinned sticky topic:
If you have waited three days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

LonnyRJones
2006-05-05, 16:50
Hello and welcome to the Forum. :)
Sorry for the delay, your post seamsed to have sliped by
If your still in need of assistance and not
recieving it at another forum the next step is a smithfraudfix and blacklite logs.

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!

Post a report from this tool if any FILES show
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

tashi
2006-05-11, 09:57
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.