Problems After Zlob Trojan

[phoenix_1275]

Hi again, don't know if this helps but have attached notepad files from GMER and DDS. Thank You

Hi - I originally posted this problem in the IE Explorer forum but realise that it was possibly in the wrong place. Have closed the original thread and am posting my message here, problem is it will not let me upload the DDS and GMER file here as they are already uploaded on previous thread
--------------------------------------------------------------------
hxxp://www.techsupportforum.com/microsoft-support/internet-explorer-forum/320753-solved-ie-7-problems-after-zlob-trojan.html
--------------------------------------------------------------------

I wonder is someone could help.. my friends pc was infected with the Zlob trojan - he is running XP with service pack 3. IE stopped working and system kept frezing..ran a hijack this log and spotted some files which I 'fixed' problem still persisted, downloaded Malwarebytes Anti-Malware which highlighted the trojan and fixed them. IE still not responding. Friend took his PC away and brought it back next day. Tried to uninstall SP3 and IE 7 but system just froze. Then he installed a new IE 7 over top of old one, previously system would freeze when attempting to access Outlook. System can now onlyl be acessed through safe ode as freezes when try to log on through welcome screen. When system comes up everything loads and will allow outlook to open but no connection and IE still not responding.
No IP is present and error messages appear re 'no host found'. Any help appreciated... thank you in advance. Maureen



DDS (Version 1.0) - NTFSx86 MINIMAL
Run by frog at 14:59:08.50 on 06/12/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.479.287 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\frog\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Supanet Internet Explorer
mWindow Title = Supanet Internet Explorer
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - c:\program files\webmediaviewer\hpmun.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - c:\program files\webmediaviewer\browseul.dll
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [CARPService] carpserv.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
mExplorerRun: [VMware hptray] c:\program files\webmediaviewer\hpmon.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\desktop(2).ini
uPolicies-explorer: NoActiveDesktop = 0 (0x0)
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2008-1-4 587096]
S2 8EB395F0D6F42882;8EB395F0D6F42882;\??\c:\documents and settings\frog\desktop\8eb395f0d6f42882\8EB395F0D6F42882 []
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
S2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
S2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2005-12-13 1245064]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-18 99376]
S3 ids00026;ids00026;\??\c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\bases\ids00026.sys []
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081127.048\NAVENG.SYS [2008-11-28 89104]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081127.048\NAVEX15.SYS [2008-11-28 876112]

=============== Created Last 30 ================

2008-12-06 14:41 250 a------- c:\windows\gmer.ini
2008-12-05 16:45 <DIR> --d----- c:\windows\LastGood.Tmp
2008-11-29 15:15 <DIR> --d----- c:\docume~1\frog\applic~1\Malwarebytes
2008-11-29 15:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 15:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-29 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-16 10:43 <DIR> --dsh--- C:\found.007
2008-11-13 17:41 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 17:41 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-10-24 11:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-04-17 11:22 420 a------- c:\docume~1\frog\applic~1\wklnhst.dat
2006-08-31 13:25 210 a------- c:\program files\New Playlist.wpl
2005-12-13 23:34 42,068,375 a------- c:\program files\NIS06900IN.exe
2005-09-07 14:03 20,798,256 a------- c:\program files\AdbeRdr70_enu_full.exe
2005-09-07 13:57 6,811,904 a------- c:\program files\psa2011se_us.exe
2005-07-20 10:41 1,602 a------- c:\program files\supanet.ins
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(4).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(3).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(2).exe

============= FINISH: 14:59:23.70 ===============

[sUBs]

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download & save ComboFix to your Desktop but don't run it yet
Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/320799-problems-after-zlob-trojan.html#post1841567
DDS::
BHO: {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - c:\program files\webmediaviewer\hpmun.dll
TB: {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - c:\program files\webmediaviewer\browseul.dll
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
mExplorerRun: [VMware hptray] c:\program files\webmediaviewer\hpmon.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\desktop(2).ini
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
Driver::
8EB395F0D6F42882
Collect::
c:\documents and settings\frog\desktop\8eb395f0d6f42882\8EB395F0D6F42882
File::
c:\WINDOWS\inf\unregmp2(4).exe
c:\WINDOWS\inf\unregmp2(3).exe
c:\WINDOWS\inf\unregmp2(2).exe

Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.

[phoenix_1275]

Hi - thanks for your quick response. I don't have access to pc in question at the moment (my friend took it home with him, he's bringing it back tomorrow afternoon) so will do as you ask and get back to you asap tomorrow. Really appreciate the help . Maureen

[phoenix_1275]

Hi there, sorry for the delay in getting back to you. Didn't get my hands on the coputer until today. Did as instructed. Recovery Console not installed on PC and when combo fix asked if I wanted to install it I clicked yes and everything just hung up. Rebooted computer and reran combofix thinking to try combo fix within recocvery console. Again system hung, so have run DDS and GMER logs and attached for you. Could you please take another look for me, sorry for all the problems. Maureen


DDS (Version 1.0) - NTFSx86
Run by frog at 16:40:41.00 on 2008-12-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.177 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\frog\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Supanet Internet Explorer
mWindow Title = Supanet Internet Explorer
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - c:\program files\webmediaviewer\hpmun.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - c:\program files\webmediaviewer\browseul.dll
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [CARPService] carpserv.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
mExplorerRun: [VMware hptray] c:\program files\webmediaviewer\hpmon.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\desktop(2).ini
uPolicies-explorer: NoActiveDesktop = 0 (0x0)
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 8EB395F0D6F42882;8EB395F0D6F42882;\??\c:\documents and settings\frog\desktop\8eb395f0d6f42882\8EB395F0D6F42882 []
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2008-1-4 587096]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
R2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2005-12-13 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-18 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081127.048\NAVENG.SYS [2008-11-28 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081127.048\NAVEX15.SYS [2008-11-28 876112]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 ids00026;ids00026;\??\c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\bases\ids00026.sys []

=============== Created Last 30 ================

2008-12-09 16:22 389,120 a------- c:\windows\system32\CF5975.exe
2008-12-09 16:22 <DIR> --d----- C:\ComboFix
2008-12-09 16:14 161,792 a------- c:\windows\SWREG.exe
2008-12-09 16:14 98,816 a------- c:\windows\sed.exe
2008-12-09 16:13 389,120 a------- c:\windows\system32\CF4267.exe
2008-12-09 16:03 39,424 a------- c:\windows\zipinst.exe
2008-12-06 14:41 250 a------- c:\windows\gmer.ini
2008-11-29 15:15 <DIR> --d----- c:\docume~1\frog\applic~1\Malwarebytes
2008-11-29 15:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 15:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-29 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-16 10:43 <DIR> --dsh--- C:\found.007
2008-11-13 17:41 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 17:41 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-10-24 11:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-04-17 11:22 420 a------- c:\docume~1\frog\applic~1\wklnhst.dat
2006-08-31 13:25 210 a------- c:\program files\New Playlist.wpl
2005-12-13 23:34 42,068,375 a------- c:\program files\NIS06900IN.exe
2005-09-07 14:03 20,798,256 a------- c:\program files\AdbeRdr70_enu_full.exe
2005-09-07 13:57 6,811,904 a------- c:\program files\psa2011se_us.exe
2005-07-20 10:41 1,602 a------- c:\program files\supanet.ins
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(4).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(3).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(2).exe
2008-09-07 10:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 16:41:11.04 ===============

[sUBs]

Skip the recovery console & run this from safe mode.



Open NOTEPAD and copy/paste the text in the quotebox below into it:

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/320799-problems-after-zlob-trojan.html#post1847501
DDS::
BHO: {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - c:\program files\webmediaviewer\hpmun.dll
TB: {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - c:\program files\webmediaviewer\browseul.dll
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
mExplorerRun: [VMware hptray] c:\program files\webmediaviewer\hpmon.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\desktop(2).ini
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php
DRIVER::
R2 8EB395F0D6F42882
FILE::
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(4).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(3).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(2).exe
FOLDER::
c:\documents and settings\frog\desktop\8eb395f0d6f42882
COLLECT::
c:\documents and settings\frog\desktop\8eb395f0d6f42882\8EB395F0D6F42882

Save this as "CFScript"





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additonally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/subm....php?channel=4

[phoenix_1275]

Hi there - have followed your instructions and ran Combofix again with the new script. Combofix ran but part way through gave an error message
ROUTE.EXE failed to initialise.... Oxc0000142 click ok to terminate the application. I clicked ok and combofix carried on. When it was finished it rebooted windows. When windows came up again I logged onto the main account and located the combofix.txt file, which is attached. Combofix did not produce a .zip file.... so navigated to C:\Qoobox\Quarantine directory and no zip file was present, so ran dds and gmer again and hae the logs if you want them. Logged off windows and when I tried to log back on again it would'nt let me access the main account. system just hung.. after reboot could access a limited user account but not the main. Thats the state of play at the moment...
Regards Maureen

[sUBs]

Seems to get worse as we go along. :(

Quote:

ran dds and gmer again and hae the logs if you want them.

Please show me these logs.

[phoenix_1275]

Hi again sorry for the other things going on at the same time..
here are the logs.

btw I really appreciate you taking the time with to look at the problem. It doesn't help that my friend keeps taking his computer away with him as soon as I've done a scan. Makes me wonder what the heck is on his machine .


DDS (Version 1.0) - NTFSx86
Run by frog at 16:11:43.34 on 2008-12-10
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.479.142 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Documents and Settings\frog\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
mWindow Title = Supanet Internet Explorer
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [CARPService] carpserv.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [combofix] c:\windows\system32\cf21653.exe /c c:\combofix\Combobatch.bat
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
mExplorerRun: [VMware hptray] c:\program files\webmediaviewer\hpmon.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\desktop(2).ini
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 8EB395F0D6F42882;8EB395F0D6F42882;\??\c:\documents and settings\frog\desktop\8eb395f0d6f42882\8EB395F0D6F42882 []
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2008-1-4 587096]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-1-26 149352]
R2 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2005-12-13 1245064]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-18 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081127.048\NAVENG.SYS [2008-11-28 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081127.048\NAVEX15.SYS [2008-11-28 876112]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-13 23888]
S3 ids00026;ids00026;\??\c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\bases\ids00026.sys []

=============== Created Last 30 ================

2008-12-10 16:00 <DIR> --d----- C:\ComboFix
2008-12-10 16:00 389,120 a------- c:\windows\system32\CF21653.exe
2008-12-09 16:22 389,120 a------- c:\windows\system32\CF5975.exe
2008-12-09 16:14 161,792 a------- c:\windows\SWREG.exe
2008-12-09 16:14 98,816 a------- c:\windows\sed.exe
2008-12-09 16:13 389,120 a------- c:\windows\system32\CF4267.exe
2008-12-09 16:03 39,424 a------- c:\windows\zipinst.exe
2008-12-06 14:41 250 a------- c:\windows\gmer.ini
2008-11-29 15:15 <DIR> --d----- c:\docume~1\frog\applic~1\Malwarebytes
2008-11-29 15:15 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-29 15:15 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-29 15:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-16 10:43 <DIR> --dsh--- C:\found.007
2008-11-13 17:41 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-13 17:41 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-10-24 11:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-04-17 11:22 420 a------- c:\docume~1\frog\applic~1\wklnhst.dat
2006-08-31 13:25 210 a------- c:\program files\New Playlist.wpl
2005-12-13 23:34 42,068,375 a------- c:\program files\NIS06900IN.exe
2005-09-07 14:03 20,798,256 a------- c:\program files\AdbeRdr70_enu_full.exe
2005-09-07 13:57 6,811,904 a------- c:\program files\psa2011se_us.exe
2005-07-20 10:41 1,602 a------- c:\program files\supanet.ins
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(4).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(3).exe
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(2).exe
2008-09-07 10:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat

============= FINISH: 16:12:27.20 ===============

[sUBs]

Looks like ComboFix didn't get to finish running. Something must have interrupted it.

Quote:

It doesn't help that my friend keeps taking his computer away with him as soon as I've done a scan. Makes me wonder what the heck is on his machine

Since your friend has a dire need to use the machine, it may be worth considering wiping it altogether. That should be a quicker process than trying to disinfect a semi-present machine.

[phoenix_1275]

Hi Subs
Have phoned friend, have told him to bring back machine tomorrow and that he has to leave it with me if he wants it fixed.. Is it still ok to carry on?
Maureen

[sUBs]

Quote:

when I tried to log back on again it would'nt let me access the main account. system just hung.. after reboot could access a limited user account but not the main.

Sounds like his userprofile may have got corrupted.

Reboot to Safe Mode so that you may attain Administrator privileges.
Then go to the folder - C:\Windows\ERDNT\Hiv_Backup\
Double click on ERDNT.exe
It shall reboot the machine
Hopefully this repair/restores the corrupted userprofile

[phoenix_1275]

Hi Subs
Have rebooted in safe mode and did as you said.... restored user data ... it came back with quite a few erros relating to the user account so skipped them and let program continue and can now access main user account after reboot. Do you want me to try and run Combofix with the previous script again? Maureen

[sUBs]

Yes, please do.

[phoenix_1275]

Hi sUBs.... thanks for your quick response...
Reran script on the machine as requested and the same error as previous occurred.

Clicked Ok to continue without Recovery Console and Combofix started to run then came back with the error

"ROUTE.EXE - APPLICATION ERROR"
"The application failed to initialise properly (0x0000142) Click OK to terminate the application" .

This is the same as last time when it didn't produce the logs as process was interrupted.

As an aside, the problem with logging onto the main user account has not gone away as I thought. After some checking have discovered that when there is no ethernet cable connected Windows will allow access to main account, but when cable is plugged in system hangs. Have checked in device drivers and ethernet adapter is apparently working fine, so a bit stumped there.
Maureen

[sUBs]

Maureen, let's leave that for the moment. I need to see the log that ComboFix produced

[phoenix_1275]

Hi sUBs
Here's the log..... when Combofix finished it gave an error message relating to
'cannot find c:\docu....1\frog\local....1\temp\log.txtfile' 'Create new file?'
so clicked YES and notepad came up blank.. navigated to combofix folder and picked up the log file

Maureen


ComboFix 08-12-06.06 - frog 2008-12-11 17:16:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.156 [GMT 0:00]
Running from: c:\documents and settings\frog\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\frog\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
2004-08-04 12:00 208,896 a------- c:\windows\inf\unregmp2(4).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\frog\desktop\8eb395f0d6f42882 . . . . failed to delete
.
---- Previous Run -------
.
c:\windows\IE4 Error Log.txt
c:\windows\system32\ipflr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_8EB395F0D6F42882
-------\Service_8EB395F0D6F42882
-------\Legacy_8EB395F0D6F42882
-------\Service_8EB395F0D6F42882


((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-11 15:55 . 2008-12-11 15:55 <DIR> d-------- c:\documents and settings\Administrator
2008-12-09 16:03 . 2008-12-09 16:03 39,424 --a------ c:\windows\zipinst.exe
2008-12-06 14:41 . 2008-12-10 16:13 250 --a------ c:\windows\gmer.ini
2008-11-29 15:15 . 2008-11-29 15:15 <DIR> d-------- c:\documents and settings\frog\Application Data\Malwarebytes
2008-11-29 15:15 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:15 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 15:14 . 2008-11-29 15:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 15:14 . 2008-11-29 15:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 11:06 . 2008-11-29 11:06 <DIR> d-------- c:\documents and settings\rhian\Application Data\Symantec
2008-11-16 10:43 . 2008-11-16 10:43 <DIR> d--hs---- C:\found.007
2008-11-13 17:41 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 17:41 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 17:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-29 16:27 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-04-20 16:54 702 ----a-w c:\documents and settings\rhian\Application Data\wklnhst.dat
2008-04-17 11:22 420 ----a-w c:\documents and settings\frog\Application Data\wklnhst.dat
2006-08-31 13:25 210 ----a-w c:\program files\New Playlist.wpl
2005-12-13 23:34 42,068,375 ----a-w c:\program files\NIS06900IN.exe
2005-09-07 14:03 20,798,256 ----a-w c:\program files\AdbeRdr70_enu_full.exe
2005-09-07 13:57 6,811,904 ----a-w c:\program files\psa2011se_us.exe
2005-07-20 10:41 1,602 ----a-w c:\program files\supanet.ins
2004-08-04 12:00 208,896 ----a-w c:\windows\inf\unregmp2(4).exe
2004-08-04 12:00 208,896 ----a-w c:\windows\inf\unregmp2(3).exe
2004-08-04 12:00 208,896 ----a-w c:\windows\inf\unregmp2(2).exe
2008-09-07 10:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-06-21 839770]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2004-12-22 7957504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-10 118784]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-03 26112]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-16 192512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-07 718704]
"CARPService"="carpserv.exe" [2003-06-11 c:\windows\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
desktop(2).ini [2005-01-25 84]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DivX\\DivX Codec\\config.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 8EB395F0D6F42882;8EB395F0D6F42882;\??\c:\documents and settings\frog\Desktop\8EB395F0D6F42882\8EB395F0D6F42882 []
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-01-26 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-18 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-13 23888]
S3 ids00026;ids00026;\??\c:\documents and settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys []

*Newly Created Service* - 8EB395F0D6F42882
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-07-07 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - frog.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Explorer_Run-QuickTime Task - c:\program files\WebMediaViewer\qttask.exe
HKLM-Explorer_Run-VMware hptray - c:\program files\WebMediaViewer\hpmon.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
mWindow Title = Supanet Internet Explorer
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\Housecall_ActiveX.dll
O16 -: {6E5A37BF-FD42-463A-877C-4EB7002E68AE}
hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
c:\windows\Downloaded Program Files\hcImpl.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 17:23:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8EB395F0D6F42882]
"ImagePath"="\??\c:\documents and settings\frog\Desktop\8EB395F0D6F42882\8EB395F0D6F42882"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\8EB395F0D6F42882]
"ImagePath"="\??\c:\documents and settings\frog\Desktop\8EB395F0D6F42882\8EB395F0D6F42882"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
.
**************************************************************************
.
Completion time: 2008-12-11 17:27:58 - machine was rebooted [frog]
ComboFix-quarantined-files.txt 2008-12-11 17:26:42

Pre-Run: 64,475,291,648 bytes free
Post-Run: 64,469,479,424 bytes free

162 --- E O F --- 2008-11-13 20:09:35

[sUBs]

Kindly run this cfscript

Code:

http://www.techsupportforum.com/security-center/hijackthis-log-help/320799-problems-after-zlob-trojan.html
DRIVER::
8EB395F0D6F42882
ids00026
FILE::
c:\windows\inf\unregmp2(4).exe
c:\windows\inf\unregmp2(3).exe
c:\windows\inf\unregmp2(2).exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop(2).ini
FOLDER::
c:\documents and settings\frog\desktop\8eb395f0d6f42882
COLLECT::
c:\documents and settings\frog\desktop\8eb395f0d6f42882\8EB395F0D6F42882

[phoenix_1275]

Hi sUBs here's the newest log

ComboFix 08-12-06.06 - frog 2008-12-11 18:01:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.152 [GMT 0:00]
Running from: c:\documents and settings\frog\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\frog\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop(2).ini
c:\windows\inf\unregmp2(2).exe
c:\windows\inf\unregmp2(3).exe
c:\windows\inf\unregmp2(4).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop(2).ini
c:\windows\inf\unregmp2(2).exe
c:\windows\inf\unregmp2(3).exe
c:\windows\inf\unregmp2(4).exe
c:\documents and settings\frog\desktop\8eb395f0d6f42882 . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_8EB395F0D6F42882
-------\Legacy_IDS00026
-------\Service_8EB395F0D6F42882
-------\Service_ids00026


((((((((((((((((((((((((( Files Created from 2008-11-11 to 2008-12-11 )))))))))))))))))))))))))))))))
.

2008-12-11 15:55 . 2008-12-11 15:55 <DIR> d-------- c:\documents and settings\Administrator
2008-12-09 16:03 . 2008-12-09 16:03 39,424 --a------ c:\windows\zipinst.exe
2008-12-06 14:41 . 2008-12-10 16:13 250 --a------ c:\windows\gmer.ini
2008-11-29 15:15 . 2008-11-29 15:15 <DIR> d-------- c:\documents and settings\frog\Application Data\Malwarebytes
2008-11-29 15:15 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-29 15:15 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-29 15:14 . 2008-11-29 15:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-29 15:14 . 2008-11-29 15:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-29 11:06 . 2008-11-29 11:06 <DIR> d-------- c:\documents and settings\rhian\Application Data\Symantec
2008-11-16 10:43 . 2008-11-16 10:43 <DIR> d--hs---- C:\found.007
2008-11-13 17:41 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 17:41 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 17:27 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-29 16:27 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-04-20 16:54 702 ----a-w c:\documents and settings\rhian\Application Data\wklnhst.dat
2008-04-17 11:22 420 ----a-w c:\documents and settings\frog\Application Data\wklnhst.dat
2006-08-31 13:25 210 ----a-w c:\program files\New Playlist.wpl
2005-12-13 23:34 42,068,375 ----a-w c:\program files\NIS06900IN.exe
2005-09-07 14:03 20,798,256 ----a-w c:\program files\AdbeRdr70_enu_full.exe
2005-09-07 13:57 6,811,904 ----a-w c:\program files\psa2011se_us.exe
2005-07-20 10:41 1,602 ----a-w c:\program files\supanet.ins
2008-09-07 10:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-06-21 839770]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2004-12-22 7957504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-10 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-10-10 118784]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-06-03 26112]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-16 192512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-07 718704]
"CARPService"="carpserv.exe" [2003-06-11 c:\windows\system32\carpserv.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DivX\\DivX Codec\\config.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-01-26 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-18 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-13 23888]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-07-07 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - frog.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
mWindow Title = Supanet Internet Explorer
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

c:\windows\system32\msvcrt.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\Housecall_ActiveX.dll
O16 -: {6E5A37BF-FD42-463A-877C-4EB7002E68AE}
hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
c:\windows\Downloaded Program Files\hcImpl.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-11 18:07:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
.
**************************************************************************
.
Completion time: 2008-12-11 18:11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-11 18:11:06
ComboFix2.txt 2008-12-11 17:28:01

Pre-Run: 64,458,911,744 bytes free
Post-Run: 64,446,468,096 bytes free

148 --- E O F --- 2008-11-13 20:09:35

[sUBs]

c:\documents and settings\frog\desktop\8eb395f0d6f42882

Do you see this folder on the Desktop? If so, delete it

[phoenix_1275]

Hi there again

That folder is not sitting on the desktop. Checked through explorer and nothing is showing. Advanced search didn't pick it up either? sorry