Author Topic: Zlob Trojan Help please!  (Read 5628 times)


Offline VirusHater

  • Jr. Member
  • **
  • Posts: 53
Zlob Trojan Help please!
« on: June 24, 2007, 01:39:18 PM »
I have scanned my comp with SpyNoMore and it found a lot of Spyware. The Spyware (Trojan virus?) redirects me when I search for sites. Here is my HijackThis logfile (from safe mode).

Logfile of HijackThis v1.99.1
Scan saved at 14:28:34, on 2007-06-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program\SpyNoMore\SNM.exe
E:\Program\baloo\HijackThis.exe

O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\Program\ekort\Bhoekort.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Anti Virus Kapersky\AV Temp\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [e-kort] C:\Program\ekort\ekort.exe  /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: desktop(2)(2).ini
O4 - Startup: desktop(2).ini
O4 - Startup: desktop(3)(2).ini
O4 - Startup: desktop(3).ini
O4 - Startup: desktop(4).ini
O4 - Global Startup: desktop(2)(2).ini
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: desktop(3)(2).ini
O4 - Global Startup: desktop(3).ini
O4 - Global Startup: desktop(4).ini
I took the picture that looks like me the most!:) I really do hate virus! I´m thinking of chucking out my (kinda) new computer from the window! (two stories high) :)

Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #1 on: June 24, 2007, 01:51:45 PM »
I forgot this.

SpyNoMore found these amongst others in these areas:

Zlob DNS :   HKEY_LOCAL MACHINE/SYSTEM
kd???.exe (Hidden DNS Trojan):  HKEY_LOCAL MACHINE/SYSTEM
Adware/BHO/Toolbar:   HKEY.CURRENT USER

Don't know if any of this helps? Need directions! Thanks in advance :)

Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #2 on: June 24, 2007, 02:20:01 PM »
I scanned with Adaware 2007 and it found:

Infections found: 3
Critical: 0
Privacy Objects: 3

and then scanned again with SpyNoMore that found once again Zlob and a lot of adware.

In total, 25 items were detected.

I'm lost here :(

Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #3 on: June 24, 2007, 05:25:03 PM »
Kaspersky Anti-Virus can't find anything. Is SpyNoMore just screwing me over?

Offline SpyDie

  • The Spyware Cooker
  • Administrator
  • Hero Member
  • *****
  • Posts: 2045
    • The LandzDown Forum
Re: Zlob Trojan Help please!
« Reply #4 on: June 24, 2007, 05:42:20 PM »
SpyNoMore was a previously listed rogue application here:

http://spywarewarrior.com/rogue_anti-spyware.htm

Looks like it may be time for it to appear back on the list.

Does SpyNoMore keep any logfiles? Do you have any idea what ekort is?
Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #5 on: June 26, 2007, 07:41:06 PM »
Hi!

After cleaning in safe mode with a couple of different programs I still seem to have that redirect problem. It was okay for a couple of days.

E-kort is Swedish for an internet paycard you can use on the internet to purchase stuff. Can't be that. SpyNoMore said the Trojan was in an HKLM file?

Can anyone here help me?

Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5125
  • Half a bubble off plumb
Re: Zlob Trojan Help please!
« Reply #6 on: June 26, 2007, 11:22:42 PM »
The HJT log you posted was done in safe mode ... let's see one in normal boot.

Safe mode doesn't allow connecting to the Internet, so any re-direct may not be obvious.

Also, you didn't post your entire HJT log ^^^
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member
Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #7 on: June 28, 2007, 01:14:11 PM »
I tried to connect to the forum yesterday but couldn't. I don't know if it was down? I'm at work at the moment but when I get home I will follow your instructions. Thanks for the help!

/Tony

Offline SpyDie

Re: Zlob Trojan Help please!
« Reply #8 on: June 28, 2007, 01:31:58 PM »
By the way, yes, the forum was down yesterday.

Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #9 on: June 28, 2007, 04:05:39 PM »
Logfile of HijackThis v1.99.1
Scan saved at 18:01:12, on 2007-06-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program\ekort\ekort.exe
C:\Program\QuickTime\qttask.exe
C:\Program\SpyNoMore\SNM.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\OBroker.exe
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Program\baloo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.altavista.com/
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\Program\ekort\Bhoekort.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Anti Virus Kapersky\AV Temp\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [e-kort] C:\Program\ekort\ekort.exe  /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SNM] C:\Program\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: desktop(2)(2).ini
O4 - Startup: desktop(2).ini
O4 - Startup: desktop(3)(2).ini
O4 - Startup: desktop(3).ini
O4 - Startup: desktop(4).ini
O4 - Global Startup: desktop(2)(2).ini
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: desktop(3)(2).ini
O4 - Global Startup: desktop(3).ini
O4 - Global Startup: desktop(4).ini
O9 - Extra button: e-kort - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program\ekort\ekort.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB6C0EEB-538C-4801-B9B3-01DA70DE7B0B}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Anti Virus Kapersky\AV Temp\Kaspersky Anti-Virus Personal\kavsvc.exe

Is this the whole log?

Offline SpyDie

Re: Zlob Trojan Help please!
« Reply #10 on: June 28, 2007, 07:43:23 PM »
Yes it is; you have a WareOut infection.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it.

Click Next, then Install, then make sure Run fixit is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.

Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile at: C:\fixwareout\report.txt

If you have internet connection problems after running the fix:

Go to Start -> Control Panel, and choose Network Connections. Then right-click on your default connection, usually Local Area Connection (or Dial-up Connection if you are using dial-up), and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.
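What makes the log above read as a DNS hijack is the set of O17 lines: the same two resolvers (85.255.116.29 and 85.255.112.134) are set statically in every control set and on the network interface, which is exactly what FixWareout clears and what the "Obtain DNS servers automatically" step undoes by hand. As an added example (not code from the forum, HijackThis or FixWareout), here is a small Python checker that parses the O17 lines and flags any resolver outside an allowlist the reviewer supplies; the sample log lines are copied from the log above, and the trusted ranges are an assumption for illustration.

```python
import ipaddress
import re

# O17 lines copied from the HijackThis log posted above (Reply #9). Note the
# separator differs: comma on the interface key, space on the Parameters keys.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.altavista.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB6C0EEB-538C-4801-B9B3-01DA70DE7B0B}: NameServer = 85.255.116.29,85.255.112.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.29 85.255.112.134
O23 - Service: kavsvc - Kaspersky Lab - C:\Anti Virus Kapersky\AV Temp\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [ip, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        ips = []
        # HijackThis prints the list comma- or space-separated; accept both.
        for piece in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ips.append(str(ipaddress.ip_address(piece)))
            except ValueError:
                continue  # not an address: skip it rather than abort the scan
        entries.append((m.group("key"), ips))
    return entries


def find_rogue_nameservers(log_text, trusted_nets):
    """Return [(registry_key, ip), ...] for each static resolver outside trusted_nets.

    trusted_nets: CIDR strings for the resolvers this machine should use
    (its ISP's or the LAN router's). A statically set resolver outside them,
    repeated across CCS/CS1/CS2 and the interface key as in the log above,
    is the pattern of a DNS hijack and should be investigated.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    rogue = []
    for key, ips in parse_o17(log_text):
        for ip in ips:
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                rogue.append((key, ip))
    return rogue


if __name__ == "__main__":
    # Assumed trusted range: a typical home LAN router only (not from the thread).
    for key, ip in find_rogue_nameservers(SAMPLE_HJT_LOG, ["192.168.0.0/16"]):
        print(f"rogue resolver {ip} set under {key}")
```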

Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #11 on: June 30, 2007, 11:29:44 AM »
Here is the Fixwareout report:

Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdjdv.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.29" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BB6C0EEB-538C-4801-B9B3-01DA70DE7B0B}
"nameserver"="85.255.116.29,85.255.112.134" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BB6C0EEB-538C-4801-B9B3-01DA70DE7B0B}
"DhcpNameServer"="85.255.116.29,85.255.112.134" <Value cleared.

DNS-matcharens cacheminne har rensats.


System was rebooted successfully.
 
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAVPersonal50"="C:\\Anti Virus Kapersky\\AV Temp\\Kaspersky Anti-Virus Personal\\kav.exe /minimize"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"e-kort"="C:\\Program\\ekort\\ekort.exe  /dontopenmycards"
"QuickTime Task"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\\Program\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

The new HiJack log:

Logfile of HijackThis v1.99.1
Scan saved at 13:25:32, on 2007-06-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program\ekort\ekort.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\OBroker.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\WgaTray.exe
E:\Program\baloo\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://se.altavista.com/
O2 - BHO: e-kort Browser Helper Object - {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D} - C:\Program\ekort\Bhoekort.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [KAVPersonal50] C:\Anti Virus Kapersky\AV Temp\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [e-kort] C:\Program\ekort\ekort.exe  /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: desktop(2)(2).ini
O4 - Startup: desktop(2).ini
O4 - Startup: desktop(3)(2).ini
O4 - Startup: desktop(3).ini
O4 - Startup: desktop(4).ini
O4 - Global Startup: desktop(2)(2).ini
O4 - Global Startup: desktop(2).ini
O4 - Global Startup: desktop(3)(2).ini
O4 - Global Startup: desktop(3).ini
O4 - Global Startup: desktop(4).ini
O9 - Extra button: e-kort - {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - C:\Program\ekort\ekort.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .pdf: C:\Program\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Anti Virus Kapersky\AV Temp\Kaspersky Anti-Virus Personal\kavsvc.exe


Offline SpyDie

Re: Zlob Trojan Help please!
« Reply #12 on: June 30, 2007, 12:06:26 PM »
Looks good :)

How are things now?

Offline VirusHater

Re: Zlob Trojan Help please!
« Reply #13 on: June 30, 2007, 01:01:35 PM »
Looks like you have solved the problem :mitch:

I thank you soooooooooooooo very much!  :D

I knew that I could count on this site :thumbsup:

What can I do to prevent this from happening in the future?

And if it does, can I just use the Fixwareout program and it will work?

Offline SpyDie

Re: Zlob Trojan Help please!
« Reply #14 on: June 30, 2007, 09:24:32 PM »
http://www.landzdown.com/index.php?topic=2783.0

That topic lists easy things you can do to increase the security of the system.

The fixwareout program will only repair the WareOut infection. Your first line before attempting to post to a site with a HijackThis logfile should be scans from programs like AVG AntiSpyware and Spybot Search and Destroy. Although in the case with WareOut specifically, these sort of programs don't give much help.

It will never do any harm to post to a site though, describing the problem you are having. Someone will point you in the right direction :)