LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Cherubs on August 08, 2006, 09:49:39 PM

Title: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 08, 2006, 09:49:39 PM
 Hi There, I'm new to these boards and hope you can help me. I've read some of the threads already and have already started the housecall scan.

I was trying to download a program last night for my daughter and ended up with windows everywhere and new icons on my desktop (online scanner and security trouble center). I've already deleted objects from the registry and thought I'd gotten rid of it, but this morning my NOD 32 eye came up saying it had found a variant of zlob in windows32 or something and had moved it to the chest, so I'm guessing it's still on my computer somewhere and I'd like to get rid of it completely.

 :help:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Ripley on August 09, 2006, 12:03:18 AM
Hi Cherubs!
and Welcome to Landzdown Forum!!

I am a member here and Not an expert, but one will reply shortly.  How did you make out with the Housecall scan?

Ripley
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: cannymum on August 09, 2006, 03:16:27 AM
G'day Cherubs,

Please follow the info given here http://www.landzdown.com/index.php?topic=423.0 and post the log as a reply to this topic.

Thanks

p.s. Cherubs has run various scans, and now requires the assistance of the experts.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 09, 2006, 04:54:07 AM
Hi there and thanks for the welcome.

The housecall never got to finish its scan as when I walked away to get a coffee and came right back all windows had shut down.
I have since installed Avast and run it in safe mode which found 3 trojans. I am now running a Full Service Scan from the Windows Live Service Centre, I actually thought I had fixed the problem but already the scan is up to 6 viruses with 8 detected items. It's been running for some time now. I have since taken the Avast off as I only wanted it to do the safemode scan for me as I run NOD 32. I will check the other link out shortly as soon as the kids give me a few moments to concentrate.

Thanks so much to everyone!!
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: cannymum on August 09, 2006, 04:56:04 AM
Cherubs,

I know you have been scanning your PC to within an inch of its life. Please don't even consider a reformat at the moment. The good folk here will help clean up any/all leftovers from this nasty infection.

Cheers
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 09, 2006, 05:01:37 AM
Canny I would never do a reformat, I have way too much on here LOL!!

Here is a copy of the HijackThis that I did last night. I will do another one if you like after the scan that is running but that could take some time I'm guessing. I have to take the kids to dance class now but will be back later on! Thanks again.....

Logfile of HijackThis v1.99.1
Scan saved at 9:56:49 PM, on 8/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\Program Files\Middleware\CmSkype.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CmSkype] "C:\Program Files\Middleware\CmSkype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: ! Snipeville.Com - http://www.snipeville.com/ebay_add2.php
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.au
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.2.7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://littlecherubs.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/download/scanner/en-us/wlscbase3401.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131964732390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: SpyDie on August 09, 2006, 01:21:29 PM
For one, you have two anti-viruses running. I think you may be getting confused also. AVG offers a 'chest', NOD32 doesn't. NOD32, if told to, will quarantine files but has no reference to a 'chest' - AVG does however.

So, with that said, could you scan with the antivirus that you are using, and post the logfile from it please? Uninstall one of them also, having two antivirus resident isn't a good idea at all.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 09, 2006, 01:28:15 PM
LOL ... SpyDie beat me to it ...

I suspect NOD32 is 'seeing' the item in the AVG chest.

You have a lot of security programs running simultaneously. Ewido, SpyHunter, and SpyBot's Teatimer ...

Also, your Java is a few updates behind.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Paddy on August 09, 2006, 05:45:24 PM
Also, did you install MessengerPlus! 3

C:\Program Files\MessengerPlus! 3\MsgPlus.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
or did the kids install it? As it can come bundled with spyware…

numbnuts..
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 09, 2006, 07:34:04 PM
Good Morning (well it is here)

That scan that I did last night was not long after it happened and I had loaded AVG so I could do a safe mode scan. I ended up taking the AVG off straight after putting it on as it wasn't the one I was thinking of. It was Avast, so I installed that, did the scan in bootmode and then took it off as I know you can't have 2 running. It found 2 items in system restore and then the zlob which I was after. Through the night I ran a Windows Live Scan, before I went to bed it said it had found 6 viruses with 9 detected objects but this morning on waking there was no log of what it had found, just said it was finished so I'm hoping it just took them off for me.
As for Messenger 3, only I use this computer, I have windows live messenger, is there something on there I need to get off?
All those other programs are ones I was told to install last night. I've taken some of them off already as they were asking for me to register etc.
It's all so much I don't even know where I'm up to with all this.
I've also taken off Spybot's teatimer.
Question: What is Winlogon.exe? I notice that's now one of my running processes. It kept coming up in a box from spybot yesterday before I took off the teatimer thing saying I had denied changes and I have no idea if I did the right thing or even what I did as at the time everything was happening so fast.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 09, 2006, 07:38:42 PM
Good Morning (well it is here)

That scan that I did last night was not long after it happened and I had loaded AVG so I could do a safe mode scan. I ended up taking the AVG off straight after putting it on as it wasn't the one I was thinking of. It was Avast, so I installed that, did the scan in bootmode and then took it off as I know you can't have 2 running. It found 2 items in system restore and then the zlob which I was after. Through the night I ran a Windows Live Scan, before I went to bed it said it had found 6 viruses with 9 detected objects but this morning on waking there was no log of what it had found, just said it was finished so I'm hoping it just took them off for me.
As for Messenger 3, only I use this computer, I have windows live messenger, is there something on there I need to get off?
All those other programs are ones I was told to install last night. I've taken some of them off already as they were asking for me to register etc.
It's all so much I don't even know where I'm up to with all this.
I've also taken off Spybot's teatimer.
Question: What is Winlogon.exe? I notice that's now one of my running processes. It kept coming up in a box from spybot yesterday before I took off the teatimer thing saying I had denied changes and I have no idea if I did the right thing or even what I did as at the time everything was happening so fast.

 :wasntme:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 09, 2006, 07:40:25 PM
Oh Shoot it's showing me practicing how to use these boards, sorry guys!! I didn't know it was going to post again, I'm just trying to see what everything does LOL.....

 :mitch:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 09, 2006, 07:43:16 PM
Is this what you meant me to do? I just ran HijackThis again. Here are the results....

Logfile of HijackThis v1.99.1
Scan saved at 6:43:00 AM, on 10/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\Program Files\WinClamAVShield\sp_clam.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CmSkype] "C:\Program Files\Middleware\CmSkype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: ! Snipeville.Com - http://www.snipeville.com/ebay_add2.php
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.au
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.2.7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://littlecherubs.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131964732390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: GR@PH;<'S on August 09, 2006, 08:12:45 PM
Cherubs,
Quote
Oh Shoot its showing me practing how to use these boards, sorry guys!! I didn't know it was going to post again, I'm just trying to see what everything does LOL.....  :mitch:
No problem but may I suggest that you go play in the
Test Forum (http://www.landzdown.com/index.php?board=15.0)
while you are waiting for your answers to this.
and if you find you need help with any of the tabs just ask and someone will help you.

GR@PH;<'S   :Hammys pint:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Paddy on August 09, 2006, 08:18:50 PM
Good Morning (well it is here)

As for Messenger 3, only I use this computer, I have windows live messenger

As for messenger 3 plus it has nothing to do with Messenger live it's a different program ...

Read this ....
http://www.neuber.com/taskmanager/process/msgplusloader.dll.html

As I'm not a HjT expert I will leave it to them to sort it out for you, just thought it strange to have the two programs at the same time ...


numbnuts ...
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: SpiritWind on August 09, 2006, 10:23:01 PM
 :D  Hi Cherubs :

      Many times the "MessengerPlus! 3" is the LOP spyware unless the spyware
     "component" has been "neutralized"; if you know nothing about this program
      More than likely it should be uninstalled UNLESS one of the Experts here suggest
      an alternative .
      Concerning antivirus programs : you know about having only 1 "resident"
      program ; if you want to run other antivirus programs it is best to run their
      ONLINE Scanner(s), not download,install, update then run in "safe mode" .
      And as mentioned earlier, your Sun Java is 5 Updates behind; therefore, it is a
      serious security risk . Recommend you uninstall it, then go to www.java.com
      and get their latest; perhaps this should be done AFTER the experts get you
      clean !?
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 09, 2006, 11:36:29 PM
Well I have no idea if I've been doing the right thing. I took the java off, from my add and remove programs (hope that was right) there was J2SE Runtime Environment 5.0 Update 1 which was 117MB and then another one called Update 2 which was the same size.
I then installed from the last link given but it said there was an error during installation. I just started a game on my computer and could see everything so hope all is ok.


I just did the verify page for java and it's installed but I can't see one picture, and it says I have to install the plug in, so I go to do that and it says I already have it and to take it off and reinstall again, I'm not going to do anything now until someone comes along to help. Will leave my computer and come back in an hour or so.

Ciao
Title: Latest Sun Java
Post by: SpiritWind on August 10, 2006, 06:01:03 AM
 :D  Hi :

      I just went to www.java.com/en and clicked "Manual Download" and saw :

     "Java Runtime Environment Version 5.0 Update 6" ( Should be Update 7 ) .

     With Sun Java, should always uninstall any "Update" that is NOT the last one ;
     so you were correct to uninstall, from Add/Remove Programs, "Update 1" and
     "Update 2". Since you are unsure as to IF you have installed their latest, you can
      look in your Add/Remove Programs to see if there is an "Update 6" or "Update 7".
      Can also go to Internet Options, then click "Advanced" and look down the menu
      for "Java" and see what it says there; if the "box" is unchecked, should put a
      "check" in the box ( assuming it says "Sun" ) .
     
     
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: SpyDie on August 10, 2006, 02:27:28 PM
The HijackThis logfile looks OK, except for a few orphaned entries. Fix these entries by running a new scan and in the results window, check the boxes beside the entries I list and then click 'Fix'. It's that simple :)

F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)


They won't really change much on the system at all.

So does anything report any instances of the 'Zlob' trojan anymore? Also, it is highly recommended to keep your Java version up to date as SpiritWind has said.  :)

Oh and Winlogon.exe is the Windows Logon Manager. Without it you can't log on or off ;)
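
An added example, not part of SpyDie's post or of HijackThis itself: a small Python parser that picks out the kind of entries listed above (a BHO whose target is "(no file)", an F2 value left empty) from lines excerpted from the logs in this thread, and shows which file each orphaned BHO pointed at in the earlier log. The function names and regular expressions are assumptions made for this illustration.

```python
import re

# Lines excerpted from the HijackThis logs posted in this thread
# (scans saved 8/08/2006, 10/08/2006 and 11/08/2006).
LOG_FIRST = r"""
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
"""
LOG_SECOND = r"""
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
"""
LOG_THIRD = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# "<section> - <body>", e.g. "O2 - BHO: ..." or "F2 - REG:system.ini: Shell="
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# "BHO: <name> - {CLSID} - <file or (no file)>"
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# "REG:<ini file>: <key>=<value>"
F2_RE = re.compile(r"^REG:(?P<ini>[^:]+): (?P<key>[^=]+)=(?P<value>.*)$")


def parse(log):
    """Yield (section, body, line) for every result line; skip everything else."""
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m["section"], m["body"], line


def bho_targets(log):
    """Map each O2 BHO CLSID (upper-cased) to the file the entry points at."""
    targets = {}
    for section, body, _ in parse(log):
        m = BHO_RE.match(body) if section == "O2" else None
        if m:
            targets[m["clsid"].upper()] = m["target"].strip()
    return targets


def orphans(log):
    """Return the lines that reference nothing: BHO -> (no file), empty F2 value."""
    found = []
    for section, body, line in parse(log):
        if section == "O2":
            m = BHO_RE.match(body)
            if m and m["target"].strip() == "(no file)":
                found.append(line)
        elif section == "F2":
            m = F2_RE.match(body)
            if m and not m["value"].strip():
                found.append(line)
    return found


def lost_targets(before, after):
    """CLSIDs that had a file in `before` but read (no file) in `after`."""
    old, new = bho_targets(before), bho_targets(after)
    return {
        clsid: old[clsid]
        for clsid, target in new.items()
        if target == "(no file)" and old.get(clsid, "(no file)") != "(no file)"
    }


if __name__ == "__main__":
    print("Orphaned entries in the second log:")
    for line in orphans(LOG_SECOND):
        print("  " + line)
    print("File each orphaned BHO pointed at in the first log:")
    for clsid, path in lost_targets(LOG_FIRST, LOG_SECOND).items():
        print("  %s was %s" % (clsid, path))
    print("Orphans left in the third log:", orphans(LOG_THIRD))
```

Run against the second log, the result is the same three lines SpyDie lists. The comparison with the first log shows both orphaned CLSIDs were the PCTools BHOs, whose DLLs were gone by the second scan.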
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 10, 2006, 07:07:53 PM
Hi Again,

Thanks for your last post! I've just done what you said. Here is a copy of the latest scan. Could anyone please check to see if the Java is on it and updated. It's giving me an error 1722 and won't install properly, I tried the manual install also. But I'll try someone else's advice as soon as I get a free hour to play with. I think someone left a post for me yesterday which I'm still to follow so thanks heaps for that.

Here's the log I just did....

Logfile of HijackThis v1.99.1
Scan saved at 6:06:29 AM, on 11/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\Program Files\Middleware\CmSkype.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WinClamAVShield\sp_clam.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CmSkype] "C:\Program Files\Middleware\CmSkype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: ! Snipeville.Com - http://www.snipeville.com/ebay_add2.php
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.au
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.2.7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://littlecherubs.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131964732390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks again to everyone, you are all fantastic!! I'd be lost without you all.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 10, 2006, 07:15:52 PM
I don't see the O4 item relating to [SunJavaUpdateSched] and jusched.exe ...

You might try verifying the installation:  http://www.java.com/en/download/installed.jsp

If there is an installation error, you might try uninstalling Java again, and then trying to do a fresh upgrade to the newest version.
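Added example (not part of any post in this thread, and not HijackThis's own code): the two manual checks made above, SpyDie's orphaned "(no file)" entries and winchester73's look for the [SunJavaUpdateSched] O4 item, scripted over a saved log. The sample log is a constructed excerpt assembled from lines posted in this thread, and all function names are hypothetical.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str   # section code, e.g. "O4", "F2", "O23"
    body: str   # everything after "CODE - "


class Autorun(NamedTuple):
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # value name shown in [brackets]
    command: str   # command line that is started


# Constructed excerpt: lines copied from the fix list and logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Eset\nod32krn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# "R1 - ...", "O23 - ..." etc.; header and process-path lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Registry autoruns: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]+)\] ?(.*)$")
# "(no file)" is the marker seen in this thread; "(file missing)" is the
# marker HijackThis prints when an autorun or service target is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_log(text):
    """Return the section entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2).strip()))
    return entries


def is_orphan(entry):
    """Heuristic for leftovers: the target file is gone, or an F-section
    (ini/registry autostart) value is empty, as in the fix list above."""
    if entry.body.endswith(ORPHAN_MARKERS):
        return True
    return entry.code.startswith("F") and entry.body.endswith("=")


def autoruns(entries):
    """Map lower-cased value name -> Autorun for O4 registry Run entries."""
    found = {}
    for entry in entries:
        if entry.code != "O4":
            continue
        match = RUN_RE.match(entry.body)
        if match:  # Startup-folder shortcuts use a different layout; skipped
            found[match.group(3).lower()] = Autorun(*match.groups())
    return found


def has_autorun(entries, name):
    """True if a registry Run value with this name is in the log."""
    return name.lower() in autoruns(entries)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in log:
        if is_orphan(e):
            print("orphaned:", e.code, "-", e.body)
    print("SunJavaUpdateSched present:", has_autorun(log, "SunJavaUpdateSched"))
```

A missing autorun entry only shows that the updater is not registered to start; it does not by itself say why the installer failed.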
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 10, 2006, 07:17:36 PM
If you need the direct link:  http://www.java.com/en/download/windows_ie.jsp
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 10, 2006, 07:33:28 PM
Thanks heaps for that. I have to take my daughter out to dance comps all day today so I'll have to give it another go when I have time to think with no interruptions. I tried uninstalling yesterday and starting from scratch so hopefully the links you've given me are different. Here is the message I kept getting:

There is a problem with this Windows installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vender.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 10, 2006, 07:57:05 PM
Quote
Q: I encountered the following error when running the J2SE installer:

This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.

A: There are several possible reasons:

Proxy server requires authentication;
network connection fails;
download manager software interrupts the download process, e.g., GetRight;
TSR (Terminate and Stay Resident) programs, like Norton AntiVirus, may distract the installation process.
To address these problems, please make sure third-party downloader/TSR programs are turned off and the network connection is setup properly.

Quote
Q: Error 1722. There is a problem with this windows installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vender.

A: This is caused by previous unsuccessful install/uninstall of software through MSI engine. This problem will usually disappear if the users run the installer again.



Source:  http://java.sun.com/j2se/1.4.2/docs/guide/deployment/installation/windows/iftw-update/faq.html

... refers to an old version, but maybe helps?  The second reference seems to indicate the Add/Remove didn't work properly.  Maybe running it a second time will do the trick?
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 10, 2006, 08:02:28 PM
Found this:  http://www.java.com/en/download/help/error_1722.xml

Complete instructions found here ... should do the trick.

 :D
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 11, 2006, 11:38:14 AM
Hi again,

Here's the scan I just did, thought I'd post one more to check if everything is still ok. There seems to be no more zlob so that's good. But I still can't get java to install correctly, will have to tackle that one again tomorrow.

Logfile of HijackThis v1.99.1
Scan saved at 9:39:19 PM, on 11/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\Program Files\Middleware\CmSkype.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\WinClamAVShield\sp_clam.exe
C:\WINDOWS\system32\wisptis.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CmSkype] "C:\Program Files\Middleware\CmSkype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: ! Snipeville.Com - http://www.snipeville.com/ebay_add2.php
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.au
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.2.7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://littlecherubs.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131964732390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 11, 2006, 11:39:04 AM
Spiritwind - I never found it down the list under internet options??
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 11, 2006, 12:28:53 PM
I think this Java page will do the trick:  http://www.java.com/en/download/help/error_1722.xml
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 11, 2006, 09:42:36 PM
 :( Well I've been at it since I got up, I've tried both the different ways and I am still getting the 1722 message. I have no traces of any viruses anymore which is good but for some reason am unable to get java back on. I've followed all the links to all error messages so it's no use showing me those, I now need someone that's maybe gone through it themselves. I'm stuck!! I've uninstalled I don't know how many times. The only thing different from what all the help pages said is the name of the file, on the page links you've all given me it says the file name should be 1.4 something but the one you get is 1.5 which I'm guessing is the latest download. I haven't even found a 7 one which someone mentioned. Please Help!!
Title: Sun Java & "Error 1722"
Post by: SpiritWind on August 12, 2006, 04:18:07 PM
 :D  Hi Cherubs :

      Regarding your "Error 1722", I believe the best info is at :

      http://www.java.com/en/download/help/5000040100.xml .

      Since the Error Message is about "Windows Installer Package", look in your
      Add/Remove Programs and let us know if either "Windows Installer 3.1
     ( KB893803 ) " or "Windows Live Safety Scanner     1.06 MB" are there !?
       If & when you have the latest & current Sun Java, it should say :
      "J2SE Runtime Environment 5.0 Update 7" in your Add/Remove Programs, though
       I am puzzled WHY it says "Update 6" on the Java site !?
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Corrine on August 12, 2006, 05:30:22 PM
Actually, the current Java is J2SE Runtime Environment 5.0, Update 8.

Update Java
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 12, 2006, 07:47:27 PM
HI Spirit,

That's the same link I've been following all along. I have done everything on that page. I have just checked my add/remove programs and have both the Windows Installer Package and the Windows Live Safety Scanner so I'm stumped as is everyone else :confused:
The computer seems to run fine without though but I'm guessing there is going to come a time where I will need it so would like it back on. After every try it has so far never said update 7 in my add and remove programs. And after every try it always gives me the same message and then goes on to say my computer has not been modified but it's always there in add remove though.
Hope you are not all giving up on me. I'm sure we must be able to work this out :wub:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 12, 2006, 07:49:26 PM
Hi Corrine, I missed your post, I only just saw it now. Thank you so much for that, I will give that a go when I get back this morning. And come back and let you know how I go so please check back. :rose:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Corrine on August 12, 2006, 09:02:24 PM
Okies, Cherubs.  We'll certainly be here.  If not, you know Cannymum will give us what for!  :lol:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 12, 2006, 09:18:48 PM
Hey Corrine I like your personal message LOL, that's the song my daughter wants to sing for the school Talent Quest "Everything is coming up Roses". My son just did the show Gypsy where that was one of the songs!!

I'll be back shortly after their singing lessons to tackle that Java :?
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Corrine on August 12, 2006, 10:58:02 PM
Thanks.  Since my avatar is a rose and my hobby is "security", with some gardening thrown in, that is the name of my blog. That's actually a link to it.

Yup, I know what it's like with kids and their activities.  My daughter was a cheerleader and involved in sports and school clubs.  My son was also in sports, the band, marching band, and performed in school musicals.  The biggie was when he had the lead in "Music Man". 
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 12:14:40 AM
SHOOT SHOOT SHOOT I'm really starting to get over this. I downloaded the link which was all good and was the right version "8" etc but the same thing happening half way through installing. That same message came up. So once again its in my add and remove but not fully installed I guess.....
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 12:38:39 AM
 :confused:

Aggggh I've just been to the verify page and it still says I need additional plugins to see everything on the page and when you click on the link it gives it takes you to the update 6 link but in my add/remove programs I clearly have 8 even though it didn't download and ended with errors. This is really driving me nuts.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 01:19:06 AM
Winchester73 I don't see the O4 item relating to [SunJavaUpdateSched] and jusched.exe ...

Could my problems have anything to do with what winchester said, above.....
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 08:49:14 AM
I want my java back :(
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: SpyDie on August 13, 2006, 09:20:39 AM
Could you do something please? Open HijackThis, click 'Open Misc Tools section', then click 'Open uninstall Manager'. Click the button 'Save List'. Save it somewhere (for example C:\ or the desktop). Once you have saved it, it'll open automatically. Post what is in that Notepad Window please.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 09:23:29 AM
OK Will do it now....
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 09:31:26 AM
ACDSee 6.0 PowerPack
Ad-Aware SE Professional
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
ArcSoft Software Suite
Ares 1.8.8
Better File Rename 4.7.1
Canon CanoScan Toolbox 4.1
Canon PhotoRecord
Canon PIXMA iP6000D
Canon PIXMA iP6000D Memory Card Utility
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CanoScan LiDE20,30 Manual
CCleaner (remove only)
CD-LabelPrint
Direct MIDI to MP3 Converter 2.0
DivX
DVD Shrink 3.2
DVD Solution
DVD43 v3.7.0
EasyCleaner
Easy-WebPrint
eBay.com.au - Skype 2.5
ewido anti-spyware 4.0
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Huffyuv AVI lossless video codec (Remove Only)
iTunes
J2SE Runtime Environment 5.0 Update 8
Jasc Animation Shop 3
Jasc Animation Shop 3 20041030_07 Help file Patch
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9 GDI+ Patch
JascUpdate
LimeWire PRO 4.10.0
LiveUpdate BVRP Software
Logitech Desktop Messenger
Logitech iTouch Software
Macromedia Flash Player 8
Macromedia Shockwave Player
MailWasher Pro
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Premium
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Middleware
mobile PhoneTools
MotionDV STUDIO 5.3E LE for DV
Mozilla Firefox (1.5.0.6)
muvee Pro Classic StylePack
Nero Media Player
Nero OEM
NeroVision Express 2
NeroVision Express Content
NOD32 antivirus system
PowerDVD
PowerProducer
QuickTime Alternative 1.70
Realtek AC'97 Audio
SD Viewer for DSC
Security Task Manager 1.6f
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
SiS661FX
Spybot - Search & Destroy 1.4
Spyware Terminator
Turbo Lister
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
vanBasco's Karaoke Player
Video Stream Driver for Panasonic DVC
Virtual Painter
Webshots Desktop
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Safety Scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Series Winter Fun Pack
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip

Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 09:50:23 AM
In that page of HijackThis can I completely uninstall something from there? I can see programs I didn't even realise I had like easycleaner. But when I uninstall from the add remove page it says setup needs to close.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 11:08:24 AM
Oh dear, this is not good, my limewire is now not opening because of the java, why didn't I just leave the old version on that was there.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 13, 2006, 04:44:33 PM
Just to confirm that it isn't something obvious ...

Have you ever re-booted your computer during this thread?  Sometimes uninstallers require a re-boot in order to fully eliminate items.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 13, 2006, 04:46:43 PM
In that page of HijackThis can I completely uninstall something from there? I can see programs I didn't even realise I had like easycleaner. But when I uninstall from the add remove page it says setup needs to close.

You can remove the entries themselves, but not any files/folders/etc associated with them.  It simply manages the 'Add/Remove Software' list.

Tutorial here:  http://www.bleepingcomputer.com/tutorials/tutorial42.html#uniman
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 07:57:24 PM
Morning All.....

Yep, I've rebooted several times. It's really getting to me now. I want my limewire back :( It says I have java in my add/remove programs, but during installation it said the 1722 error so my computer was not modified. Can't figure out why it even says it in the add/remove side if it's not even there. Then when I go to install it, it brings up the older version. It's just a big cycle of nothing!!
Can't wait to get this back on track.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: SpyDie on August 13, 2006, 08:12:02 PM
If you try and remove it, you get the same error yes?
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: GR@PH;<'S on August 13, 2006, 08:15:32 PM
Cherubs,
The best thing I recommend that you do is to get your PC clean of Spy/Malware
then once you're clear re-install it or you could try Shareaza (http://www.shareaza.com/)
But after you have installed it run another scan with Ad-aware to make sure that you are still clean

GR@PH;<'S   :Hammys pint:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 08:17:47 PM
Are you talking about the java? I've removed it several times. I've followed the online instructions and rebooted, but each time I try to re-download I keep getting this error message about the windows installation package and that it has not been successfully downloaded. I'm starting to get stressed as I want it fixed. Please can you help me :wub:

GR@PH;<'S - my computer is now clean and all trojans are long gone :D
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 08:21:13 PM
GR@PH;<'S - Oh cool, I just checked that site out. So it's like limewire, is it?? I use it to get the kids' dancing music from, so would be really lost without it. They quite often need backing tracks to sing to etc.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Paddy on August 13, 2006, 08:32:50 PM
Can you check inside add / remove programs that you have the windows installer 3.1 (KB893803) please ?
and let us know what version you have ..

numbnuts ...
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 08:35:00 PM
ACDSee 6.0 PowerPack
Ad-Aware SE Professional
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
ArcSoft Software Suite
Ares 1.8.8
Better File Rename 4.7.1
Canon CanoScan Toolbox 4.1
Canon PhotoRecord
Canon PIXMA iP6000D
Canon PIXMA iP6000D Memory Card Utility
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CanoScan LiDE20,30 Manual
CCleaner (remove only)
CD-LabelPrint
Direct MIDI to MP3 Converter 2.0
DivX
DVD Shrink 3.2
DVD Solution
DVD43 v3.7.0
Easy-WebPrint
eBay.com.au - Skype 2.5
ewido anti-spyware 4.0
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Huffyuv AVI lossless video codec (Remove Only)
iTunes
J2SE Runtime Environment 5.0 Update 8
Jasc Animation Shop 3
Jasc Animation Shop 3 20041030_07 Help file Patch
Jasc Paint Shop Pro 9
Jasc Paint Shop Pro 9 GDI+ Patch
JascUpdate
LimeWire PRO 4.10.0
LiveUpdate BVRP Software
Logitech Desktop Messenger
Logitech iTouch Software
Macromedia Flash Player 8
Macromedia Shockwave Player
MailWasher Pro
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Premium
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Middleware
mobile PhoneTools
MotionDV STUDIO 5.3E LE for DV
Mozilla Firefox (1.5.0.6)
Nero Media Player
Nero OEM
NeroVision Express 2
NeroVision Express Content
NOD32 antivirus system
PowerDVD
PowerProducer
QuickTime Alternative 1.70
Realtek AC'97 Audio
SD Viewer for DSC
Security Task Manager 1.6f
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
SiS661FX
Spybot - Search & Destroy 1.4
Turbo Lister
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
vanBasco's Karaoke Player
Video Stream Driver for Panasonic DVC
Virtual Painter
Webshots Desktop
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Safety Scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Series Winter Fun Pack
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip

Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 08:36:41 PM
Well I can see it in the list above numbnuts and it looks the same as what you said....

What shall I do now??
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Paddy on August 13, 2006, 08:38:50 PM
Post a fresh HjT logfile for the HjT experts to look at, sorry, it's not my field ... HjT please post a new log ..

numbnuts... :thumbsup:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: GR@PH;<'S on August 13, 2006, 08:41:03 PM
Cherubs,
As you use a P2P to get files and so on please make sure that you scan every download for trojans  & Viruses as well as Spy/Malware.

GR@PH;<'S   :Hammys pint:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 09:19:39 PM
Already did that, just posted the above list for Spydie. So crossing fingers here that he can come up with something.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Corrine on August 13, 2006, 10:44:33 PM
Hi, Cherubs. 

From your HJT log posted 11 August, I note C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe.  Personally, I would select a tool that wasn't on the Rogue List, even though Spyware Terminator has supposedly cleaned up their act.  Based on the problems you've had, who's to say that isn't the reason?  It's your choice, of course.

Quote
Note on SpywareTerminator:  We originally listed Spyware Terminator on this page out of concerns that Crawler, the company behind the product, had established connections with IBIS, a well known adware distributor responsible for such adware programs as Wintools, Websearch, & Huntbar. Although we found no problems in our initial testing with Spyware Terminator, and while the vendor itself announced that it was exiting the adware business (1), we decided out of caution to impose a three month probation period before we would consider re-testing and, if warranted, de-listing the product from the Rogue/Suspect list. During that three month probation period we monitored the behavior of IBIS and Crawler. At the end of the three month probation period we re-tested Spyware Terminator, again finding no problems serious enough to justify listing the program on this page. As the vendor involved has not been involved in the distribution of adware for many months, and as the program itself exhibits no problems serious enough to warrant mention on this page, we have decided to de-list Spyware Terminator from the Rogue/Suspect list and can no longer regard the program to be "rogue/suspect."
http://www.spywarewarrior.com/rogue_anti-spyware.htm#spyterm_note

Let's do a bit more cleanup.

A.  Scan with HijackThis, check the following and select "Fix Checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/126p/html/gtdownlr.cab


B. I don't like the looks of this:  O20 - AppInit_DLLs: ,.  Don't remove it yet, but instead update ewido and run a new scan.

Please make sure you use these ewido settings

Next, please reboot your computer in SafeMode by doing the following:

Scanning and system cleaning with ewido.
C.  Restart in normal mode and post the ewido log and a fresh HijackThis log. 
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 10:48:05 PM
Hi Corrine, I'm glad you said that about Spyware Terminator as I uninstalled it this morning before your post. I only put it on while I was getting rid of the zlob trojan and felt I had way too much on here now. Over that time that I had the trojan I must have downloaded about 6 or 7 different programs which I've now taken off except for the HijackThis and ewido ones. I also have my usual ones though, adaware and spybot still on here plus my nod32.

I'll do what you said right away.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 10:57:56 PM
Under "Reports"

    * Select "Automatically generate report after every scan"
    * DE-Select "Only if threats were found"
    * close ewido

Did you mean Corrine for me to tick the "only if threats were found" box, I wasn't sure what DE-Select meant
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Corrine on August 13, 2006, 11:25:30 PM
Yes, deselect that box, please.  I want to see what ewido has to report, even if it doesn't find anything.

Thanks. 

(P.S. With our time zone differences, it may be your tomorrow morning before I have a chance to take a close look at what you post.  However, it's possible SpyDie or Winchester73 will be here first.)
Title: Limewire
Post by: SpiritWind on August 13, 2006, 11:35:56 PM
 :D  Hi Cherubs :

      Dislike throwing "cold water" on Limewire, but back in Apr there was a thread on
      castlecops about Limewire containing a rootkit ; see :

     www.castlecops.com/postlite153185-limewire.html .

      Seems safer to use Shareaza from www.shareaza.com than Limewire !?
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 13, 2006, 11:39:06 PM
Things are getting worse and I'm really starting to stress out (insert tearful icon). I now can't open my internet banking because of the java. I need to get this all sorted quickly as my ebay customers will not be happy!! I just don't know what to do next....
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 14, 2006, 12:32:25 AM
It showed up nothing in the safe mode scan which I didn't think it would as I had already run a scan earlier that morning which found some medium threat objects.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 14, 2006, 03:57:42 AM
Just wanted to let you all know that my problems are all sorted now. Thanks to everyone that helped, it's been a long week!!

I ended up ringing my computer shop and asking them what they thought, he said I'd done nearly everything possible (thanks to you guys!) We even tried downloading a program that had java on it (limewire) which also didn't work.

In the end I reloaded windows xp under the repair 2 mode, which kept all my settings and files etc. I can't believe it's all back to normal now :D

Hugs and Thanks to everyone that took the time to help me  :flowers:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Tarnak on August 14, 2006, 04:29:23 AM
 Glad you got it sorted  Cherubs  :hysterical:

  Since I spent about 4 hours preparing this post, I might as well post as a training exercise   :lol:


 I have been following this thread, and I suggest the following:
 
 


 1. Uninstall Java JRE 1.4..? (or 1.5..?) version via Add/Remove programs.

 2. Reboot

 3. Ensure that all the directories that Java may be installed to in \Program Files are deleted.

    ......Usually in C:\Program Files\Java

       .......see http://img1.yoxio.com/img/250695.gif
 

 4. You may have to delete this folder (Not sure) in this location:


   C:\Documents and Settings\<username>\Application Data\Sun




 5. Download and install the following utility

   see....http://support.microsoft.com/default.aspx?kbid=290301

   After it's installed run it. (I installed this utility in my C:\Program Files)....(For others it may be a shortcut on your Start Menu).

   This utility will display a list of programs installed through Windows Installer. If you find any entries for Java Runtime Environment in the "Installed Products" listing, select it/them, then hit "Remove" and let the cleanup utility do its thing. (Note: this utility merely cleans up Windows Installer Registry data for the selected products; it does not perform a full uninstall of the products.)

........http://img1.yoxio.com/img/250707.gif



 6. This might not be applicable. (Not in my case, probably not in your case either) Look in the following folder:

        C:\WINDOWS\Downloaded Installations

   You should see one or more sub-folders with names like:

   {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

   In each sub-folder will be an .MSI file. For each .MSI file, right click and bring up properties. Look at the Summary tab for indications that the MSI is an installer for Sun Java.
   If you find any Sun Java .MSIs, delete the sub-folder and the file (not the main \Downloaded Installations folder).

 7. Delete any folders named thusly in the root of C:
      (Note! This also might not be applicable)

   C:\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

 8. Reboot
   

 xxxx PLEASE NOTE!!!!   I am not an expert.......so please do not act on this advice for the moment. Not until there is further input from the much more knowledgeable folk in these forums.


Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 14, 2006, 05:32:35 AM
WOW Tarnak, you have done some research and thank you very very much for doing all this for me - Mwah!!! I still can't believe after 7 days I have everything sorted and back to normal. I was starting to get quite teary this afternoon when my banking wouldn't open. I didn't know what I was going to do next.

 :rose:
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: winchester73 on August 14, 2006, 12:21:47 PM
If you have the strength, post a fresh HJT log for examination ...

Glad things got sorted out.  Sorry it wasn't a quick solution.
Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 14, 2006, 10:44:31 PM
Morning Everyone, well things are running great, but here are the results of this morning's ewido scan, and this was after deleting these same ones on spybot just prior to running this one. Does this mean that spybot never got rid of them???

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   9:27:22 AM 15/08/2006

 + Scan result:   



C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.68:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\q0xcam27.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.


::Report end

Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: Cherubs on August 14, 2006, 10:49:57 PM
Hijack log taken just now....

Logfile of HijackThis v1.99.1
Scan saved at 9:51:03 AM, on 15/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\Program Files\Middleware\CmSkype.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CmSkype] "C:\Program Files\Middleware\CmSkype.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Event Minder Reminders.lnk = C:\HALLMARK\EMREMIND.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: ! Snipeville.Com - http://www.snipeville.com/ebay_add2.php
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.2.7.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://littlecherubs.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131964732390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com.au/chat/RSVPChat.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
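
The kind of triage the helpers applied to the HijackThis logs in this thread, as an added example (not code from any poster and not part of HijackThis). It parses log lines by section code and flags three patterns singled out above: an R0/R1 entry with an empty value, an O16 DPF entry with no control name, and an O20 AppInit_DLLs value. The rules and rule names are heuristics assumed for illustration; the sample lines are copied from the logs quoted in this thread.

```python
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/126p/html/gtdownlr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "<section code> - <body>", e.g. "O20 - AppInit_DLLs: ,"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# "DPF: {CLSID} (optional control name) - codebase URL"
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


def parse_entries(log_text):
    """Return (code, body) for every numbered entry; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body").strip()))
    return entries


def triage(entry):
    """Return (rule, reason) if the entry deserves a second look, else None.

    The rules are illustrative heuristics, not a verdict on the entry.
    """
    code, body = entry
    if code in ("R0", "R1"):
        key, _, value = body.partition("=")
        if not value.strip():
            return "R-empty", f"{key.strip()} is set to an empty value"
    elif code == "O16":
        m = DPF_RE.match(body)
        if m and not m.group("name"):
            host = urlparse(m.group("url")).hostname
            return "O16-unnamed", f"control {m.group('clsid')} has no name; codebase host {host}"
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        raw = body.split(":", 1)[1]
        # AppInit_DLLs is a space- or comma-delimited list of DLLs.
        dlls = [t for t in re.split(r"[,\s]+", raw) if t]
        if dlls:
            return "O20-appinit", "loaded into every process that loads user32.dll: " + ", ".join(dlls)
        if raw.strip():
            # e.g. "," : the value is set but lists no DLL.
            return "O20-appinit-blank", f"value {raw.strip()!r} names no DLL"
    return None


def flag_log(log_text):
    """Parse a log and return (rule, code, body, reason) for each flagged entry."""
    findings = []
    for entry in parse_entries(log_text):
        hit = triage(entry)
        if hit:
            findings.append((hit[0], entry[0], entry[1], hit[1]))
    return findings


if __name__ == "__main__":
    for rule, code, body, reason in flag_log(SAMPLE_LOG):
        print(f"[{rule}] {code} - {body}\n    {reason}")
```
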

Title: Re: Oh Darn!!! I have the Zlob trojan - HELP Please....
Post by: normmork on August 15, 2006, 07:56:45 PM
To answer one of your questions this line
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Starts
Windows Genuine Advantage Validation Tool

for more info see here
http://support.microsoft.com/?kbid=921914
Title: Cookie "Remover"
Post by: SpiritWind on August 16, 2006, 02:18:54 AM
 :D  Hi Cherubs :

      That's quite a "collection" of cookies Ewido found; do not know if you "save" any
      of your cookies, but if you do not, consider using antiSPYWARE Expert "ATribune"
      "ATF Cleaner" available from http://www.atribune.org/content/view/19/2/ .
       It can easily rid you of both IE AND Firefox cookies .