5 replies to this topic

[jlaboss]

I need help with my work computer, believe it or not. Our IT support is shoddy at best. This Win32.Trojandownloader.Zlob keeps coming up on my AdAware scan. I think the file is gone but the reg key is still there. Lord knows what else is on this machine (it's a shared computer). Log file will follow... Thanks, Jennifer

[jlaboss]

Logfile of HijackThis v1.99.1
Scan saved at 10:56:27, on 02/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\SYSTEM32\MsgSys.EXE
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WallData\SYSTEM\BrskStrt.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jlabossi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fwdsa001/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://business.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://business.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ITSSSA012:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.one.ads.che.org;eafwdns01;168.112.104.12;168.112.104.72;fwd-apps1;168.112.104.18;csg.dhss.delaware.gov;168.112.104.102;10.240.174.101;168.112.104.39;199.26.210.35;199.26.211.*;cheess.che-ma.org;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\Media-Codec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: FWD Intranet.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Startup: FWD Intranet.url
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RUMBA Lightning.lnk = C:\Program Files\WallData\SYSTEM\BrskStrt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: MIW Deployment - https://fwdrad.che-e...s/MIWDeploy.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...aq/novadaq.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cedaron.webe...bex/ieatgpc.cab
O16 - DPF: {EBE67253-D4EA-11D3-845A-00500483D287} (ImageViewer Class) - file://D:\vwr_data\dcm_vwr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = one.ads.che.org
O17 - HKLM\Software\..\Telephony: DomainName = one.ads.che.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{D934C79B-242C-46D7-AB0B-DD91FF1368B6}: NameServer = 10.66.4.14,168.112.104.69,168.112.104.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = one.ads.che.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = one.ads.che.org
O21 - SSODL: hubbsi - {7b1eeccd-0a6d-4ad5-8ac1-4af5722b3885} - C:\WINDOWS\system32\vwlummc.dll (file missing)
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Corporation - C:\WINDOWS\system32\slClient.exe
O23 - Service: TMA Distribution - Unknown owner - C:\WINDOWS\system32\cba\lcfinst.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Win32Sl - Intel - C:\dmi\win32\bin\Win32sl.exe
O23 - Service: Intel Remote Control Service (Wuser32) - Intel Corporation - C:\LDClient\wuser32.exe

[jlaboss]

One more thing while I have your attention: I get an error when I run Hijack This. An unexpected error has occurred at procedure: modMain_CheckOther1Item() Error #75 - Path/File access error Please email me at merijn@spywareinfo.com, reporting the following: * What you were trying to fix when the error occurred, if applicable * How you can reproduce the error * A complete HijackThis scan log, if possible Windows version: Windows NT 5.01.2600 MSIE version: 6.0.2900.2180 HijackThis version: 1.99.1 This message has been copied to your clipboard. Click OK to continue the rest of the scan. Before this saves to my clipboard, I get an error telling me to change a registry myself... any ideas what this means? Jennifer

[beynac]

Hi Jennifer.

Welcome to TomCoyote forums. I'm sorry that you have not had a response. The reason is that you replied to your own thread and we look for threads with zero replies. I'm not sure what the problem is with HijackThis but, I suggest that you delete the version on your desktop and download a new one. This installs in its own folder which means that the backups are kept safe:

Please download HJTsetup.exe from here and save it to your desktop.

• Double click on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Close HijackThis (we don't need it at the moment)

----------------------------------------------------------

SmitFraudFix (by S!Ri)

• Please download SmitFraudFix from here and save it to your Desktop.
• Double-click on Smitfraud.exe - this will create a SmitfraudFix folder.
• Open the folder and double-click smitfraudfix.cmd
• Select option #1 - Search by typing 1 and press Enter - a text file will appear, which lists infected files (if present).

Do not run any of the other options at this stage.

Please copy/paste the content of the report (c:\rapport.txt) into your next reply. Also could you let me know whether this address relates to your work: one.ads.che.org

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a 'RiskTool'; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert the user.

[beynac]

It's been a few days since I posted. Do you still want help with this?

[beynac]

This thread has been closed due to a lack of response. If you need help, please start a new thread in the HijackThis forum and post a new HJT log.