wigwig86

Infected by Zlob - need removal advice


These are my logs from my system (note, this is a shared computer).

I do have uTorrent on it, but it was installed by someone else, not by me.

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 6.0.6000

08/09/2009 11:07:22

mbam-log-2009-09-08 (11-07-15).txt

Scan type: Quick Scan

Objects scanned: 76509

Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 5

Memory Processes Infected:

C:\Windows\sc.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security center (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Protection System (Rogue.ProtectionSystem) -> No action taken.

C:\Users\SharedPC1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> No action taken.

Files Infected:

C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> No action taken.

C:\Users\SharedPC1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Protection System\Live Support.lnk (Rogue.ProtectionSystem) -> No action taken.

C:\Users\SharedPC1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> No action taken.

C:\Users\SharedPC1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Protection System\Uninstall.lnk (Rogue.ProtectionSystem) -> No action taken.

C:\Windows\sc.exe (Trojan.FakeAlert) -> No action taken.

I still get the pornotube virus/spyware links on the desktop at startup, and Protection System messages, plus my Microsoft Vista Home Edition control panel has completely disappeared.

Is this the Zlob trojan or a variant?

I installed Sandboxie so that those who download programs via uTorrent could prevent viruses from getting onto the system, but it seems someone forgot to use it that time.

This is the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 12:07:59, on 08/09/2009

Platform: Unknown Windows (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16851)

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\EDIMAX\Common\RaUI.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Opera 10 Final\opera.exe

C:\Users\Adam\Desktop\HijackThis.exe

O1 - Hosts: ::1 localhost

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [skytel] Skytel.exe

O4 - HKLM\..\Run: [uSB2Check] RUNDLL32.EXE "C:\Windows\system32\PCLECoInst.dll",CheckUSBController

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [RegistryWm] C:\Windows\system32\qtwm.exe

O4 - HKLM\..\RunOnce: [
