Gmswjambo Posted October 12, 2008 ID:30652 Share Posted October 12, 2008 Hi, hope you can help. Norton Antivirus told me that I had a Trojan.Zlob today - although my McAfee system did not give me an alert about it. I then initiated a scan using the McAfee system and it returned nothing. Still concerned, I downloaded Malwarebytes and initiated a full scan, and it returned no baddies. Could it be possible that the Trojan evaded Malwarebytes or do you think the Norton scan was a false alert? This was the mbam script:12/10/2008 23:20:19mbam-log-2008-10-12 (23-20-19).txtScan type: Full Scan (C:\|D:\|E:\|)Objects scanned: 142602Time elapsed: 1 hour(s), 3 minute(s), 3 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
nosirrah Posted October 12, 2008 ID:30656 Share Posted October 12, 2008 We have the fakealert/zlob families locked down good , likely the best of any application out there .Only way to know for sure though would be to see a Hijackthis log .Download and run Hijackthis :http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exeChoose the "Do a system scan and save a logfile" option .Copy and paste the log into your next post . Link to post Share on other sites More sharing options...
Gmswjambo Posted October 13, 2008 Author ID:30688 Share Posted October 13, 2008 We have the fakealert/zlob families locked down good , likely the best of any application out there .Only way to know for sure though would be to see a Hijackthis log .Download and run Hijackthis :http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exeChoose the "Do a system scan and save a logfile" option .Copy and paste the log into your next post .Thanks for the very swift reply! Here is the HijackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:40:23, on 13/10/2008Platform: Windows Vista (WinNT 6.00.1904)MSIE: Internet Explorer v7.00 (7.00.6000.16711)Boot mode: NormalRunning processes:C:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Java\jre1.6.0\bin\jusched.exeC:\Windows\sttray.exeC:\Windows\System32\WLTRAY.EXEC:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Dell\MediaDirect\PCMService.exeC:\Program Files\Dell AIO 810\DLCGmon.exeC:\Program Files\McAfee.com\Agent\mcagent.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\DellSupport\DSAgnt.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\Windows\system32\taskeng.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exeC:\Program Files\Internet Explorer\ieuser.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\Windows\system32\wuauclt.exeC:\Windows\system32\NOTEPAD.EXEC:\Windows\system32\NOTEPAD.EXEC:\Users\Gordon\Desktop\HiJackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://recherche.neuf.fr/ie/default.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://recherche.neuf.fr/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = uk.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://recherche.neuf.fr/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://recherche.neuf.fr/ie/default.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by DellR0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhostO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dllO2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exeO4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exeO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell Fax Solutions\fm3032.exe" /sO4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkeyO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startupO4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exeO4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\gordon\appdata\local\temp\GOOGLE~1\{9D1EB~1.SH! C:\Users\Gordon\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\1HKZRM2H\CONGRA~1.SH! (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\gordon\appdata\local\temp\GOOGLE~1\{9D1EB~1.SH! C:\Users\Gordon\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\1HKZRM2H\CONGRA~1.SH! (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exeO4 - Global Startup: QuickSet.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dllO9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dllO9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO13 - Gopher Prefix: O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLLO20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dllO23 - Service: dlcg_device - - C:\Windows\system32\dlcgcoms.exeO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeO23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Bewan\Box\Wizard\jswpsapi.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exeO23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exeO23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exeO23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exeO23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exeO23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXEO23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe--End of file - 10424 bytes Link to post Share on other sites More sharing options...
nosirrah Posted October 13, 2008 ID:30708 Share Posted October 13, 2008 There is no Zlob/FakeAlert (or anything else for that matter) in your log .IMO with the info you have given me the only logical answer is that Zlob attempted to run and was blocked before it ever had a chance to install .A false positive is also possible and so is Norton hitting a long dead trace like a file in a old restore point . It happens from time to time that a new update will detect very old malware and hit something backed up in a restore point .If you were to turn off system restore , reboot and then turn it back on this would flush all old restore points and make a fresh one eliminating this potential issue . Link to post Share on other sites More sharing options...
Gmswjambo Posted October 13, 2008 Author ID:30710 Share Posted October 13, 2008 That's great - I am very relieved! Thank you very much for your help. Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now