
winspycontrol trojan.zolob

I have two customers infected or otherwise out of service. Once in a while Symantec will locate and remove Trojan.zolob, but it comes back. I have reviewed the AVG, Norton Symantec and McAfee sites for information and they have none posted. Ad-Aware dies halfway through the scan; Spybot found a Zlob downloader and removed it, but I cannot seem to be rid of it. Any assistance is appreciated.

Asked: bmilne1957
 
michko commented:
Couple things:
Turn off system restore (make sure you have a full backup of your data).
Run scans in Safe Mode.
Download, install, and run CCleaner (www.ccleaner.com), both its cleanup function, and its registry cleaner.

I do like Adaware and Spybot.  However, you may want to try SuperAntiSpyware (www.superantispyware.com).  Additionally, for a product aimed specifically at trojans, take a look at TrojanHunter (they also have a 30 day free trial).  http://www.misec.net/

If you're still having problems after that, post a HiJackThis log back here.
 
bmilne1957 (Author) commented:
I'll give these a try and let you know; thank you for your post!
 
IndiGenus commented:
Sounds like Smitfraud to me. Use the tool and then clean up with AVG AntiSpyware.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Run option #1 first to check for Smitfraud (post the log here if you're not sure).
Then on to option #2 in Safe Mode if found.
Then AVG to clean up (again, in Safe Mode).

Best way to remove Smitfraud.

Good luck,
Dave

bmilne1957 (Author) commented:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:25 AM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Intuit\Intuit Master Builder\Administration\Server\MBAdminServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Add-on Setup\icthis.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HEATH MASON\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gulfcoastsupplyinc.local
O17 - HKLM\Software\..\Telephony: DomainName = gulfcoastsupplyinc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gulfcoastsupplyinc.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Entitlement Service - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\Server\Intuit.EntitlementServerService.exe
O23 - Service: Intuit Master Builder Administrator Service -   - C:\Program Files\Intuit\Intuit Master Builder\Administration\Server\MBAdminServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 
IndiGenus commented:
That HJT appears clean. Did you run the Smitfraud tool and AVG AS or SAS?
 
michko commented:
Your HJT is clean.  Could you provide some more information please:
Did the scans in safe mode pick up any issues (antivirus, Ad-Aware and Spybot (or SuperAntiSpyware))?
Did the scans complete in safe mode?

Are the affected machines on a network?  And do they have any shared drives, either sharing or mapped?  I.e., could the infection be coming from another networked PC?
 
orangutang commented:
What about C:\WINDOWS\system32\logon.scr? Why would a screensaver be running while you're using your computer?
 
wrenhal commented:
Also, this line under running processes seems suspicious:
C:\Program Files\Video Add-on Setup\icthis.exe

Found info on the web.  It's a trojan.  Here's a site: http://www.prevx.com/filenames/X384626503221287173-X1/ICTHIS.EXE.html
I would recommend going into safe mode and deleting that folder and all files in it.  Also search your computer for any files with "icthis" or "icmnrt" in the file name and delete those too.
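The triage wrenhal and orangutang did by eye on the posted log, as an added example that is not code from this thread: a small Python parser for the HijackThis log format that flags the file-name fragments named above (icthis, icmnrt) among running processes and O4 autostart entries, and any .scr binary that shows up as a running process. The log excerpt is constructed from the posted log, and the watchlist is an assumption drawn only from this thread.

```python
import re

# Constructed excerpt modelled on the HijackThis v1.99.1 log posted in the
# thread: a few Running processes paths plus three R/O entries.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video Add-on Setup\icthis.exe
C:\Program Files\iTunes\iTunesHelper.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
"""

# File-name fragments the thread ties to the "Video Add-on" dropper (assumed watchlist).
WATCHLIST = ("icthis", "icmnrt")

def parse_hjt(text):
    """Return (processes, items): Running processes paths and (code, detail) R*/O* lines."""
    processes, items, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.lower().startswith("running processes:"):
            in_procs = True
        elif not line:                      # a blank line ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = re.match(r"^([RO]\d+) - (.*)$", line)
            if m:
                items.append((m.group(1), m.group(2)))
    return processes, items

def find_suspicious(processes, items):
    """Return (where, text, reason) findings for watchlisted names and odd processes."""
    findings = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        if any(frag in name for frag in WATCHLIST):
            findings.append(("process", path, "name matches watchlist"))
        elif name.endswith(".scr"):           # a screensaver should not be a running process
            findings.append(("process", path, "screensaver running as a process"))
    for code, detail in items:
        if code == "O4" and any(frag in detail.lower() for frag in WATCHLIST):
            findings.append((code, detail, "autostart entry matches watchlist"))
    return findings
```

Run it against a full saved log by reading the file into `parse_hjt`; on the constructed excerpt it reports logon.scr and icthis.exe and leaves the Symantec, Spybot and iTunes entries alone.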
 
wrenhal commented:
Oh, you'll need to end process on the icthis.exe in task manager even in safe mode apparently before deleting the folder and files.
 
bmilne1957 (Author) commented:
Thus far all efforts have been remote (the customer is an hour away), but I was able to get onsite today and am attempting removal as I type. More to come, and thank you all for your posts!
 
michko commented:
Nice catch wrenhal.
 
wrenhal commented:
Thanks!  I see so many of these LOGS on a weekly basis in my own work they blur sometimes.  I work in a college town and these kids are CONSTANTLY getting infected. I'm surprised I saw that one thing.
 
bmilne1957 (Author) commented:
I used CCleaner and SmitfraudFix.exe, and it cleaned one OK in safe mode with restore points turned off; another was more difficult, and using the tools in Spybot I killed and/or removed the threats, though it took two or three tries to get them all. The second was infected with Vundo, Vundo generic, Smitfraud C and another I don't recall.

My money is still on Spybot.

Thank you all for your assistance! Now I need to figure out how to assign points!
 
orangutang commented:
Oh, sorry, michko.
 
michko commented:
bmilne1957 - Glad we could help.  It's not surprising to have to run some of the scans a few times to catch everything.

orangutang - no problem.

michko