Inactive How do I remove Zlob type trojan from XP computer and router?

Status
Not open for further replies.
J

jlk4ktm

Posts: 6   +0
How can I remove the malware "rkg.exe", "vpp.exe", etc (MBR root virus?) (zlob trojan?) from my XP-SP3 computer and router?
I am running Windows XP, SP3 (and IE8) with all updates current, through a 2wire Gateway router. I use Avast free anti-virus, Avast v 6.0.1.1367 updated to definitions v 120104-1.

SYMPTOMS:
After clicking a link on a wiki.com article about functions, several (fake) security warning windows popped up similar to Windows Defender warnings. BUT, Avast anti-virus will not run, executable programs will not run, cmd.exe window will not start, etc. IE8 reroutes all internet requests to malware sites, which will continue downloading malware unless I stop. The USB port is blocked by the virus (even with the rkg.exe process ended), so I cannot find it using explorer, load programs on it, or run programs from it. In Task Manager, a file unknown to me was running: "rkg.exe", which I killed, this closed the fake security windows.

PRELIMINARY INVESTIGATIONS:
The file C:\Documents and Settings\Owner\Local Settings\Application Data\rkg.exe is malware. In that directory, I also found vpp.exe, and 4 other strange executable files. The cmd prompt works only in safe mode, so I renamed them xxx-rkg.exe, etc.
Later I also found C:\Documents and Settings\Owner\My Documents\T5B7d14N.exe, and other randomly named files in that directory: 75724.exe, 53037Ro.exe, 11RP81TV.exe, T1TqAmgb.exe.
The file C:\Documents and Settings\Owner\My Documents\3CANh.exe is also suspicious.

Rebooting, F8 to "last known good configuration" will not work.

I was able to reboot in safe mode and run DDS.exe, the files are included. DDS.exe was already present on my computer, but would not run in normal mode.
The dds.txt ==File Associations== section shows the problem with executable files, .exe=Uiq, not the normal exefile. To obtain the dds.txt and attach.txt files, I had to remove the hard drive and connect it to a working computer via Kingwin's "EZ-CONNECT".

I cannot download MBAM or GMER. If I downloaded MBAM-setup.exe to a working computer, could I "install" it on the infected disk, then transfer the disk back to the infected computer and run it? GMER, I believe, can be done this way, but can MBAM?

I also already had OTL and autorunsc.exe loaded on my computer, and was able to run them in safe mode. The OTL and autorunsc output is available, and I found them useful. I can either paste or attach them if desired.

Per website instructions, I have not attempted any registry edits or used any registry repair programs, even though I am comfortable with regedit.exe. I have included attach.txt.

When I get the computer cleaned up, how do I clean up the 2wire 2701HB-G router?
Is powering it down and restarting sufficient?


DDS.TXT **********************************************************************
DDS.TXT **********************************************************************
.
DDS (Ver_2011-08-26.01) - FAT32x86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Owner at 17:35:03 on 2012-01-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.250 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\IrfanView\i_view32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9617A521-4884-4BC2-A15B-D7692C593190} : DhcpNameServer = 192.168.1.254
Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nlem32nt;NLEM32NT;c:\windows\system32\drivers\nlem32nt.sys [2009-10-16 69656]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-12 435032]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-15 314456]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-15 20568]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-15 44768]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-2-24 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-2-24 8456]
.
=============== File Associations ===============
.
.exe=Uiq
.
=============== Created Last 30 ================
.
2016-02-24 20:28:50 -------- d-----w- c:\program files\InCtrl5
2016-02-24 15:15:27 -------- d-----w- c:\documents and settings\owner\local settings\application data\Help
2016-02-22 19:40:27 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2016-02-22 19:40:20 -------- d-s---w- c:\windows\system32\Microsoft
2016-02-22 19:32:50 -------- d-----w- c:\windows\ServicePackFiles
2016-02-22 19:31:28 2897920 ------w- c:\windows\system32\xpsp2res.dll
2016-02-22 19:30:30 -------- d-----w- c:\windows\system32\ReinstallBackups
2016-02-22 19:30:11 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2016-02-22 19:28:18 -------- d-----w- c:\windows\EHome
2016-02-17 19:26:11 -------- d-sh--w- c:\documents and settings\owner\UserData
2016-02-17 01:27:20 -------- d-sh--w- C:\Recycled
2016-02-17 01:18:59 6144 ----a-w- c:\windows\system32\dllcache\kbd101a.dll
2016-02-17 01:16:43 40960 ----a-w- c:\windows\system32\dllcache\trialoc.dll
2016-02-17 01:16:43 40960 ----a-w- c:\program files\internet explorer\connection wizard\trialoc.dll
2016-02-17 01:16:42 73728 ----a-w- c:\windows\system32\dllcache\icwtutor.exe
2016-02-17 01:16:42 73728 ----a-w- c:\program files\internet explorer\connection wizard\icwtutor.exe
2016-02-17 01:16:42 61440 ----a-w- c:\windows\system32\dllcache\icwres.dll
2016-02-17 01:16:42 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwres.dll
2016-02-17 01:16:42 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwconn.dll
2016-02-17 01:16:42 49152 ----a-w- c:\program files\internet explorer\connection wizard\icwutil.dll
2016-02-17 01:16:42 24576 ----a-w- c:\program files\internet explorer\connection wizard\icwrmind.exe
2016-02-17 01:16:42 172032 ----a-w- c:\program files\internet explorer\connection wizard\icwhelp.dll
2016-02-17 01:01:17 24661 ----a-w- c:\windows\system32\spxcoins.dll
2016-02-17 01:01:17 24661 ----a-w- c:\windows\system32\dllcache\spxcoins.dll
2016-02-17 01:01:17 13312 ----a-w- c:\windows\system32\irclass.dll
2016-02-17 01:01:17 13312 ----a-w- c:\windows\system32\dllcache\irclass.dll
2016-02-17 00:50:29 -------- d-----w- c:\windows\system32\xircom
2016-02-17 00:50:29 -------- d-----w- c:\windows\system32\wbem\snmp
2016-02-17 00:50:03 100864 ----a-w- c:\windows\system32\migicons.exe
2016-02-17 00:47:51 45568 ----a-w- c:\windows\system32\safrslv.dll
2016-02-17 00:46:56 -------- d-----w- c:\windows\Registration
2016-02-17 00:45:59 73216 ----a-w- c:\windows\system32\dllcache\avwav.dll
2016-02-17 00:44:35 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2016-02-17 00:44:29 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2016-02-17 00:44:23 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2016-02-17 00:44:08 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2016-02-17 00:43:56 907456 ----a-w- c:\windows\system32\drivers\HCF_MSFT.sys
2016-02-17 00:43:52 731648 ----a-w- c:\windows\system32\drivers\nv4.sys
2016-02-17 00:43:52 1738496 ----a-w- c:\windows\system32\nv4.dll
2016-02-17 00:43:49 117760 ----a-w- c:\windows\system32\drivers\e100b325.sys
2016-02-17 00:43:37 96256 ----a-w- c:\windows\system32\drivers\ac97intc.sys
2016-02-17 00:43:37 4096 ----a-w- c:\windows\system32\ksuser.dll
2016-02-17 00:43:37 129536 ----a-w- c:\windows\system32\ksproxy.ax
2016-02-17 00:41:45 -------- d-----w- C:\Documents and Settings
2016-02-17 00:36:29 -------- d-----w- c:\windows\MDMUPGLG
2016-02-17 00:25:36 -------- d-s---w- c:\windows\Downloaded Program Files
2016-02-17 00:25:00 -------- d--h--w- c:\windows\PIF
2016-02-17 00:24:56 -------- d-----w- c:\windows\All Users
2012-01-06 18:59:04 -------- d-sh--w- C:\FOUND.000
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-vpp.exe
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-pxh.exe
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-akh.exe
2012-01-04 18:52:59 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-rkg.exe
2012-01-04 18:52:59 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-geh.exe
2012-01-04 17:48:10 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-gfd.exe
.
==================== Find3M ====================
.
2011-11-28 18:01:26 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:54 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:52 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:24:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22:42 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 17:35:42.15 ===============

end DDS.TXT **********************************************************************


ATTACH.TXT $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
ATTACH.TXT $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
.
DDS (Ver_2011-08-26.01) - FAT32x86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Owner at 17:35:03 on 2012-01-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.250 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\IrfanView\i_view32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9617A521-4884-4BC2-A15B-D7692C593190} : DhcpNameServer = 192.168.1.254
Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nlem32nt;NLEM32NT;c:\windows\system32\drivers\nlem32nt.sys [2009-10-16 69656]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-12 435032]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-15 314456]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-15 20568]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-15 44768]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-2-24 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-2-24 8456]
.
=============== File Associations ===============
.
.exe=Uiq
.
=============== Created Last 30 ================
.
2016-02-24 20:28:50 -------- d-----w- c:\program files\InCtrl5
2016-02-24 15:15:27 -------- d-----w- c:\documents and settings\owner\local settings\application data\Help
2016-02-22 19:40:27 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2016-02-22 19:40:20 -------- d-s---w- c:\windows\system32\Microsoft
2016-02-22 19:32:50 -------- d-----w- c:\windows\ServicePackFiles
2016-02-22 19:31:28 2897920 ------w- c:\windows\system32\xpsp2res.dll
2016-02-22 19:30:30 -------- d-----w- c:\windows\system32\ReinstallBackups
2016-02-22 19:30:11 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2016-02-22 19:28:18 -------- d-----w- c:\windows\EHome
2016-02-17 19:26:11 -------- d-sh--w- c:\documents and settings\owner\UserData
2016-02-17 01:27:20 -------- d-sh--w- C:\Recycled
2016-02-17 01:18:59 6144 ----a-w- c:\windows\system32\dllcache\kbd101a.dll
2016-02-17 01:16:43 40960 ----a-w- c:\windows\system32\dllcache\trialoc.dll
2016-02-17 01:16:43 40960 ----a-w- c:\program files\internet explorer\connection wizard\trialoc.dll
2016-02-17 01:16:42 73728 ----a-w- c:\windows\system32\dllcache\icwtutor.exe
2016-02-17 01:16:42 73728 ----a-w- c:\program files\internet explorer\connection wizard\icwtutor.exe
2016-02-17 01:16:42 61440 ----a-w- c:\windows\system32\dllcache\icwres.dll
2016-02-17 01:16:42 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwres.dll
2016-02-17 01:16:42 61440 ----a-w- c:\program files\internet explorer\connection wizard\icwconn.dll
2016-02-17 01:16:42 49152 ----a-w- c:\program files\internet explorer\connection wizard\icwutil.dll
2016-02-17 01:16:42 24576 ----a-w- c:\program files\internet explorer\connection wizard\icwrmind.exe
2016-02-17 01:16:42 172032 ----a-w- c:\program files\internet explorer\connection wizard\icwhelp.dll
2016-02-17 01:01:17 24661 ----a-w- c:\windows\system32\spxcoins.dll
2016-02-17 01:01:17 24661 ----a-w- c:\windows\system32\dllcache\spxcoins.dll
2016-02-17 01:01:17 13312 ----a-w- c:\windows\system32\irclass.dll
2016-02-17 01:01:17 13312 ----a-w- c:\windows\system32\dllcache\irclass.dll
2016-02-17 00:50:29 -------- d-----w- c:\windows\system32\xircom
2016-02-17 00:50:29 -------- d-----w- c:\windows\system32\wbem\snmp
2016-02-17 00:50:03 100864 ----a-w- c:\windows\system32\migicons.exe
2016-02-17 00:47:51 45568 ----a-w- c:\windows\system32\safrslv.dll
2016-02-17 00:46:56 -------- d-----w- c:\windows\Registration
2016-02-17 00:45:59 73216 ----a-w- c:\windows\system32\dllcache\avwav.dll
2016-02-17 00:44:35 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2016-02-17 00:44:29 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2016-02-17 00:44:23 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2016-02-17 00:44:08 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2016-02-17 00:43:56 907456 ----a-w- c:\windows\system32\drivers\HCF_MSFT.sys
2016-02-17 00:43:52 731648 ----a-w- c:\windows\system32\drivers\nv4.sys
2016-02-17 00:43:52 1738496 ----a-w- c:\windows\system32\nv4.dll
2016-02-17 00:43:49 117760 ----a-w- c:\windows\system32\drivers\e100b325.sys
2016-02-17 00:43:37 96256 ----a-w- c:\windows\system32\drivers\ac97intc.sys
2016-02-17 00:43:37 4096 ----a-w- c:\windows\system32\ksuser.dll
2016-02-17 00:43:37 129536 ----a-w- c:\windows\system32\ksproxy.ax
2016-02-17 00:41:45 -------- d-----w- C:\Documents and Settings
2016-02-17 00:36:29 -------- d-----w- c:\windows\MDMUPGLG
2016-02-17 00:25:36 -------- d-s---w- c:\windows\Downloaded Program Files
2016-02-17 00:25:00 -------- d--h--w- c:\windows\PIF
2016-02-17 00:24:56 -------- d-----w- c:\windows\All Users
2012-01-06 18:59:04 -------- d-sh--w- C:\FOUND.000
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-vpp.exe
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-pxh.exe
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-akh.exe
2012-01-04 18:52:59 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-rkg.exe
2012-01-04 18:52:59 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-geh.exe
2012-01-04 17:48:10 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-gfd.exe
.
==================== Find3M ====================
.
2011-11-28 18:01:26 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:54 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:52 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:24:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22:42 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 17:35:42.15 ===============

end ATTACH.TXT $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$





zlob-virus-summary-120106.txt
 
Lots of information here to digest! How about running Combofix and the Eset online virus scan:

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job this is normal.

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe
    cf-icon.jpg
    & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.[/b]
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
    • Note: No query will be made if the Recovery Console is already on the system.
  • .Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • .Close any open browsers.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
==================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives/
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===================================
At this point, I don't want logs for the other scans you ran. I would like you t be sure none of those scans are actively running. Is there some reason why you put 3 lines of 50 question marks after the word Attach.txt? YES I want the Attach.txt log. Not zipped, pasted in. And is there a reason you ran another line of symbols after the DDS.txt log when it clearly states "Finished." Please don't add extras to logs!
-------------------------------
Our preliminary instructions are:
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
-----------------------------------
Beyond this, I review the logs and determine what scans need to be run.Right now, your system is a mess and the time is wrong- it off by 4 years: Day and date are both wrong. That will affect any incoming updates or any feature that is time-dependent.
=============== Created Last 30 ================
.
2016-02-24 20:28:50 -------- d-----w- c:\program files\InCtrl5
2016-02-24 15:15:27 -------- d-----w- c:\documents and settings\owner\local settings\application data\Help
2016-02-22 19:40:27 -------- d-----w- c:\windows\system32\wbem\AutoRecover

Right click on the clock? Click on Adjust date/time.
=================================
Tell me about this: DDS (Ver_2011-08-26.01) - FAT32x86 MINIMAL FAT32x86 with Windows XP Pro? Minimal?
===============================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
 
With zlob redirecting internet traffic, how do I run ComboFix?

Bobbye: Thanks for responding.
1. I don't know what the dds.txt line "DDS (Ver_2011-08-26.01) - FAT32x86 MINIMAL" means. I have only 395 mb RAM on my system, perhaps that is what it means. Or, could refer to the fact I have stripped many services and programs out of XP that I don't use; this is to speed up response. Or, could refer to the fact XP boot partition is only 8GB, with other multiple partitions on same physical disk.
2. When I installed XP many years ago, the date was inadvertantly set wrong to 2016. I corrected it shortly afterward. It has not caused any problems until now. All files I have seen with the date 2016/02/xx are legitimate Windows files.
3. The extra lines were simply an aid to the eye to show when the files started and ended. Sorry for the confusion.
4. I cannot get on the internet without the trojan continuing to download junk, and filling the screen. Router is probably infected. USB port appears blocked, it is not recognized in explorer or cmd window, even in safe mode. To get the previous data to you, I removed the disk and used Kilwin's "EZ_CONNECT" to connect with another computer (6 miles away). Bummer when the USB port does not work.
5. How do I download ComboFix installer when IE8 and probably router is infected and, all internet traffic is rerouted to malware sites? For programs that are actually downloaded ) I can eventually run them by:
downloading program-x to good computer, transfer to infected disk, take my disk home (6 miles away), re-install infected disk into my computer, boot into safe mode, run program-x, and then run it. Then remove my disk again, drive 6 miles to the good computer, reconnect to other computer, and post resultant data.
ComboFix, however, just downloads an installer, which in turn requires a working internet connection to downlods the actual program.
With this in mind, how do I run ComboFix?
6. It seems to me the key is to associate .exe correctly, to allow executable programs (which are physically present on the disk) to run. Hopefully I can do this in safe mode. I feel comfortable using regedit.exe if required, please advise, will not act without advice.
 
zlob? type trojan still present, MBAM gives "Run time error '13': Type mismatch".

Infected computer sometimes boots almost normally, sometimes boots with blank screen and considerable disk activity for over 30 min. Power off and next time will boot almost normally. Recall I had killed the "strange" file rkg.exe with task manager, then renamed. It has not reloaded or restarted. Ethernet cable from computer to router disconnected to avoid incoming virus. Windows XP security, Avast antivirus and other taskbar icons not visible. When rkg.exe is not running, can run some *.exe programs normally.

Installed MBAM on another computer, copied files to infected computer. Finally could run mbam.exe.
MBAM program starts, clock counts, but error window: "Run time error '13': Type mismatch". Finally manually halted after "run" overnight over 11hrs. 0 Objects scanned, 0 Objects detected.

Still have not altered registry or scanned or installed any programs other than mbam.exe; waiting for instructions.
 
I doubt we are going to be able to 'fix' this system:

1. You don't even have enough RAM to run the OS. 395 mb RAM on my system. Win XP Home need a minimum of 512 mb just to run!
2. You have:>>>"stripped many Services and programs out"
3. Initial install date was wrong and system has now gone back to that
4. You think the "Router is probably infected."
5. You say the "USB port doesn't work"
6. This error in not from Mbam. It is usually related to Excel-"Run time error '13': Type mismatch" It is most likely being cause by some problem in the system.
7. Consider reformatting or converting partitions so all partitions use NTFS. This is the most common file system used on Win XP Home.
See http://technet.microsoft.com/en-us/library/cc783213(WS.10).aspx
8. It appears that these, one of which you removed are the main problem: "When rkg.exe is not running, can run some *.exe programs normally." However I don't know what the 3 xxx are for or from:
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-vpp.exe
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-pxh.exe
2012-01-04 18:53:00 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-akh.exe
2012-01-04 18:52:59 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-rkg.exe
2012-01-04 18:52:59 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-geh.exe
2012-01-04 17:48:10 275456 ----a-w- c:\documents and settings\owner\local settings\application data\xxx-gfd.exe
Click to expand...
which appear to be cloaked malware
may have caused or contributed to 2012-01-06 18:59:04 -------- d-sh--w- C:\FOUND.000
This folder can be created by numerous types of programs including some types of viruses or malware that may be infecting your computer.

And the first subsequent entry 2016-02-17 00:24:56 -------- d-----w- c:\windows\All Users caused the clock to reset back to the original 2016-02-17 date.

If the removal of one of these processes let's you run executable files, it is most likely that the infection is being restarted each time you click on .exe.
=====================================
This system is not fixable. Perhaps it is an older system you're trying to work on, but with the deficiencies it has now, I cannot help you.

Suggest you reformat/reinstall. Use NTFS files system. triple the RAM. Then maybe it can run.
Check out NTFS vs FAT32
 
ComboFix ran and fixed problem on system with router disconnected

Bobbye,
I think you are focusing on the wrong thing. The files with the 2016 dates are not the problem.
I placed the xxx- if front of the rkg.exe, etc when I renamed them.
ComboFix has fixed most (if not all) of the problems. Computer runs OK now, as far as I can test without the internet.
The router can be reset, I have the procedure, just have not had time to do it yet.

mbam installed on good Vista system, then files copied to USB drive and copied to C:\Program Files\Malwarebytes_Anti-Malware\\Malwarebytes-Anti-Malware\*.
mbam.exe program starts, clock counts, but error window appears: "Run time error '13': Type mismatch". Finally halted after "run" overnight to 11hrs, no log produced.

ComboFix.exe copied from good system to USB drive to infected computer desktop. Cable to router was disconnected. ComboFix.exe was renamed to ComboFix-111201.exe. When the latter was run, a cmd.window opened, extracted files, then error window appeared: "CFScript Name Error ... incorrectly spelt" When I clicked OK the window disappeared and all activity ceased. [Because I ran ComboFix-120111.exe, and apparently it was looking for just plain ComboFix].

When correctly named ComboFix.exe ran OK but I clicked "No" to the Windows Recovery Console Window. It produced the log pasted below. The files dated 2016/02/xx are valid XP files from an install with an incorrect 2016 date. Removing them makes it much easier to read the "useful" log, but I left them in case you use automated methods to read the files.

Still need to plug in the router and test.


ComboFix 12-01-10.02 - Owner 01/11/2012 17:50:11.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.383.189 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\xxx-akh.exe
c:\documents and settings\Owner\Local Settings\Application Data\xxx-geh.exe
c:\documents and settings\Owner\Local Settings\Application Data\xxx-gfd.exe
c:\documents and settings\Owner\Local Settings\Application Data\xxx-pxh.exe
c:\documents and settings\Owner\Local Settings\Application Data\xxx-rkg.exe
c:\documents and settings\Owner\Local Settings\Application Data\xxx-vpp.exe
c:\documents and settings\Owner\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-12-11 to 2012-01-11 )))))))))))))))))))))))))))))))
.
.
2016-02-24 20:28 . 2016-02-24 20:28 -------- d-----w- c:\program files\InCtrl5
2016-02-22 19:40 . 2016-02-22 19:40 -------- d-s---w- c:\windows\system32\Microsoft
2016-02-22 19:32 . 2016-02-22 19:32 -------- d-----w- c:\windows\ServicePackFiles
2016-02-22 19:31 . 2008-04-13 17:39 2897920 ------w- c:\windows\system32\xpsp2res.dll
2016-02-22 19:30 . 2009-01-07 23:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2016-02-22 19:28 . 2016-02-22 19:28 -------- d-----w- c:\windows\EHome
2016-02-17 01:23 . 2016-02-17 01:23 -------- d-sh--w- c:\windows\Installer
2016-02-17 01:18 . 2008-04-14 00:11 618605 ----a-w- c:\program files\Common Files\Microsoft Shared\web server extensions\40\bin\fp4autl.dll
2016-02-17 01:16 . 2001-08-23 12:00 40960 ----a-w- c:\program files\Internet Explorer\Connection Wizard\trialoc.dll
2016-02-17 01:16 . 2008-04-14 00:12 24576 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwrmind.exe
2016-02-17 01:16 . 2008-04-14 00:11 61440 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn.dll
2016-02-17 01:16 . 2008-04-14 00:11 49152 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwutil.dll
2016-02-17 01:16 . 2008-04-14 00:11 172032 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwhelp.dll
2016-02-17 01:16 . 2001-08-23 12:00 73728 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwtutor.exe
2016-02-17 01:16 . 2001-08-23 12:00 61440 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwres.dll
2016-02-17 01:01 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2016-02-17 01:01 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2016-02-17 00:50 . 2016-02-17 00:50 -------- d-----w- c:\windows\system32\xircom
2016-02-17 00:50 . 2016-02-17 00:50 -------- d-----w- c:\program files\microsoft frontpage
2016-02-17 00:50 . 2016-02-17 00:50 100864 ----a-w- c:\windows\system32\migicons.exe
2016-02-17 00:48 . 2016-02-17 00:48 -------- d-----w- c:\windows\srchasst
2016-02-17 00:48 . 2011-04-30 04:01 758784 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\vgx.dll
2016-02-17 00:48 . 2016-02-17 00:48 -------- d-----w- c:\windows\system32\Macromed
2016-02-17 00:48 . 2008-04-14 00:12 409088 ----a-w- c:\windows\system32\qmgr.dll
2016-02-17 00:48 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\qmgrprxy.dll
2016-02-17 00:45 . 2001-08-23 12:00 35328 ----a-w- c:\windows\system32\winchat.exe
2016-02-17 00:44 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2016-02-17 00:44 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2016-02-17 00:44 . 2001-08-17 18:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2016-02-17 00:44 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2016-02-17 00:43 . 2001-08-17 18:28 907456 ----a-w- c:\windows\system32\drivers\HCF_MSFT.sys
2016-02-17 00:43 . 2001-08-17 19:56 1738496 ----a-w- c:\windows\system32\nv4.dll
2016-02-17 00:43 . 2001-08-17 17:50 731648 ----a-w- c:\windows\system32\drivers\nv4.sys
2016-02-17 00:43 . 2001-08-17 17:12 117760 ----a-w- c:\windows\system32\drivers\e100b325.sys
2016-02-17 00:43 . 2008-04-14 00:12 129536 ----a-w- c:\windows\system32\ksproxy.ax
2016-02-17 00:43 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2016-02-17 00:43 . 2001-08-17 17:20 96256 ----a-w- c:\windows\system32\drivers\ac97intc.sys
2016-02-17 00:41 . 2016-02-17 00:41 -------- d-----w- C:\Documents and Settings
2016-02-17 00:36 . 2016-02-17 00:36 -------- d-----w- c:\windows\MDMUPGLG
2016-02-17 00:25 . 2016-02-17 00:25 -------- d-s---w- c:\windows\Downloaded Program Files
2016-02-17 00:25 . 2016-02-17 00:25 -------- d--h--w- c:\windows\PIF
2016-02-17 00:24 . 2016-02-17 00:24 -------- d-----w- c:\windows\All Users
2012-01-11 02:17 . 2012-01-11 14:07 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-01-11 02:13 . 2012-01-11 02:13 -------- d-----w- c:\program files\Malwarebytes_Anti-Malware
2012-01-06 18:59 . 2012-01-06 18:59 -------- d-----w- C:\FOUND.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 18:01 . 2010-07-06 20:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 18:01 . 2010-03-15 11:47 199816 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-28 17:53 . 2011-03-13 02:11 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-11-28 17:53 . 2010-03-15 11:47 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-11-28 17:52 . 2010-03-15 11:47 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-11-28 17:52 . 2010-03-15 11:47 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-11-28 17:52 . 2010-03-15 11:47 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-11-28 17:52 . 2010-03-15 11:47 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-11-28 17:51 . 2010-03-15 11:47 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-11-28 17:48 . 2010-03-15 11:47 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-11-23 13:25 . 2001-08-23 17:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2001-08-23 17:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2001-08-23 17:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2001-08-23 17:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-01 16:07 . 2001-08-23 17:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2001-08-23 17:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2001-08-23 17:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2001-08-17 18:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-03-01 48128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\JLK\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
c:\documents and settings\Connie\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
2008-04-14 00:11 625664 ----a-w- c:\windows\SYSTEM32\catsrvut.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\System32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 nlem32nt;NLEM32NT;c:\windows\SYSTEM32\DRIVERS\nlem32nt.sys [10/16/2009 2:32 PM 69656]
R1 aswSnx;aswSnx;c:\windows\SYSTEM32\DRIVERS\aswSnx.sys [3/12/2011 9:11 PM 435032]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [3/15/2010 6:47 AM 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [3/15/2010 6:47 AM 20568]
S3 epmntdrv;epmntdrv;c:\windows\SYSTEM32\epmntdrv.sys [2/24/2010 7:40 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\SYSTEM32\EuGdiDrv.sys [2/24/2010 7:40 PM 8456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [1/10/2012 9:17 PM 40776]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2016-02-17 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\System32\OOBE\oobebaln.exe [2016-02-17 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-11 18:03
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1202660629-1292428093-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(376)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\brss01a.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Alwil Software\Avast5\setup\avast.setup
.
**************************************************************************
.
Completion time: 2012-01-11 18:07:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-11 23:07
.
Pre-Run: 293,658,624 bytes free
Post-Run: 394,600,448 bytes free
.
- - End Of File - - 14F1F22143B650FE1654C3ACBECA23F3
 
You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.-

  • [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4].Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5].With the router unplugged, start your computer. Run MBAM again.
    [6].Connect to the router again. The turn the router back on.
    [7].When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
================================
Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
This tool will is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
====================================
All of the files being scanned now are dated 2016. Yes, it is a problem
 
The zlob trojan-virus seems partially/mostly removed on my XP(SP3) system.

The zlob trojan-virus seems partially/mostly removed.

The good new is I can boot and use the XP computer, use the internet, and the router appears not to be infected. The bad new is that ComboFix seemed to remove most personalizations and customizations.

Also, my Vista laptop may have been infected when it was booted up on my local wireless network while the XP computer was infected. I shall post that as a separate problem if I cannot fix it.

Key to the solution was the following:
1. Noticing the fake security window settings and closing IE swiftly.

2. Noticing an "unusual" program in Task Manager, "rgk.exe" in th-s case, but that was probably just a random name.

3. Search for "rgk.exe" on C: drive, and noticing other 3 digit randomly named *.exe files in C:\Documents and Settings\Owner\Local Settings\Application Data\. Also noticed 6 to 8 digit randomly named files is C:\Documents and Settings\Owner\My Documents\

4. Ran OTL.exe (already present on my comoputer) before posting the problem on Techspot. This showed the .exe files were associated with "Uig", rather than the normal "exefile". This explains why the most executable programs would not run, all were screened by the virus/trojan, and only the only a few ones were allowed to run. The plug-and-play program/dll (umpnpmgr.dll? upnp.dll?) was also blocked, so could not use USB port.

5. I was able to rename the suspicious files to xxx-rgk.exe, etc. This prevented the virus/trojan from starting next boot in safe mode, and was key to item 8.

6. This allowed me to boot in safe mode and explore more. I could have manually changed the .exe association, but I did not.

It was at this time that I posted to Techspot.

7. You suggested MBAM.exe and ComboFix.exe. To get them, I had to remove my disk, use "EZ-CONNECT" to connect to a good computer via USB port, then download. I then moved the infected disk back to the original computer. MBAM was an installer, which required an active internet to use, so I did not use it.

8. Boot in safe mode and run ComboFix. This cleaned up most of the problems.

Conclusions thus far:

A. It appears ComboFix removes most personalizations and customizations, and program initializations. There are still occasional problems cropping up, which I have so far fixed with the control panel. No registry edits have been performed.

B. The dirs\files with dates of 2016 are all due to an incorrect date when installed about 6 years ago. XP ran fine for those many years without a problem, and updates OK (currently SP3). While undesirable, this does not appear to be a show stopper.

C. Avast anti-virus now works as a shortcut on the desktop, and actively scans and receives updates, but it is still absent from the taskbar. That is the remaining problem, which may be solved by an uninstall and reinstall. I shall try that next, along with your latest suggestion.
 
CORRECTION: The zlob trojan-virus seems partially/mostly removed.

CORRECTION ********************************************************************
ITEM 4 WAS ACTUALLY PERFORMED AFTER ITEMS 5, 6.

" 4. Ran OTL.exe (already present on my computer) before posting the problem on Techspot. This showed the .exe files were associated with "Uig", rather than the normal "exefile". This explains why most executable programs would not run, all were screened by the virus/trojan, and only the only a few ones were allowed to run. The plug-and-play program/dll (umpnpmgr.dll? upnp.dll?) was also blocked, so could not use USB port. "

ITEM 4 WAS ACTUALLY PERFORMED AFTER ITEMS 5, 6.

Renaming the files was key to a safe boot.
I was able to rename OTL.exe to otl-111118.exe and run it
.
 
Status
Not open for further replies.

Similar threads

E
Solved Svchost.exe launching multiple iexplore.exe - unknown cause
Replies
23
Views
3K
Broni
Broni
NonTechyDad
Solved Malware removal for my son's pc
2
Replies
33
Views
5K
Broni
Broni
R
Solved Data Hijacking, Help Please
2
Replies
37
Views
5K
Broni
Broni

Latest posts

Back