bombarded by trojans

Over the last 3 or 4 days I am being bombarded by two trojans - Win32:Zlob-BN [Trj] and Win32:Trojan-CL [Trj]. I don’t think they are getting into my system because Avast detects them. This is happening about every 10 minutes and is driving me mad. They always appear at the same time. Has anyone else experienced this?

cheers

Hi alanaccess,

What message are you getting exactly? Do you get the ‘Abort Connection’ button?

Is this happening even when you are at an innocent site?

Do you have any symptoms such as notifications or desktop messages suggesting you have spyware?

Have you tried a boot time scan with avast!?

Have you tried running the anti-Trojan program Ewido?

http://www.ewido.net/en/

Which firewall do you use?
Did you try the boot time scanning of avast?

If it is a regular attempt, then you may have a trojan on your system.
A firewall should also be able to prevent unauthorised internet connections (XP’s firewall doesn’t provide this outbound protection).

Check your avast log viewer in the Warning section and let us know the information in the Description field, which will give us the location and infected file name, etc.

So, as Frank says, have you tried ewido, as that specialises in trojan detection and removal?

Hi, forgive me if I’m in the wrong area, and if I don’t give you all the needed info.

I am getting the “bombarded by trojans” like alanaccess is.
Mine started Friday night 5-12-06 about 10 PM ish central ~ I was blaming my son for playing a DVD on 4x4’s he received in the mail, and shortly after he started to play this DVD AVAST went off ~ ???

AVAST warning went off saying a virus was detected:

ldE5F2.tmp C:\WINDOWS\system32\1024
size of file - 21784
last modified time - 5-13-2006 - 3:40:22 am
time of transfer - 5-12-2006 - 10:40:43 pm
Infected files
win32:Zlob-BN [Trj]
file ID 437

options given were to move/rename, Delete, move to chest or do nothing. I chose to delete it. ( The “delete on next boot up” is checked )

ld8ED4.tmp C:\WINDOWS\system32\1024
size of file 49696
last modified time 5-13-2006 - 4:31:20 am
time of transfer 5 - 12 - 2006 - 11:31:20 pm
Infected files
Win32:Trojan-CL [Trj]
file ID 443

options given were to move/rename, Delete, move to chest or do nothing. I chose to delete it. ( The “delete on next boot up” is checked )

I then did a scan with Avast and it came back with 0 infections. I then ran Ad-Aware and it came back with a Trojan. I deleted it, so I thought. WRONG, it won’t go away!
I have 14 such files…

While typing this out another warning went off:

C:\WINDOWS\system32\1024\ld5C0C.tmp[Upack]
Win32:Zlob-BN [Trj]
Trojan Horse
0620-0, 05/15/2006

Here are 3 more;

Original file name: atmclk.exe
Original folder: C:\WINDOWS\system32\1024
File size: 10176
Last modified: 5-13-2006 - 3:40:22 am
Time of Transfer: 5-12-2006 - 10:40:51 pm
Category: Infected Files
Virus: Win32:Zlob-BN [Trj]
File ID: 438

Original file name: appmagr.dll
Original folder: C:\WINDOWS\system32\1024
File size: 176128
Last modified: 5-13-2006 - 4:46:06 pm
Time of Transfer: 5-13-2006 - 12:19:56 pm
Category: Infected Files
Virus: Win32:Trojan-CL [Trj]
File ID: 447

Original file name: atmclk.exe
Original folder: C:\WINDOWS\system32\1024
File size: 9948
Last modified: 5-14-2006 - 6:33:04 pm
Time of Transfer: 5-14 - 2006 - 6:33:02 pm
Category: Infected Files
Virus: Win32:Zlob-BN [Trj]
Can be restored? NO (this is the only one that has this)
File ID: 450

How can I get rid of this/these?? ???
If I have to go into safe mode - “HOW?” I’m not real good without step by step instructions…
Can I run ZoneAlarm with Avast? ( I don’t have Zone Alarm yet)

I have Windows Fire Wall only :-\ :o NOT good after reading here on the forum!
I’m running Avast, Ad-Aware and Zero Spyware

Please Help! THANK YOU!!!

For the future, Delete is never the best first option; you are then out of options. First do no harm: move to chest and then investigate. I assume that you have done another scan, preferably scheduling a boot-time scan from within avast.

Because the files you deleted were in the system folders, Windows System Restore will copy them to a restore point; should you ever use System Restore in the future you could inadvertently restore the infected files. So you should disable System Restore and reboot; this will clear ALL restore points, infected or otherwise - How to disable System Restore

It would be best if you followed the same advice given previously and also download, update and run ewido, preferably in safe mode: keep tapping the F8 key whilst booting, this will bring up the boot options, then choose Safe Mode.

Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

It’s the SmitFraud trojan; currently no scanner can remove it.

to get rid of it you need a special tool:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press “Enter”; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc…processutil.htm

Do you have any symptoms such as notifications or desktop messages suggesting you have spyware?

Funny nobody mentioned any symptoms. ???

Do you have any symptoms such as notifications or desktop messages suggesting you have spyware?

May 12th
There were NO symptoms at all. The scanner went off saying a virus has been detected. I tried to “move” to chest but it kept coming back, that is when I did the Delete. (I’ll know better next time. Thank You).

May 13th, still no symptoms. May 14th, I had 2 NEW icons (shortcuts) on my desktop along with a NEW toolbar. It had the shield like Windows Security. There were three buttons on this toolbar - Security Scan, Spyware Scan and Spam (I think); this was also in my Add/Remove as “Security Toolbar”.
Scanner going off every five min. or so. I then had an icon by my clock - a red bug ? and a popup saying I was infected.
This turned out to be SpyFalcon.

After I posted last night, I went and downloaded Spyware Doctor which came back with over 1000,00 viruses. It would not clean due to no subscription. I had used this program before so I bought the 1 yr subscription. It did some cleaning, but not all, so I ran it again. AVAST still going off but not as often.

I shut PC down this am before I went to work, due to weather. Well DUH! (dummy me!) I did not reboot last night after I ran the scan…As scheduled, SpyDoctor ran this am and came back with only 40 infections and cleaned them all, AVAST scanner has been quiet all day! Ran AVAST tonight and 0 infections, (although it came back before with 0 ).

I tried the “SmitFraud Fix” and got a box asking if I was sure I wanted to open it. “yes”. After opening, It said: “Fichier Process.exe absent! Dezipper la totalite de l’archive dans un dossier. Process.exe file missing! Unzip all the archive in a folder. Press any key to continue” I did and it closed! So I left this alone as I have no idea what I’m doing… :-\

So far, things seem to be back to NORMAL! No more Avast scanner warnings! My AdAware came back with only 4 “trackers”

win32:Zlob-BN and win32:Trojan-CL seem to be part of SpyFalcon. = Rogue Anti-Spyware Products, Trojan.Popuper, Windows ControlAd, Specific911 Hijack, MediaGateway, WinFixer…NASTY little buggers!

Thanks for all your help!!!

I have had the same problems - got rid of everything but the last trojan that will not stay gone. There does not seem to be any sign of infection with this last one other than avast going off every 30 minutes or so.

Here is the file from SmitfraudFix:

SmitFraudFix v2.46

Scan done at 18:59:03.16, Tue 05/23/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\owner\FAVORI~1

C:\DOCUME~1\owner\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Security Toolbar\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

I am now going to try and remove it - will update with what occurred.

Mine has been clean since I downloaded Spyware Doctor. Avast is running normal. NO more alerts going off!

Sorry the name of the bug for me is Win32:Zlob-BN[Trj]

Ok, so I ran the program and rebooted per its instructions. This is the log after the reboot:

SmitFraudFix v2.46

Scan done at 19:21:52.08, Tue 05/23/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dcomcfg.exe Deleted
Problem while deleting C:\WINDOWS\system32\ld???.tmp
C:\WINDOWS\system32\ot.ico Deleted
Problem while deleting C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\system32\simpole.tlb Deleted
Problem while deleting C:\WINDOWS\system32\stdole3.tlb
C:\WINDOWS\system32\ts.ico Deleted
Problem while deleting C:\WINDOWS\system32\1024
C:\DOCUME~1\owner\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\Security Toolbar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\sbnudh.dll → Missing File

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

I ran the program again and got this log:

SmitFraudFix v2.46

Scan done at 19:27:07.25, Tue 05/23/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Cleaned it again.

Log:

SmitFraudFix v2.46

Scan done at 19:37:41.07, Tue 05/23/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\sbnudh.dll → Missing File

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End

Hi Dryga (and others):

SmitfraudFix logs should be "interpreted" by experts on antiSPYWARE forums; there is a possible 4-step "process" through which they are trained to guide those seeking help. Therefore, I recommend you go to the forums of your antiSPYWARE provider; if you know of none, I recommend www.landzdown.com .

Have you tried selecting option 4 when running SmitFraudFix in safe mode?

1. Search
2. Clean (safe mode recommended)
3. Delete Trusted zone
4. Generic Renos Fix (safe mode recommended)
L. French language
Q. Quit

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

If this fails to work, you probably have a new variant of the malware (new variants are emerging very rapidly with this one) and you will need to submit your log to a forum as Spiritsongs suggests; they will direct you to another forum where you can upload the file causing the problem for analysis. SmitFraudFix will then be updated to fix your problem.
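As an added example (not part of this thread and not S!Ri's tool), here is a small Python parser for the report format pasted above: it pulls out the FOUND, Deleted and "Problem while deleting" lines plus the SharedTaskScheduler InProcServer32 DLL, so a Clean run and a later Search run can be compared instead of read by eye. The sample reports are constructed, shortened versions of that format, not the posters' own logs.

```python
import re
from dataclasses import dataclass, field

# Line shapes seen in the pasted reports (quotes may arrive curly from a forum paste).
FOUND = re.compile(r"^(?P<path>.+?)\s+FOUND !$")
DELETED = re.compile(r"^(?P<path>.+?)\s+Deleted$")
FAILED = re.compile(r"^Problem while deleting (?P<path>.+)$")
MISSING = re.compile(r"^(?P<path>.+?)\s+(?:→|->)\s+Missing File$")
INPROC = re.compile(r'^@="(?P<dll>[^"]+)"$')          # InProcServer32 default value

@dataclass
class Report:
    found: list = field(default_factory=list)      # flagged by a Search run
    deleted: list = field(default_factory=list)    # removed by a Clean run
    failed: list = field(default_factory=list)     # "Problem while deleting" in a Clean run
    missing: list = field(default_factory=list)    # GenericRenosFix: key points at an absent DLL
    task_dlls: list = field(default_factory=list)  # SharedTaskScheduler InProcServer32 targets

def _norm(path: str) -> str:
    # "1024\" in a Search run and "1024" in a Clean run are the same folder.
    return path.rstrip("\\")

def parse_report(text: str) -> Report:
    """Collect findings from one pasted SmitFraudFix report."""
    rep = Report()
    buckets = ((FOUND, rep.found), (DELETED, rep.deleted),
               (FAILED, rep.failed), (MISSING, rep.missing))
    for raw in text.splitlines():
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        for pattern, bucket in buckets:
            m = pattern.match(line)
            if m:
                bucket.append(_norm(m.group("path")))
                break
        else:
            m = INPROC.match(line)
            if m and m.group("dll") not in rep.task_dlls:
                rep.task_dlls.append(m.group("dll"))
    return rep

def leftovers(clean: Report, rescan: Report) -> list:
    """Paths a Clean run failed to delete that a later Search run still reports."""
    return sorted(p for p in rescan.found if p in clean.failed)

# Constructed sample reports in the format quoted above (shortened, not the thread's logs).
SEARCH_LOG = r"""C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\1024\ FOUND !
[HKEY_CLASSES_ROOT\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\WINDOWS\system32\sbnudh.dll"
"""
CLEAN_LOG = r"""C:\WINDOWS\system32\dcomcfg.exe Deleted
Problem while deleting C:\WINDOWS\system32\ld???.tmp
Problem while deleting C:\WINDOWS\system32\regperf.exe
Problem while deleting C:\WINDOWS\system32\1024
C:\WINDOWS\system32\sbnudh.dll → Missing File
"""
RESCAN_LOG = "C:\\WINDOWS\\system32\\regperf.exe FOUND !\nC:\\WINDOWS\\system32\\1024\\ FOUND !\n"
```

`leftovers(parse_report(CLEAN_LOG), parse_report(RESCAN_LOG))` lists exactly the items that survived the first clean, the cue in this thread to run the tool again from safe mode or to suspect a new variant.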

Hi alanaccess,

Here is the technical info on the trojan dropper that was installed on your machine. Read:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.h.html

polonus

NB: Generic Renos Fix is no longer an option; the removal process has been integrated into option 2 (clean).

Hello.

I have serious problems with a trojan & some spyware.
Here’s the report from Smitfraudfix:
SmitFraudFix v2.56

Scan done at 9:45:52.15, 08/06/2006
Run from C:\Documents and Settings\Vladimir Hristov\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Vladimir Hristov\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\VLADIM~1\FAVORI~1

C:\DOCUME~1\VLADIM~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Please tell me how to get rid of this.

Thanks.

Have you seen the options in Frank’s post above? If you have simply run a scan (search), all you get is the information; you would need to choose one of the removal/clean options when you run it.

1. Search
2. Clean (safe mode recommended)
3. Delete Trusted zone