Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....

…mean I have a virus? Or is it just a warning? ???

Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (see About dialog of avast!)

Probably you were infected. Hopefully avast caught the virus…

I have Avast! 4.7 home edition and VPS file version 071230-0

Here is what the Avast log showed…

9/27/2007 3:14:05 PM SYSTEM 1260 Sign of “Win32:Renos-AF [trj]” has been found in “http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe” file.
9/27/2007 3:14:28 PM SYSTEM 1260 Sign of “Win32:Renos-AF [trj]” has been found in “http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe” file.
9/27/2007 3:14:49 PM SYSTEM 1260 Sign of “Win32:Renos-AF [trj]” has been found in “http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe” file.
9/27/2007 3:15:33 PM SYSTEM 1260 Sign of “Win32:Renos-AF [trj]” has been found in “http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe” file.
9/27/2007 3:15:56 PM SYSTEM 1260 Sign of “Win32:Renos-AF [trj]” has been found in “http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe” file.
9/29/2007 12:33:09 PM SYSTEM 1296 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://software-files.download.com/sd/LR0W3kr5xIo-uoVQnzUYPedw-p8qwoEF5yqUvxHhxpYuxaFRbf5h_xEbRvQIZgtpDryRQpLJCjVFibfwmJk0mJ3m4cqSVMUM/software/10735760/10429299/3/tvc.exe?ptype=3001&ontid=20&siteId=4&edId=3&pid=10735760&psid=10429299 (C:\WINDOWS\TEMP_avast4_\unp48721646.tmp) returning error, 00000084.
10/4/2007 9:33:50 PM SYSTEM 1280 Sign of “Win32:Adware-gen. [Adw]” has been found in “http://ak.exe.imgfarm.com/images/nocache/funwebproducts/2.2.60.11/WebfettiSetup2.2.60.11-2.exe\mwsSetup.CommonCodebase.exe” file.
10/5/2007 10:06:45 AM SYSTEM 1280 Sign of “Win32:Delf-RT [trj]” has been found in “http://download.avicodecpack.com/AVICodecPackPlus2.exe\$SYSDIR\pxwma.dll” file.
12/3/2007 6:14:12 PM SYSTEM 1300 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/3/2007 6:14:13 PM SYSTEM 1300 An error has occured while attempting to update. Please check the logs.
12/3/2007 6:24:37 PM SYSTEM 1216 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/3/2007 6:26:06 PM SYSTEM 1296 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/3/2007 6:26:07 PM SYSTEM 1296 An error has occured while attempting to update. Please check the logs.
12/3/2007 6:28:51 PM SYSTEM 1220 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/3/2007 6:28:52 PM SYSTEM 1220 An error has occured while attempting to update. Please check the logs.
12/3/2007 8:58:49 PM SYSTEM 1196 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/3/2007 8:58:50 PM SYSTEM 1196 An error has occured while attempting to update. Please check the logs.
12/3/2007 9:03:55 PM SYSTEM 1300 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/3/2007 9:04:02 PM SYSTEM 1300 An error has occured while attempting to update. Please check the logs.
12/3/2007 9:14:01 PM SYSTEM 1248 Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/3/2007 9:14:04 PM SYSTEM 1248 An error has occured while attempting to update. Please check the logs.
12/18/2007 11:26:56 AM Billy & Phoebe 1284 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\InstallShield Installation Information{747C231B-062D-4586-8221-8E7870987D5B}\setup.ilg (C:\Program Files\InstallShield Installation Information{747C231B-062D-4586-8221-8E7870987D5B}\setup.ilg) returning error, 00000005.
12/21/2007 6:36:53 PM SYSTEM 1300 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/21/2007 6:36:53 PM SYSTEM 1300 An error has occured while attempting to update. Please check the logs.
12/25/2007 10:58:35 AM SYSTEM 1188 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/25/2007 10:58:37 AM SYSTEM 1188 An error has occured while attempting to update. Please check the logs.
12/30/2007 1:21:22 PM SYSTEM 1128 Sign of “Win32:Zlob-AHS [trj]” has been found in “http://avsmanufacture.com/download.php?id=4170\$INSTDIR\$PLUGINSDIR\barf.dll” file.

You’re visiting a site that is infected.
Clean your temporary files and don’t go to that site.
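A small parser, added here as an illustration and not part of the thread or of avast!, for the avast! 4 log format quoted above. It separates Web Shield hits on URLs (objects still in transit, nothing written to disk) from hits on local files, which is the distinction Tech's diagnosis turns on. The sample lines are copied from the log above, plus one constructed local-file hit to exercise that branch.

```python
import re
from collections import Counter

# Sample log: lines copied from the avast! 4 log quoted in the thread, plus one
# CONSTRUCTED local-file hit (the last "Sign of" line) to exercise that branch.
SAMPLE_LOG = r"""
9/27/2007 3:14:05 PM SYSTEM 1260 Sign of “Win32:Renos-AF [trj]” has been found in “http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe” file.
9/27/2007 3:14:28 PM SYSTEM 1260 Sign of “Win32:Renos-AF [trj]” has been found in “http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe” file.
10/5/2007 10:06:45 AM SYSTEM 1280 Sign of “Win32:Delf-RT [trj]” has been found in “http://download.avicodecpack.com/AVICodecPackPlus2.exe\$SYSDIR\pxwma.dll” file.
12/3/2007 6:14:13 PM SYSTEM 1300 An error has occured while attempting to update. Please check the logs.
12/30/2007 1:21:22 PM SYSTEM 1128 Sign of “Win32:Zlob-AHS [trj]” has been found in “http://avsmanufacture.com/download.php?id=4170\$INSTDIR\$PLUGINSDIR\barf.dll” file.
12/30/2007 1:25:00 PM Billy & Phoebe 1128 Sign of “Win32:Zlob-AHS [trj]” has been found in “C:\WINDOWS\system32\barf.dll” file.
"""

# One detection line: timestamp, user (may contain spaces), PID, signature, location.
DETECTION_RE = re.compile(
    r'^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (.+?) (\d+) '
    r'Sign of [“"](.+?)[”"] has been found in [“"](.+?)[”"] file\.$'
)

def classify_location(loc):
    """Where the object lived when the signature matched."""
    if re.match(r'^[a-z]+://', loc, re.IGNORECASE):
        # Web Shield hit: the object was still coming from the remote server,
        # so this event by itself did not put an infected file on disk.
        rest = loc.split("://", 1)[1]
        return "remote-archive-member" if "\\" in rest else "remote"
    if "_avast4_" in loc or "\\TEMP\\" in loc.upper():
        return "local-temp"      # unpacked copy in avast's scratch directory
    return "local"               # a file that really sits on the system

def parse_detections(text):
    """Return every 'Sign of ... has been found' event as a dict."""
    out = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            ts, user, pid, sig, loc = m.groups()
            out.append({"time": ts, "user": user, "pid": int(pid),
                        "signature": sig, "location": loc,
                        "origin": classify_location(loc)})
    return out

def summarize(detections):
    """Hit count per (signature, origin), plus the local hits that need cleanup."""
    counts = Counter((d["signature"], d["origin"]) for d in detections)
    local = [d for d in detections if d["origin"].startswith("local")]
    return counts, local

if __name__ == "__main__":
    counts, local = summarize(parse_detections(SAMPLE_LOG))
    for (sig, origin), n in sorted(counts.items()):
        print(f"{n:3d}x {sig:24s} {origin}")
    print("local cleanup needed:", bool(local))
```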

OK, Sorry… :frowning:

Tech,
Does that mean that my PC is not infected? ???

Hi BLS,

I think you are not, because avast alerted when the trojan wanted to act, as it were. But you can check whether your system has it using this removal tool; you can download it from here:
http://wirusy.antivirenkit.pl/en/szczepionki/Zlob.html

Run it, and when it says that it has not been found on your computer, you don’t have it.

polonus

Follow Polonus’s advice… on-line scanning with Kaspersky or BitDefender will be good too.

Thanks Polonus and Tech,
I ran the three programs you recommended and I did have a virus (ADWARE.BHO.WQB).
Bit Defender detected the virus but could not disinfect it.
It deleted the virus but the update failed.
What does this mean exactly? ???


Just for information, here are a couple of links for information on avsmanufacture.com

http://g.s.scandoo.com/search?hl=en&meta=on&q=avsmanufacture.com

It might be a good idea in the future when you want to visit a site (that you are not already familiar with) to check the site through the use of ScanDoo as I have in the above link.

Below are 2 links I acquired from the search above …

http://www.trustedsource.org/TS?do=feedback&subdo=query&q=avsmanufacture.com

http://www.trustedsource.org/TS?do=feedback&subdo=query&q=85.255.120.109

The site provides a fake video codec, where you get a nasty surprise instead.


Hi BJS,

Download: RVAXO.exe from here:
http://home.hetnet.nl/~stefsmeenk/RemoveVideoActiveXObject.exe

  • Save the file onto your desktop, double-click it and choose “Unzip” to unpack it.
  • Then a file RVAXO will open onto your desktop and you must double-click RVAXO.cmd
  • A cmd-window will open, there you see some sentences about files not found fly by quickly; this is normal procedure.
  • Also an uninstaller for a rogue scanner will start up, do not close it, follow instructions and/or let it run.
  • Now your PC will reboot, after the reboot the cmd-window of RVAXO will open again.
    Let it run and wait for a logfile to open: C:\RVAXO-results.log
  • If your computer won’t restart on its own, or the tool won’t restart after the reboot, manually reboot.
  • Post the contents of the logfile in your next posting (or in more postings) together with the contents of a HijackThis logfile.

polonus

P.S. RVAXO may be flagged by some AV as an intrusion tool shutdown11, but you installed it yourself, so it is not riskware but necessary for cleansing.

Damian

You mean the on-line version?
Did you try other antitrojan tools (AVG, SuperAntispyware, SpywareTerminator)?

Which update?

Hi Tech,

While he was infected by opening a fake codec, and I linked a removal tool for it, I suppose after running the tool his computer should be clean; just wait for the results.

pol

Thanks Polonus

Here are the results of the RVAXO log and below that the HijackThis log…

RVAXO results:

----------------RVAXO.exe first run-------------

Files found:

Uninstallers Rogue scanners:

Folders Found:

Hosts-file was reset, If you use a custom hosts file please replace it…

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

--------------RVAXO.exe finished----------------

HijackThis results:

Logfile of HijackThis v1.99.1
Scan saved at 3:49:26 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/ig?hl=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190079721687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Hi BJS,

Everything seems fine now. Pre-scan your video codecs in advance using the DrWeb AV hyperlink scanner plug-in, from here: http://www.freedrweb.com/browser/
You can use it in IE, FF & Opera browsers. I wish you a malware-free 2008,

polonus

Thanks Polonus,

I actually wasn’t even looking for a codec when I contracted the virus (I was looking for an mp3 splitter), but I will use the DrWeb AV hyperlink scanner if I ever do…

Happy 2008 ;D