"Smart Anti virus- 2009" zlob? help! Win32:Adware-gen [Adw]

Hello,
Okay so I accidentally downloaded the fake anti virus software last night. I ran spybot s&d 3x and the 3rd time it successfully removed all 21 entries it found. So I had some control of my comp back. But 2 of the three icons are still on my desktop, the clock is messed up, and looks like this:

21:40: VIRUS ALERT!

I’ve been reading about this virus for hours (since yesterday), and found this instructional video which scares me a little because I don’t want to directly remove reg keys unless I can get a few more opinions/feedback. It also mentions some of the processes to end, but not all, and I am not sure how to identify the processes that he’s referring to. In the video he mentions installing avast and running a boot time scan:

http://www.youtube.com/watch?v=fGH7NxSEGtA

I ran ad-aware and it found a number of items and repaired them. While ad-aware was running, Norton said it detected 3 viruses; my norton expired 3 days ago, so I went on my other laptop and paid for a subscription. Rebooted the computer after ad-aware was complete and then ran norton and went to bed at 7am. When I woke up and looked at the results of the scan, it said it didn’t find anything, but it is blocking:

downloader.zlob!gen 3

I ran hijack this and then downloaded avast software and upon restarting it began scanning, but when asked what to do pertaining to certain files: repair, move or delete, I wasn’t able to repair any, I moved 3 to the chest, but the others that appeared afterwards would not move, and I did delete one… I know now I probably should not have done that. I don’t know how to paste what is in the chest, but I used the option to email avast and here is what is in the body:

Virus name: Win32:Adware-gen [Adw]
Original file location: C:…System Volume Information…_restore{5A5E3A11-A1D8-4AFC-A188-75FCD5DB812E}.RP31…A0003336.exe
Computer name: LIFEBOOK
Transfer time: 06.09.2008 20:18:27
Modification time: 21.08.2008 18:27:30
Total size: 212992
Comment:

File ID: 1
Category: 1

I’m not sure what is best, so after skimming this forum, I decided to just exit that scan and post the results of hijack this in hopes that some techy angels save me O:)

Oh, I also have TuneUp Utilities 2008 and thought maybe I should have it defrag at some point?

(sorry for being so long winded!)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:00: VIRUS ALERT!, on 9/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\CyberLink Codec\PDVDServ.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\TuneUpUtilities\MemOptimizer.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computers.us.fujitsu.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.computers.us.fujitsu.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: gksraemq - {FF61FEF9-D771-4BB1-81E7-C55B3AED213E} - C:\WINDOWS\gksraemq.dll (file missing)
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink Codec\PDVDServ.exe”
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [avgnt] “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min
O4 - HKLM..\Run: [rspNotify] “C:\WINDOWS\TEMP\GenesisAluMsg.exe” /delay
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [osCheck] “C:\Program Files\Norton AntiVirus\osCheck.exe”
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [TuneUp MemOptimizer] “D:\Program Files\TuneUpUtilities\MemOptimizer.exe” autostart
O4 - HKCU..\Run: [CTSyncU.exe] “C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe”
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘SYSTEM’)
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/

(was I only supposed to post a portion of the results? it’s almost 14,000 characters)

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212169167666
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: dgksvbpn - {9CA4CFD3-57C8-4004-A9E2-4229741CE07E} - C:\WINDOWS\dgksvbpn.dll (file missing)
O21 - SSODL: xrdwbfgn - {9013164C-40F1-48E3-8E7E-683FF9475879} - C:\WINDOWS\xrdwbfgn.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe


End of file - 13357 bytes

I suggest MalwareByte’s Anti-Malware.

First, no defrag now.
Second, the hit you show is in RESTORE so not a problem, we’ll fix later.

do you have a firewall- what is it?

Did you pay for a Norton extension?
If you have removed norton with add remove programs please run the norton uninstaller
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
DO NOT HAVE AVAST AND NORTON INSTALLED AT THE SAME TIME

Next, O2 is Link Scanner - it is ok
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

This is a fraudulent anti security program - google gksraemq
O3 - Toolbar: gksraemq - {FF61FEF9-D771-4BB1-81E7-C55B3AED213E} - C:\WINDOWS\gksraemq.dll (file missing)

we could kill this with hijack this but there is no file, which spybot may have taken out
could you post your spybot log
and
download and update, then run malware bytes anti malware and put a check mark next to any hits
http://www.besttechie.net/tools/mbam-setup.exe
then click REMOVE CHECKED - a backup will be made
If MBAM asks you to reboot to remove something, do it now
post the log
let’s see if there is any more to this bad boy
The following two threats are associated with the malware group Win32.VideoAccessCodec.
These O21 HJT entries should be removed by MBAM with the following in the MBAM report
Memory Modules Infected:
C:\WINNT\xrdwbfgn.dll (Trojan.FakeAlert) → Delete on reboot.
C:\WINNT\dgksvbpn.dll (Trojan.FakeAlert) → Delete on reboot.
Hint - Reboot NOW

Run HijackThis once more and press “Scan.” When the scan is complete place a check mark next to the above 03 entry: (Please be careful and do not check any other boxes)-

check this one out
Unknown
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab
Check if you know this site and fix it if you do not.
Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

If these two are still in HJT after MBAM scan FIX them
O21 - SSODL: dgksvbpn - {9CA4CFD3-57C8-4004-A9E2-4229741CE07E} - C:\WINDOWS\dgksvbpn.dll (file missing)
O21 - SSODL: xrdwbfgn - {9013164C-40F1-48E3-8E7E-683FF9475879} - C:\WINDOWS\xrdwbfgn.dll (file missing)

There are lots of Norton entries- let’s see if they are gone after running the Norton remover

If those O3 and O21 entries are gone - well that’s good, MBAM got them
(It looks like Spybot already got the active part)

After checking these items CLOSE ALL open windows except HijackThis and click “Fix Checked” to remove the entries you checked.
A box will pop up asking you if you wish to fix the selected items.
Please choose YES.
Once it has fixed them, close HijackThis
and reboot your computer normally.


now run a Kaspersky online scan - It will not fix anything but might show us if anything else is lurking
post the log

now Run SDFIX
instructions here
http://www.bleepingcomputer.com/forums/topic131299.html
It will find any other parts of the CODEC infection and is not as risky as the frequently used “Combo fix”

post the Spybot log, MBAM log, anything from SDFIX, anything from Kaspersky and a new HJT
(in a perfect world SDFIX and Kaspersky should not find anything :) )

take your time and follow instructions exactly
anything I did not make clear-well I’ll have Polonus explain it

Polonus- would you like to see a RRIST on this one?
OP mentions Norton found Zlob but did not fix
we need to dbl check that we got it as his version of the infections seems to be a recent one
You can recommend SmitfraudFix if any evidence still around but let’s get the codec first

Wyrmrider
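The triage above is done by eye: an O3 toolbar or O21 SSODL entry whose DLL is "(file missing)" and has a random-looking name sitting directly in C:\WINDOWS is the FakeAlert/VideoAccessCodec leftover, an orphaned entry under a vendor folder is just a leftover from an uninstalled product, and an O16 ActiveX control from a site you don't recognise gets fixed. The script below is an added example, not code from this thread or from HijackThis, that encodes those same checks so they can be run over a pasted log. The known-good domain list and the "random name" heuristic (6+ lowercase letters, at most 30% vowels) are assumptions made for this example; the sample lines are copied from the HJT log earlier in the thread.

```python
"""Triage HijackThis (HJT) log lines the way a helper reads them by hand.

Added example; not part of the forum thread or the HijackThis tool.
"""
import re
from urllib.parse import urlparse

# Assumption for this example: sites whose ActiveX (O16 DPF) controls are
# treated as known. Anything else is flagged for review.
KNOWN_DPF_DOMAINS = {
    "www.update.microsoft.com",
    "webdl.symantec.com",
    "www.adobe.com",
    "upload.facebook.com",
    "activatemydsl.verizon.net",
}

# "O3 - Toolbar: gksraemq - {GUID} - C:\WINDOWS\gksraemq.dll (file missing)"
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
# O16 payload: "{GUID} (Friendly Name) - http://host/path/file.cab"
DPF_RE = re.compile(r"^\{[^}]+\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# First drive-letter path ending in .dll/.exe, plus an optional "(file missing)"
# tag (closing paren optional because pasted lines sometimes lose it).
PATH_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.+?\.(?:dll|exe))(?P<missing>\s*\(file missing\)?)?",
    re.IGNORECASE,
)


def looks_random(filename):
    """Heuristic (assumption): names like 'gksraemq' or 'xrdwbfgn' are
    6+ lowercase letters with few vowels; real vendor DLL names rarely are."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{6,}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.3


def in_windows_root(path):
    """True for a file directly under C:\\WINDOWS (not in a subfolder)."""
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path, re.IGNORECASE) is not None


def triage(lines):
    """Return a list of (severity, section, reason, original_line) findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m is None:
            continue
        section, rest = m.group("section"), m.group("rest")

        if section == "O16":  # downloaded ActiveX controls
            d = DPF_RE.match(rest)
            if d is not None:
                host = urlparse(d.group("url")).hostname or ""
                if host not in KNOWN_DPF_DOMAINS:
                    findings.append(("review", section,
                                     f"ActiveX control from unknown site {host}", line))
            continue

        if section not in {"O2", "O3", "O4", "O21"}:
            continue
        p = PATH_RE.search(rest)
        if p is None:
            continue
        path = p.group("path")
        missing = p.group("missing") is not None
        name = path.rsplit("\\", 1)[-1]

        if missing and in_windows_root(path) and looks_random(name):
            findings.append(("high", section,
                             f"orphaned random-named {name} in Windows root (FakeAlert pattern)", line))
        elif section == "O21":
            findings.append(("review", section,
                             "SSODL entry loads with the shell; confirm the DLL is legitimate", line))
        elif missing:
            findings.append(("low", section,
                             f"orphaned entry, {name} no longer present (leftover of an uninstall)", line))
    return findings


# Sample input copied from the HJT log posted earlier in this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    r"O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll",
    r"O3 - Toolbar: gksraemq - {FF61FEF9-D771-4BB1-81E7-C55B3AED213E} - C:\WINDOWS\gksraemq.dll (file missing)",
    r"O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r"O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212169167666",
    r"O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v4.cab",
    r"O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab",
    r"O21 - SSODL: dgksvbpn - {9CA4CFD3-57C8-4004-A9E2-4229741CE07E} - C:\WINDOWS\dgksvbpn.dll (file missing)",
    r"O21 - SSODL: xrdwbfgn - {9013164C-40F1-48E3-8E7E-683FF9475879} - C:\WINDOWS\xrdwbfgn.dll (file missing)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]

if __name__ == "__main__":
    for severity, section, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {reason}\n         {line}")
```

Run it as-is to see the three "high" hits (the O3 toolbar and both O21 SSODL entries), the AVG link scanner as a harmless "low" orphan, and the two shockwave.com controls queued for review; to use it on another log, replace SAMPLE_LOG with the pasted lines and extend KNOWN_DPF_DOMAINS for sites you trust.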

thank you thank you, both!

can I just say WOW ;D I appreciate the time taken to review and the assistance thus far

wyrmrider:

In reference to Norton, I had a limited time subscription. I went on my other laptop and selected the upgrade option and then went back to the infected laptop, went online to the Norton status page and entered the registration info and downloaded. Now I have Norton Anti Virus 2008.

So the first thing to do would be to uninstall Avast? I actually have had it running a thorough scan over the last couple of hours.
Should I uninstall it through the control panel-> add/remove program, or TuneUp Utilities uninstall?

The firewall was originally through Windows XP, but I disabled that to install the Norton upgrade and it remains off, while the Norton firewall is active.

just to recap, my next few steps:
uninstall avast
download and run malware bytes anti malware
post log

please see the attached spybots&d log

******modified to add the log of a spybots&d I just completed and to include the two previous scans following the infestation


Could this contribute to the problem?

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

There are also traces of avira in the HJT log which could also be part of the problem.

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

O4 - HKLM..\Run: [avgnt] “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe


Hi CharleyO,

I’ve had Avira for a little over a month. I learned about it through a consumer report magazine article where it received high ratings as one of the best free anti virus software.

Is there more to it that I need to know?

Thanks!


Not really … what i meant was that by the time you came here, you had 2 or more anti-virus programs on the computer. This is a no-no as you now know. I just wanted to make sure that this was noticed by those helping you.

By the way, IE6 should surely be updated to IE7 which, though not perfect, is more secure than IE6. But wait until wyrmrider says to do so as it is more important to first clean things up.


oh, I see.

thanks for writing

the attached img is a print screen of the avast chest which has 3 more findings added to the chest.

one bizarre find is kazaa on my d drive. I had kazaa many moons ago and uninstalled it from fear of getting a virus. When that laptop crashed a few months ago, the tech folks I took the laptop to were able to retrieve items from the original c drive and add it to the newly installed d drive. So all that to say, to the best of my recollection, I haven’t had kazaa in a couple of years, so how did it reappear?

also, another finding of the scan is that the c drive is infected. I’ve never seen that, and that’s pretty scary because I really can’t afford to lose a lot of the programs on the c drive.

OK, so once I am informed as to the best way to uninstall avast, I will. Will it ask me what I want to do with the items in the chest?

thanks!

**oh. when I install and run MalwareByte’s Anti-Malware, should I temporarily disable norton?

I decided to move forward and begin the following:

I removed avast and avira
I am currently running MBAM

Also, Norton has been detecting/blocking and removing downloader.zlob!gen.3

I was able to read more about the virus here:

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-082521-2037-99&tabid=2

Questions:
I normally use Mozilla firefox browsers. Since IE does open automatically for some links, I will update it, but when should I? Now or after I am done getting rid (crossing my fingers) of this virus?

What happens if you have more than one anti virus program?

So it is okay to have more than one anti spyware program?

Thanks!

Resident AVs have low level device drivers loaded even if you have it disabled; this is effectively what tries to hook files so that the AV can scan them first before they run. With multiple resident AVs all trying to do the same thing, these low level device drivers can conflict and lock up your system. A worst case scenario is that your system might lock up on boot and then you really have some problems.

With anti-spyware (AS) applications you should use the same principle: only one resident AS; these don’t clash with AVs. You can have additional on-demand AS applications as back-up scanners, in the same way you can have on-demand AVs to do back-up scans.

I don’t think you’ll have problems updating before or after. If you want a suggestion, after you’re sure you’re clean.

Conflicts, problems, troubles, messes…

Depends, which are you about to use?

Thank you David and Tech.

Tech, I currently have:
Lavasoft- Ad-Aware
Spybot- S&D
Spyware Terminator
SpywareBlaster

I regularly use Spybot (a few times a week) and Ad-Aware (once a week or so). The others maybe 2x a month.

Not worth it… bad detection rates.

Hi
I’ll try and go through your posts in order from my last post
so read the whole thing as there may be updates along the way :slight_smile:

Norton
I did not see that you removed and ran the norton uninstaller, so for now Do NOT DO THAT
You have uninstalled avast and avira
run this
www.avast.com/eng/avast-uninstall-utility.html
then go here
http://www.pchell.com/virus/uninstallantivir.shtml
do this
What if Windows Security Center Shows AntiVir or other multiple Antivirus products installed
then
run the AntiVir Registry Cleaner
in this case do not check the Norton / symantec boxes but avast and antivir avg etc

Report back: is your current version the only Norton you have had on this machine?
No oldie moldies - I’m guessing that Norton was pre-installed
Norton may be a bloated resource hog but for now it’s Your bloated resource hog and we do not want to rock the boat
if for some reason Norton gets borked due to all of this clean up activity you can reinstall it or run the remover and install avast; you can keep the norton firewall (have you updated since you reinstalled?)

Now since you are no longer an avast user see you later
just kidding this is a user driven forum welcome to avast

we’ll look at the logs in a minute

Big thanks to Charlie O
Let’s not update IE yet but you are correct it does need to be up to date and protected as if it is installed at all it can be vulnerable

sounds like Kazaa is not installed, just some files on D - go ahead and delete the file and folder
(unless it shows up in the MBAM or Spybot scans)

you do not have to pause norton but would not hurt to disconnect from internet and pause when running spybot/ MBAM and especially if running an on line AV scan like Kaspersky

I think the question about more than one AV program has been answered
for the time being do not worry about running more than one AV or AS/AM on demand scan- we are worried about “start on boot” type installed programs

I think that CharlieO, Tech, and DavidR have pretty well covered the details but if any other questions please ask
I’ll be looking for the Kaspersky and MBAM logs
going to look at spybot logs, will post back in a few
You are doing great

Just saw the last two posts- I had the thread up on another window
Ad-aware will not hurt anything - did you run a scan?
you may remove cookies with Spybot or ad-aware but do not include them in posts
removing will clean up the removal process so I have no problem with your doing it-
Now if ad-aware did find anything please let me know

If you ran a spyware terminator scan and it found anything please post- did you update?
ST is the only program you have with real time anti spyware features
one is all you get
SO

Spybot
did you install TeaTimer?
if you did
go to upper left Mode>advanced>tools>resident and uncheck TeaTimer
please check - as TeaTimer can interfere with removal activities - that’s what it does - prevents changes

do you know what the files in the avast chest were?
if baddies it would be nice to know, but vaya con dios

And what about the services running in the background and drivers being loaded at boot time…
For what? For cookie detection?
I don’t think it’s worth it nowadays…

Definitely not worth it but not on the critical path
I do not want him to uninstall if he has current items besides cookies in quarantine
he could turn off all load at boot things like auto update and the tray table thingie and use it for on demand but no real benefit
I’ve only rarely had it find anything in the last year
did you answer his question about items in avast chest? are they retrievable?

Now I’ve got it…