Last night I did a Avast! virus scan and encountered the following warning:
Sign of “Win32:Zlob-BVB [trj]” has been found in “C:\Documents and Settings\John Baum\Local Settings\Temp\h7oo2vpz.exe” file.
I quarantined it.
I found no mention of the string “h7oo2vpz” when I ran HijackThis this morning.
-
Do I need to do more than the quarantine to be free of this trojan.
-
I keep the On-Access Scanner running at ‘almost’ all times, disabling it only to install new software that insists that no other programs be running when the install is executed. These usually insist on a reboot after installation. In any case, I shut down every evening for the night. Should I have expected it to block installation of this trojan? If not, why not?
-
I find no reference to “h7oo2vpz” in Google and/or Google Groups. Is every instance of this trojan given a new name?
-
I do not find much that is useful when I search Google for “win32:Zlob-BVB.” Where can I learn about the damage this trojan can do?
-
Is there any way to determine when this trojan was inserted into my system?
Thanks,
baumgrenze
Hallo baumgrenze,
Step 1 : Use Windows File Search Tool to Find Zlob Path
- Go to Start > Search > All Files or Folders.
- In the “All or part of the the file name” section, type in “Zlob” file name(s).
- To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
- When Windows finishes your search, hover over the “In Folder” of “Zlob”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete Zlob in the following manual removal steps.
Step 2 : Use Windows Task Manager to Remove Zlob Processes
- To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
- Click on the “Image Name” button to search for “Zlob” process by name.
- Select the “Zlob” process and click on the “End Process” button to kill it.
- Remove the “Zlob” processes files:
- msmsgs.exe nvctrl.exe msmsgs.exe nvctrl.exe
msmsgs.exe
nvctrl.exe
msmsgs.exe
nvctrl.exe
Step 3 : Use Registry Editor to Remove Zlob Registry Values
- To open the Registry Editor, go to Start > Run > type regedit and then press the “OK” button.
- Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
- To delete “Zlob” value, right-click on it and select the “Delete” option.
- Locate and delete “Zlob” registry entries:
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWinlogonShell=explorer.exe HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows NT CurrentVersionWinlogonShell=explorer.exe, msmsgs.exe
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunRegSvr32=%System%msmsgs.exe HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows CurrentVersionRunRegSvr32=%System%msmsgs.exe
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsNTCurrentVersionWinlogonShell=explorer.exe
HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows NT CurrentVersionWinlogonShell=explorer.exe, msmsgs.exe
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunRegSvr32=%System%msmsgs.exe
HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows CurrentVersionRunRegSvr32=%System%msmsgs.exe
Step 4 : Use Windows Command Prompt to Unregister Zlob DLL Files
- To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.
- Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the Zlob DLL file is located and press the “Enter” button on your keyboard. If you don’t know where Zlob DLL file is located, use the “dir” command to display the directory’s contents.
- To unregister “Zlob” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, :C\Spyware-folder> regsvr32 /u Zlob.dll) and press the “Enter” button. A message will pop up that says you successfully unregistered the file.
- Search and unregister “Zlob” DLL files:
- uimcu.dll antzozc.dll dtjby.dll
uimcu.dll
antzozc.dll
dtjby.dll
Step 5 : Detect and Delete Other Zlob Files
- To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.
- Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content even the hidden files.
- To change directory, type in “cd name_of_the_folder”.
- Once you have the file you’re looking for type in “del name_of_the_file”.
- To delete a file in folder, type in “del name_of_the_file”.
- To delete the entire folder, type in “rmdir /S name_of_the_folder”.
- Select the “Zlob” process and click on the “End Process” button to kill it.
- Remove the “Zlob” processes files:
- uimcu.dll antzozc.dll dtjby.dll dumpserv.com zxserv0.com vnp7s.net Protect RSA ncompat.tlb msvol.tlb hp.tmp msmsgs.exe dumpserv.com nvctrl.exe zxserv0.com vnp7s.net %UserProfile%\Application Data\Microsoft\Protect %UserProfile%\Application Data\Microsoft\Crypto\RSA ncompat.tlb msvol.tlb hp.tmp
uimcu.dll
antzozc.dll
dtjby.dll
dumpserv.com
zxserv0.com
vnp7s.net
Protect
RSA
ncompat.tlb
msvol.tlb
hp.tmp
msmsgs.exe
dumpserv.com nvctrl.exe
zxserv0.com
vnp7s.net
%UserProfile%\Application Data\Microsoft\Protect
%UserProfile%\Application Data\Microsoft\Crypto\RSA
ncompat.tlb
msvol.tlb
hp.tmp
polonus