win32:Zlob-BVB - Found in Mozilla Profile

Last night I did an Avast! virus scan and encountered the following warning:

Sign of “Win32:Zlob-BVB [trj]” has been found in “C:\Documents and Settings\John Baum\Local Settings\Temp\h7oo2vpz.exe” file.

I quarantined it.

I found no mention of the string “h7oo2vpz” when I ran HijackThis this morning.

  1. Do I need to do more than the quarantine to be free of this trojan?

  2. I keep the On-Access Scanner running at ‘almost’ all times, disabling it only to install new software that insists that no other programs be running when the install is executed. These usually insist on a reboot after installation. In any case, I shut down every evening for the night. Should I have expected it to block installation of this trojan? If not, why not?

  3. I find no reference to “h7oo2vpz” in Google and/or Google Groups. Is every instance of this trojan given a new name?

  4. I do not find much that is useful when I search Google for “win32:Zlob-BVB.” Where can I learn about the damage this trojan can do?

  5. Is there any way to determine when this trojan was inserted into my system?

Thanks,

baumgrenze

  1. Being a Trojan, the combined anti-spyware element of avast, I believe, will also remove the registry entry that would run it. So I guess that is why it doesn’t feature in the HJT log file.

  2. I wouldn’t disable avast whilst installing software. Think about it: when would you most want protection? When software is installed. I take with a huge pinch of salt requests from software that states you should disable your AV. I ask myself what is it that they are doing that makes them ask for an AV to be disabled.

  3. The file name looks randomly generated so I wouldn’t expect to find much/anything about it.

  4. Do your search on the family, win32:zlob and you will get an idea of what the family does. The issue is one of malware naming, e.g. there is no standardisation in naming so it may differ from AV to AV.

  5. This is a hard one, being in a temp folder (now getting more common as a malware location) and not say the internet temp, where you could reasonably say where it might have come from.

Hallo baumgrenze,

Step 1 : Use Windows File Search Tool to Find Zlob Path

  1. Go to Start > Search > All Files or Folders.
  2. In the “All or part of the file name” section, type in “Zlob” file name(s).
  3. To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
  4. When Windows finishes your search, hover over the “In Folder” of “Zlob”, highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete Zlob in the following manual removal steps.

Step 2 : Use Windows Task Manager to Remove Zlob Processes

  1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
  2. Click on the “Image Name” button to search for “Zlob” process by name.
  3. Select the “Zlob” process and click on the “End Process” button to kill it.
  4. Remove the “Zlob” process files:

msmsgs.exe
nvctrl.exe

Step 3 : Use Registry Editor to Remove Zlob Registry Values

  1. To open the Registry Editor, go to Start > Run > type regedit and then press the “OK” button.
  2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
  3. To delete “Zlob” value, right-click on it and select the “Delete” option.
  4. Locate and delete “Zlob” registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = explorer.exe, msmsgs.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32 = %System%\msmsgs.exe

Step 4 : Use Windows Command Prompt to Unregister Zlob DLL Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.
  2. Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the Zlob DLL file is located and press the “Enter” button on your keyboard. If you don’t know where Zlob DLL file is located, use the “dir” command to display the directory’s contents.
  3. To unregister the “Zlob” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\Spyware-folder> regsvr32 /u Zlob.dll) and press the “Enter” button. A message will pop up that says you successfully unregistered the file.
  4. Search and unregister “Zlob” DLL files:

uimcu.dll
antzozc.dll
dtjby.dll

Step 5 : Detect and Delete Other Zlob Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.
  2. Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s contents, including hidden files.
  3. To change directory, type in “cd name_of_the_folder”.
  4. Once you have the file you’re looking for type in “del name_of_the_file”.
  5. To delete a file in folder, type in “del name_of_the_file”.
  6. To delete the entire folder, type in “rmdir /S name_of_the_folder”.
  7. Select the “Zlob” process and click on the “End Process” button to kill it.
  8. Remove the “Zlob” process files:

uimcu.dll
antzozc.dll
dtjby.dll
dumpserv.com
zxserv0.com
vnp7s.net
ncompat.tlb
msvol.tlb
hp.tmp
msmsgs.exe
nvctrl.exe
%UserProfile%\Application Data\Microsoft\Protect
%UserProfile%\Application Data\Microsoft\Crypto\RSA

polonus
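An added example, not part of polonus's post or of the original thread: a read-only PowerShell check of the two persistence locations the removal guide names (the Winlogon Shell value, which should be exactly explorer.exe, and the Run keys), flagging autostart entries that run from a Temp folder or whose target file no longer exists. Run it from an elevated prompt; it deletes nothing.

```powershell
# Added example (not from the thread): audit the Zlob persistence
# locations named in the removal guide. Read-only; it changes nothing.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$runKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Winlogon\Shell must be exactly "explorer.exe"; the guide shows the
#    infected form "explorer.exe, msmsgs.exe" (a second shell appended).
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -eq $shell) {
    Write-Output 'Winlogon\Shell: value absent (default explorer.exe applies)'
} elseif ($shell.Trim() -ieq 'explorer.exe') {
    Write-Output "Winlogon\Shell: OK ($shell)"
} else {
    Write-Warning "Winlogon\Shell: UNEXPECTED value '$shell'"
}

# 2. Run keys: list every autostart and flag entries whose command runs
#    from a Temp folder or points at a file that is gone (e.g. quarantined).
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSDrive metadata
        $cmd = [string]$p.Value
        # Executable is the quoted token, else the first whitespace-delimited token
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $flag = ''
        if ($exe -match '\\Temp\\') { $flag = ' [runs from Temp]' }
        elseif ($exe -and -not (Test-Path -LiteralPath $exe)) { $flag = ' [target missing]' }
        Write-Output "$key\$($p.Name) = $cmd$flag"
    }
}
```

A flagged entry is a lead to investigate, not proof of infection; compare the file name against the scanner's detection before deleting anything.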