zlob trojan help

Hello,

I caught this virus and other generic ones by opening a file disguised as a read-me txt. So far I’ve turned off system restore, rebooted in safe mode, then did a thorough scan with avast that took 30 hours. Can anyone help me check if I got rid of the viruses completely? Where would I find the log so you can view it? Also my IE6 keeps hanging now after a Google search; did avast delete a file that was needed?

It could be that there is another element; zlob can be somewhat persistent.
What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section; this contains information on all avast detections.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.

  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

I was installing and uninstalling, trying different antivirus programs, and no longer have the avast log, unless it’s still stored in some folder. I tried spydoctor, avg, avast… I think spydoc caught 22 infected files, and I took a picture of the avg, and avast found 5 or so including a rootkit.

http://i118.photobucket.com/albums/o106/dakapx/viruslist-1.jpg

Here is the log for a quick scan using SUPERAntiSpyware in safe mode:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/31/2008 at 04:43 PM

Application Version : 4.21.1004

Core Rules Database Version : 3618
Trace Rules Database Version: 1603

Scan type : Quick Scan
Total Scan Time : 00:12:11

Memory items scanned : 159
Memory threats detected : 0
Registry items scanned : 337
Registry threats detected : 0
File items scanned : 6450
File threats detected : 2

Trojan.Dropper/Gen
C:\DOCUMENTS AND SETTINGS\J\LOCAL SETTINGS\TEMP\129.TMP
C:\DOCUMENTS AND SETTINGS\J\LOCAL SETTINGS\TEMP\12A.TMP

And I ran mbam earlier in normal xp mode:

Malwarebytes’ Anti-Malware 1.30
Database version: 1348
Windows 5.1.2600 Service Pack 2

10/31/2008 3:32:23 PM
mbam-log-2008-10-31 (15-32-23).txt

Scan type: Quick Scan
Objects scanned: 67780
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\J\Local Settings\Temp\111.tmp (Spyware.Passwords) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Temp\11F.tmp (Spyware.Passwords) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Temp\121.tmp (Spyware.Passwords) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Temp\124.tmp (Spyware.Passwords) → Quarantined and deleted successfully.
C:\WINDOWS\k.txt (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Start Menu\Search Online.url (Rogue.Link) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Start Menu\VIP Casino.url (Rogue.Link) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Start Menu\Cheap Pharmacy Online.url (Rogue.Link) → Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-A95.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Temp\myconfig.php (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxekj.dll (Rootkit.Agent) → Quarantined and deleted successfully.

Let SAS deal with the two files it found, 129.tmp and 12A.tmp, or clear your temp locations.

MBAM seems to have cleaned house to a degree. I would suggest you run it from safe mode as well, as some malware might be using something to actually hide itself. If it doesn’t turn anything else up you should be relatively safe to assume you are in the clear, but monitor your system for anything out of the ordinary.

Are you still having the problem with your browser ?

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic; you may need to split it over two or more posts depending on how large it is.
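The reply above reads the MBAM log by hand: which families were hit, whether everything was actually quarantined, and whether a rootkit-class detection means a safe-mode rescan is warranted. The following is an added example, not code from this thread or from Malwarebytes, that applies the same reasoning to MBAM-style "Files Infected" lines. The sample log is constructed from a subset of the lines posted above plus one hypothetical "Delete on reboot." entry (`EXAMPLE-locked.dll`) to show the not-yet-cleaned case; the safe-mode rule is my own encoding of the advice in the reply.

```python
import re
from collections import Counter

# Constructed sample: a subset of the MBAM log posted in this thread, plus one
# hypothetical locked file (EXAMPLE-locked.dll) that MBAM could only schedule
# for deletion at reboot. The summary line "Files Infected: 5" is the header
# count; the section of the same name follows later.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Database version: 1348

Files Infected: 5

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\J\Local Settings\Temp\111.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\k.txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Start Menu\Search Online.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSxekj.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EXAMPLE-locked.dll (Rootkit.Agent) -> Delete on reboot.
"""

# Constructed clean run, for comparison.
CLEAN_MBAM_LOG = "Files Infected: 0\n\nFiles Infected:\n(No malicious items detected)\n"

# "<path> (<family>) -> <action>"; the arrow is "->" in the text export and
# was rendered as a Unicode arrow in the forum paste, so accept both.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) (?:->|\u2192) (?P<action>.+)$")


def parse_mbam(text):
    """Return a list of detections (path, family, action, section) from an MBAM log."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # e.g. "Files Infected:" (no count)
            section = line[:-1]
            continue
        if not line or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            rec = m.groupdict()
            rec["section"] = section
            detections.append(rec)
    return detections


def summarize(detections):
    """Per-family counts, items not yet removed, and whether a safe-mode rescan is advised."""
    by_family = Counter(d["family"] for d in detections)
    # Anything MBAM could not quarantine immediately (e.g. "Delete on reboot.")
    not_cleaned = [d["path"] for d in detections if "successfully" not in d["action"]]
    rootkit_seen = any(d["family"].lower().startswith("rootkit") for d in detections)
    return {
        "by_family": dict(by_family),
        "not_cleaned": not_cleaned,
        "rootkit_seen": rootkit_seen,
        # Assumed policy, mirroring the advice in the thread: a rootkit-class
        # hit or an incomplete removal means run MBAM again from safe mode.
        "rescan_in_safe_mode": rootkit_seen or bool(not_cleaned),
    }


if __name__ == "__main__":
    report = summarize(parse_mbam(SAMPLE_MBAM_LOG))
    for family, n in sorted(report["by_family"].items()):
        print(f"{family:20s} {n}")
    print("not cleaned:", report["not_cleaned"])
    print("rescan in safe mode:", report["rescan_in_safe_mode"])
```

Running it on the sample reports four families, one item still pending removal, and a recommendation to rescan in safe mode; on the constructed clean log it recommends nothing.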

Great news! I’ve run MBAM again in safe mode and it was a clean scan. Does this virus steal passwords and information from my computer?
Here is the log file for hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:52 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\J\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM..\Run: [NvCplDaemon] “RUNDLL32.EXE” C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] “nwiz.exe” /install
O4 - HKLM..\Run: [NvMediaCenter] “RUNDLL32.EXE” C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Google Update] “C:\Documents and Settings\J\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203895735656
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


End of file - 7071 bytes

Which FREE anti-virus & firewall do you recommend that I should run?

P.S. Yes, I’m still having issues with the browser. It just hangs when I perform a Google search in IE6. Works fine in Chrome and Firefox.

http://i118.photobucket.com/albums/o106/dakapx/hang.jpg

I don’t know what virus you refer to re stealing passwords; if it is zlob, that is normally associated with being a downloader, and what it downloads could be almost anything.

Your HJT log shows you are still using XP SP2. SP3 not only brings a collation of all security updates since SP2 but a few other things; it also updates IE6 to the SP3 version, so I would say you should seriously consider updating to XP SP3.

Your log also shows no avast installed. And it may be that AVG8 anti-virus isn’t fully installed, as the hijackthis.de analysis site indicates no AV, which is strange. So you should make up your mind which AV you are going to use, and considering you’re getting help from the avast support forums, I would say that is what you should be using.

There are some that consider Bonjour adware; since I don’t use any Apple products I can’t say if this is an essential service.
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

Also this Viewpoint.
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Other than the above I don’t see anything obvious.

There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. Zone Alarm Free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.
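The reply above works through the HijackThis log section by section: O23 services that the user may not need, O4 autoruns, O20 AppInit_DLLs. As an added example (not code from this thread or from Trend Micro), here is a small parser for HJT-style lines that structures the R/O entries and applies a review pass. The sample input is a constructed subset of the log posted above; the review list naming Bonjour and Viewpoint reflects the two services the reply singled out, and the other two checks (O4 commands that name a bare executable rather than a full path, and listing every AppInit_DLLs entry for verification) are my own analyst heuristics, not anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
End of file - 7071 bytes
"""

ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d{1,2}) - (?P<body>.+)$")
# O23 body: "Service: <name> - <vendor> - <path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# O4 body: "HKLM\..\Run: [<name>] <command>" (the forum paste dropped the first backslash, so it is optional)
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed review list: services the helper in this thread flagged for the
# user's own judgement. This is a hypothetical baseline, not a malware signature list.
REVIEW_KEYWORDS = ("bonjour", "viewpoint")


def parse_hjt(text):
    """Group HJT entries by section code; O4 and O23 bodies are split into fields."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # banner, blank and "End of file" lines
        section, body = m.group("section"), m.group("body")
        rec = {"raw": raw.strip(), "body": body}
        if section == "O23":
            s = SERVICE_RE.match(body)
            if s:
                rec.update(s.groupdict())
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                rec.update(r.groupdict())
        entries[section].append(rec)
    return dict(entries)


def unqualified(cmd):
    """True when the autorun command names a bare executable (no drive path, no env var)."""
    first = cmd.strip().lstrip('"').split('"')[0].split()[0]
    return not re.match(r"^[A-Za-z]:\\", first) and not first.startswith("%")


def review(entries):
    """Return (section, item, reason) tuples an analyst should look at."""
    findings = []
    for rec in entries.get("O23", []):
        if any(k in rec["raw"].lower() for k in REVIEW_KEYWORDS):
            findings.append(("O23", rec.get("name", rec["raw"]), "service on the review list"))
    for rec in entries.get("O4", []):
        if "cmd" in rec and unqualified(rec["cmd"]):
            findings.append(("O4", rec["name"], "autorun uses an unqualified executable name; confirm which file runs"))
    for rec in entries.get("O20", []):
        if rec["body"].startswith("AppInit_DLLs:"):
            findings.append(("O20", rec["body"], "AppInit_DLLs loads into every process; verify each DLL"))
    return findings


if __name__ == "__main__":
    for section, item, reason in review(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{section:4s} {item}\n     {reason}")
```

On the sample this reports the two services named in the reply, the `nwiz` autorun (a bare `nwiz.exe` with no path) and the single AppInit_DLLs line; a clean entry such as the NVIDIA service or the fully-pathed AVG tray autorun produces nothing.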

I have Safari and iTunes installed on my computer. I don’t even know what the Bonjour service does, so if I remove it will anything crash? No clue what Viewpoint Manager is related to; is that a codec for watching videos?

I would remove both if it doesn’t affect my comp.

To tell you exactly what they do/are I too would have to use my friend google to find the answers.

Thank you David for all the help. I’ve updated to SP3 and the Google search still is not fixed; I might have to install a fresh copy. It seems that Viewpoint came along with AOL Instant Messenger, so I’m not going to mess with that. I installed avast and Zone Alarm and it said there was some kind of interference, so the web shield was disabled.

The free version of Zone Alarm shouldn’t be a problem; it is only the Pro version with its privacy function that can conflict with the web shield. So exactly what version of ZA do you have?

WEB SHIELD ISSUES - ZONE ALARM - also see bottom of page.
http://www.avast.com/eng/webshield_issues.html

  • Zone Alarm - avast! Web Shield compatibility dialogue - Install/Update Question - YES or NO

If you are using ZoneAlarm Free you should click NO; because privacy features are not present in ZoneAlarm Free, this will not turn off the web shield transparent mode proxy (note the avast check should now be able to differentiate between ZA and ZA Pro, so you may not see this interface if using ZA Free).
Use a text editor and edit the avast4.ini file, the default installation location is C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini (I would advise you copy avast4.ini before editing it, just in case).
If you answered incorrectly, locate the line containing ZoneAlarmCompatibility= and delete that line (avast will ask again; answer NO) or change the value to =0. Save the edited avast4.ini file.

If you are using ZoneAlarm Pro and Privacy Control in ZoneAlarm is set to High, and you click YES in the avast compatibility dialogue box, the transparent mode proxy in web shield will be turned off and you have to manually configure your browser to access the internet. To manually configure your browser, watch the instructional video:

For IE - broadband users: - Tutorial - Web Shield Proxy Set-up for IE
For IE - dialup users - Tutorial - Web Shield Proxy Set-up for IE (Dial-up)
For Firefox users - Tutorial - Web Shield Proxy Set-up for Firefox
Opera Users - Tools> Preferences> Advanced> Network> Proxy Servers, see image. E:\Images\CapturedScreenPrint\Opera-WS-Proxy-Settings.gif
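The avast4.ini step in the post above (back the file up, then either delete the `ZoneAlarmCompatibility=` line so avast asks again, or set it to `=0`) is easy to get wrong in a text editor. As an added example, not code from this thread or from Alwil/avast, here is a small script that makes that one change safely. The `[WebScanner]` section name and the neighbouring keys in the sample INI are hypothetical; the only thing the script relies on is the `ZoneAlarmCompatibility=` key the post names. It works on bytes so Windows CRLF line endings survive the round trip, and it writes a `.bak` copy before touching the file.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Matches the key the post tells you to edit, wherever it sits in the file.
COMPAT_RE = re.compile(r"^\s*ZoneAlarmCompatibility\s*=", re.IGNORECASE)

# Constructed sample INI; the section and the other keys are hypothetical.
SAMPLE_INI = "[WebScanner]\r\nEnabled=1\r\nZoneAlarmCompatibility=1\r\nIgnoreHttpAddresses=\r\n"


def reset_zonealarm_compat(ini_text, mode="delete"):
    """Return (new_text, changed).

    mode="delete": drop the line so avast re-asks the compatibility question.
    mode="zero":   rewrite it as ZoneAlarmCompatibility=0.
    Line endings of the original file are preserved.
    """
    if mode not in ("delete", "zero"):
        raise ValueError("mode must be 'delete' or 'zero'")
    out, changed = [], False
    for line in ini_text.splitlines(keepends=True):
        if COMPAT_RE.match(line):
            changed = True
            if mode == "delete":
                continue
            ending = line[len(line.rstrip("\r\n")):]   # keep "\r\n" or "\n"
            line = "ZoneAlarmCompatibility=0" + ending
        out.append(line)
    return "".join(out), changed


def fix_avast_ini(path, mode="delete"):
    """Back up <path> to <path>.bak, apply the edit, return whether anything changed."""
    p = Path(path)
    shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))   # copy first, as the post advises
    text = p.read_bytes().decode("latin-1")              # bytes round trip keeps CRLF intact
    new_text, changed = reset_zonealarm_compat(text, mode)
    if changed:
        p.write_bytes(new_text.encode("latin-1"))
    return changed


def demo(mode="delete"):
    """Run fix_avast_ini on a throwaway copy of SAMPLE_INI; returns (changed, backup_intact, result)."""
    with tempfile.TemporaryDirectory() as d:
        ini = Path(d) / "avast4.ini"
        ini.write_bytes(SAMPLE_INI.encode("latin-1"))
        changed = fix_avast_ini(ini, mode=mode)
        backup_intact = (Path(d) / "avast4.ini.bak").read_bytes() == SAMPLE_INI.encode("latin-1")
        return changed, backup_intact, ini.read_bytes().decode("latin-1")


if __name__ == "__main__":
    # On a real system you would pass the path the post gives:
    # C:\Program Files\Alwil Software\Avast4\DATA\avast4.ini
    print(demo())
```

`demo()` exercises the whole path on a temporary file; to use it for real, call `fix_avast_ini` with the installation path from the post and then answer NO when avast asks the compatibility question again.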

I d/l’d the trial Pro version. Switched to the free version and the problem is fixed. Thanks again.

You’re welcome.

Hi Klum:

Regarding “Bonjour/mDNSResponder”: would recommend you read the info at www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ to read WHAT this does and removal instructions, IF interested!?

Based on the “Comments” on that site, an unnecessary “port” is opened on your computer that malware could come through.

Edit : More Info is in the Post i wrote at http://forum.avast.com/index.php?topic=39186.msg328959;topicseen#msg328959 .