zlob virus

Does anyone know a good fix for the zlob virus. I know there are many variants but this is nasty to say the least. Even after wiping the hard drive…it is still there. Yikes.

And…my system restore is turned off.

Avast finds this:

;******
;Avast! Antivirus U3 Edition
;VPS file version: January 24, 2007 - [0706-1]
;Params: C:\ Scan: Full files, All files, Ignore targeting, Archive: ARJ, MIME, EXE, ZIP, Stream, RAR, CAB, GZ, TAR,
;Columns: File name Status [OK,INFECTED,ERROR]
;******
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck1.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt11.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt12.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt13.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt21.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt22.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt23.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt31.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt32.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt33.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt41.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt42.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt43.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt51.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt52.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt53.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt61.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt62.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp ERROR: Archive is password protected.
;--------------------------
;Files: 60359
;Folders: 1379
;Files size: 2648709331
;Infected files: 0
;--------------------------
;******
;End of scan

I “deleted” these items and have even uninstalled Ad-Aware, to no avail. I have run smitfraud.exe to clean the registry. Before I did that, the above file was logging Zlob in Ad-Aware when Avast was finished.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:21 AM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Application Data\U3\0000060510096701\LaunchPad.exe
C:\Documents and Settings\Administrator\Application Data\U3\0000060510096701\1F30627F-0195-44d4-8C24-1999F3C02C50\Exec\AvastU3.exe
C:\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

Thanks in advance.

Files tagged as ‘ERROR: Archive is password protected’ aren’t infected. They’re password protected, and avast can’t handle a password protected archive (nor can any other antivirus: it would need to know the password to open and scan the file).
They’re clean files from Lavasoft, which protects its archive files with a password.
Look at the bottom of the log: Infected files: 0
Why do you think you’re still infected?
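The point of the reply above is that an avast! report mixes two very different statuses: INFECTED (a detection) and ERROR (a file avast could not open, so it was never scanned). The following Python snippet is an added example, not part of this thread or of avast!; it parses a report in the layout shown above (';' metadata lines, then "path STATUS[: detail]" lines), separates the two statuses and checks the footer's "Infected files" count against the listed INFECTED lines. The sample report and the detection name in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the avast! report above: ';' lines are
# metadata, every other line is "<path> <STATUS>[: <detail>]". The detection
# name on the INFECTED line is made up for this example.
SAMPLE_LOG = r"""
;Columns: File name Status [OK,INFECTED,ERROR]
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp ERROR: Archive is password protected.
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp ERROR: Archive is password protected.
C:\Documents and Settings\User\Local Settings\Temp\sample.exe INFECTED: Win32:Example-Trojan [Trj]
;--------------------------
;Files: 3
;Infected files: 1
;End of scan
"""

# Path (may contain spaces), then the status token, then an optional ": detail".
LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<status>OK|INFECTED|ERROR)(?::\s*(?P<detail>.*))?$")
META_RE = re.compile(r"^;(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_avast_report(text):
    """Split a report into (path, status, detail) entries and the ';key: value' metadata."""
    entries, meta = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            m = META_RE.match(line)
            if m:
                meta[m.group("key").strip()] = m.group("value").strip()
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("path"), m.group("status"), m.group("detail") or ""))
    return entries, meta


def triage(text):
    """Separate real detections (INFECTED) from files avast could not open (ERROR),
    and check the footer's 'Infected files' count against the INFECTED lines."""
    entries, meta = parse_avast_report(text)
    infected = [p for p, s, _ in entries if s == "INFECTED"]
    reasons = Counter(d for _, s, d in entries if s == "ERROR")
    reported = int(meta.get("Infected files", "0"))
    return {
        "infected": infected,                 # paths that need attention
        "unscanned": sum(reasons.values()),   # files never scanned, not detections
        "unscanned_reasons": dict(reasons),
        "footer_infected": reported,
        "consistent": reported == len(infected),
    }
```

Run against the report in the first post, every listed line is an ERROR and the footer says 0 infected, so `triage` returns an empty `infected` list with `consistent` True; only the `unscanned` count tells you how many files were skipped.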

The Zlob Trojan usually installs some sort of scam anti-spyware software.

SmitFraudFix seems to be updated more often than SmitRem.

http://siri.geekstogo.com/SmitfraudFix.php

Rogue remover is also worth a try.

http://www.malwarebytes.org/rogueremover.php

Finding signs of malware in Ad-Aware temp files may just be a detection by avast! of Ad-Aware’s virus signatures. I think I remember seeing something mentioned about this on the forum. I’ll see if I can find it…

See here for example:

http://forum.avast.com/index.php?topic=25173.0

Hi Dallas:

Zlob is NOT a virus; it is best handled by experienced, trained, volunteer malware experts, usually found on anti-spyware support forums such as the Ad-Aware oriented one at www.landzdown.com or the Spybot one at http://forums.spybot.info.

My bad, Zlob trojan. I got it fixed, I hope. The reason I knew I was infected was the way my mouse was hesitating, making me pick it up and shake it, lol. Plus every time I cleaned my temp files they were bigger than normal in my Mozilla profile folder.

Now, it did jam something in Ad-Aware: as I stated before, Avast was finding the errors in Ad-Aware, and the zip files were named with something like zlobactivexobject (about a half dozen files). Now I am getting a clean call from Avast, no Ad-Aware alerts.

I used several rootkit detection and removal tools since last night and slowly, little by little, have driven all the bad files out…it appears.

Thanks everyone for the input.