
Having problems with Trojan.Zlob, please help!!

My Norton antivirus keeps finding the Trojan.Zlob virus. Also, my AVG virus scanner has found two Trojan.Zlob.AFD in files as well. This computer is in German, to make things worse, but we will ignore that for now. So please help me if you can.

Comments

  • edited June 2006
    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
  • edited June 2006
    My antivirus did detect something. It said that it detected getpath.vbs. Is this safe?
  • edited June 2006
    Here is my SmitFraud thing. Sorry about the lack of trust. I ran the SmitfraudFix and it found that winitit down at the bottom. I ran this in normal mode. The earlier post worried me because I couldn't read it, because it was in German.

    SmitFraudFix v2.64

    Scan done at 9:53:45.78, Fri 06/23/2006
    Run from C:\Dokumente und Einstellungen\Anke\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\Anke\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Die derzeitige Homepage"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • edited June 2006
    I noticed you posted a duplicate thread:
    http://www.short-media.com/forum/showthread.php?t=47447
    I have notified a moderator to close it. Please keep to this thread for your current malware problems.



    It seems that the zlob infection is not present, or it has been quarantined. Please launch HijackThis and place a checkmark by the following entries:
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
    O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.pussyharem.com/stream/mmp.cab

    Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.


    * Clean your Cache and Cookies in IE:
    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Click the "Delete Cookies" button
    • Next to it, Click the "Delete Files" button
    • When prompted, place a check in: "Delete all offline content", click OK
    * Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
    • Go to Tools > Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.
    * Clean other Temporary files + Recycle bin
    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.



    Now please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
    Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
    • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
    • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
    • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.
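The HijackThis entries the helper asked to fix above are the kind a log reviewer checks by hand: O2/O3 entries whose backing file is gone ("(no file)") and O16 DPF entries that pulled an ActiveX control from an arbitrary web host. The script below, an added example by the editor and not code from the thread or from HijackThis, automates that first pass over HijackThis log lines. It assumes nothing about the original post beyond the three entries quoted there; the constructed SAMPLE_LOG reuses those entries with the CAB download host replaced by a placeholder, and adds two made-up lines (an O4 Run entry and an O16 entry with a placeholder CLSID fetched from a microsoft.com host) so the filter has something to leave alone.

```python
"""Triage helper for HijackThis log lines (added example, not from the thread).

Assumptions not taken from the original post: the classification rules below are
the editor's own, the SAMPLE_LOG is constructed (the three flagged entries come
from the thread, with the download host replaced by a placeholder; the O4 line
and the second O16 line, including its CLSID, are made up for illustration).
"""
import re
from dataclasses import dataclass

# "O2 - BHO: <name> - {CLSID} - <path or (no file)>"  /  "O3 - Toolbar: ..."
BHO_TOOLBAR_RE = re.compile(
    r"^(?P<section>O2|O3) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# "O16 - DPF: {CLSID} (<name>) - <url>"   (Downloaded Program Files = ActiveX)
DPF_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>.*?)\) - (?P<url>\S+)$"
)
# Hosts from which a DPF entry is considered expected (editor's assumption).
TRUSTED_DPF_HOST_RE = re.compile(r"^https?://[^/]*\.microsoft\.com/", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    clsid: str     # the entry's CLSID, useful for a registry follow-up
    reason: str    # why a reviewer should look at it


def triage_line(line: str):
    """Return a Finding for an entry worth reviewing, or None if it is not flagged."""
    line = line.strip()
    m = BHO_TOOLBAR_RE.match(line)
    if m:
        # A BHO/toolbar registration whose DLL no longer exists is an orphaned
        # registry entry: harmless by itself, but it is residue worth removing.
        if m.group("target").strip().lower() == "(no file)":
            return Finding(m.group("section"), m.group("clsid"),
                           f"{m.group('kind')} registered but no file on disk (orphaned entry)")
        return None
    m = DPF_RE.match(line)
    if m and not TRUSTED_DPF_HOST_RE.match(m.group("url")):
        return Finding("O16", m.group("clsid"),
                       f"ActiveX control '{m.group('name')}' fetched from {m.group('url')}")
    return None


def triage_log(text: str):
    """Run triage_line over every line of a log and return the flagged entries."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample log (see module docstring for what is real and what is not).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O4 - HKLM\\..\\Run: [AVG] C:\\Programme\\Grisoft\\AVG\\avgcc.exe /STARTUP
O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://stream.example.invalid/stream/mmp.cab
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Placeholder Update Control) - http://update.microsoft.com/placeholder/wuweb_site.cab
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section} {f.clsid}: {f.reason}")
```

Running it prints the same three entries the helper listed and nothing else; the remaining judgement (whether a flagged DPF source is legitimate) still belongs to the reviewer.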
  • edited June 2006
    Here is my problem. I followed all the steps. Once I got to the Kaspersky, it would not delete the virus. It wouldn't allow me to select them. I don't know why it didn't, because I use Kaspersky at my home all of the time. I followed all other instructions. Oh, and the virus scanner found 1 virus with 4 infected files. Should I go in and delete them by hand? The infected files were volume information. Now the virus has become something new. I think that Zlob is gone. Here is the new virus that it says is in here: Trojan-Downloader.Win32.IstBar.nn
  • edited June 2006
    Please post the entire log here, so I can see exactly where the file paths are.
  • edited June 2006

    KASPERSKY ON-LINE SCANNER REPORT
    Friday, June 23, 2006 9:13:22 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 23/06/2006
    Kaspersky Anti-Virus database records: 190198

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 71870
    Number of viruses found: 1
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 00:57:43

    Infected Object Name / Virus Name / Last Action
    C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe/stream/data0004 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
    C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe/stream Infected: Trojan-Downloader.Win32.IstBar.nn skipped
    C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe UPX: infected - 2 skipped

    Scan process completed.

    I wish to thank you for all of your trouble. You have been awesome.
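The helper's reading of this report (the next post) rests on one detail: all four detections sit under C:\System Volume Information\_restore{...}, i.e. inside System Restore snapshots, not in a live location. The parser below is an added example by the editor, not code from the thread or from Kaspersky; it reads the "Infected Object Name / Virus Name / Last Action" table of the report format quoted above and splits detections into restore-point remnants and live files. The constructed SAMPLE_REPORT reuses the four lines from the thread and adds one made-up live-path detection (placeholder file and detection name) so the split is visible; its "Number of infected objects" header is set to 5 to match.

```python
"""Parse a Kaspersky On-line Scanner report and separate live infections from
System Restore remnants (added example, not part of the thread).

Assumptions not taken from the original post: the record layout is inferred from
the log quoted in the thread; the rule that any object under
\\System Volume Information\\_restore{...} is a restore-point copy is the editor's;
SAMPLE_REPORT is constructed (four lines from the thread plus one made-up line).
"""
import re
from dataclasses import dataclass

# "<object> Infected: <name> <action>"   or   "<object> <packer>: infected - <n> <action>"
RECORD_RE = re.compile(
    r"^(?P<object>[A-Za-z]:\\.*?)\s+"
    r"(?:Infected: (?P<virus>\S+)|(?P<packer>\w+): infected - (?P<count>\d+))\s+"
    r"(?P<action>\w+)$"
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
INFECTED_COUNT_RE = re.compile(r"^Number of infected objects:\s*(\d+)$", re.MULTILINE)


@dataclass
class Detection:
    obj: str               # scanned object, including any nested stream path
    virus: str             # detection name, or "<packer> (nested: n)" for packer summaries
    action: str            # scanner's last action, e.g. "skipped"
    in_restore_point: bool # True when the object lives in a System Restore snapshot


def parse_report(text: str):
    """Return the Detection records found in the report's infected-object table."""
    detections, in_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Infected Object Name"):
            in_table = True          # everything after this header is a record
            continue
        if not in_table or not line or line.startswith("Scan process completed"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                 # unknown line shape: skip rather than guess
        virus = m.group("virus") or f"{m.group('packer')} (nested: {m.group('count')})"
        detections.append(Detection(m.group("object"), virus, m.group("action"),
                                    bool(RESTORE_RE.search(m.group("object")))))
    return detections


def reported_infected_count(text: str):
    """The count the scanner itself reports in its statistics block (None if absent)."""
    m = INFECTED_COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def summarize(detections):
    """Split detections into live-path hits and restore-point remnants."""
    return {
        "live": [d for d in detections if not d.in_restore_point],
        "restore_point": [d for d in detections if d.in_restore_point],
    }


# Constructed sample: the four real lines from the thread plus one made-up live hit.
SAMPLE_REPORT = r"""
KASPERSKY ON-LINE SCANNER REPORT
Scan Statistics:
Total number of scanned objects: 71870
Number of viruses found: 1
Number of infected objects: 5
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe/stream/data0004 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe/stream Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B5D457D4-C6A3-462F-9034-2FC950B89028}\RP11\A0000835.exe UPX: infected - 2 skipped
C:\WINDOWS\system32\placeholder_constructed.dll Infected: Example-Detection.constructed skipped

Scan process completed.
"""

if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    s = summarize(dets)
    print(f"parsed {len(dets)} records, scanner reported {reported_infected_count(SAMPLE_REPORT)}")
    print(f"live: {len(s['live'])}, restore-point remnants: {len(s['restore_point'])}")
    for d in s["live"]:
        print("LIVE:", d.obj, d.virus, d.action)
```

On the thread's real report the "live" list is empty, which is exactly the basis for the "clean except for System Restore remnants" verdict; the extra constructed line shows what a hit outside the restore area would look like. Comparing the parsed count against the scanner's own "Number of infected objects" catches a table the parser misread.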
  • edited June 2006
    Congratulations! Your computer appears clean, except for the harmless remnants in System Restore. We will clear them now.


    Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply. When you are warned that all existing Restore Points will be deleted, click Yes to continue. All system restore points are deleted.

    Now you should manually create a restore point. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore. Click Create a Restore Point, and then click Next. Name your restore point. (I use the date as well as a descriptive term such as "Clean system.")



    Here are a number of recommendations for additional protection to help prevent any malware infections in the future. These few simple steps can stave off the vast majority of spyware problems.

    You may have already taken some of these steps:
    1. Watch what you download!
    Do not download just anything you see on the web. Some may have spyware bundled into them.

    2. Try not to use peer-to-peer programs.
    P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious; they come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

    3. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    We recommend checking for Windows updates monthly.

    4. Adjust your security settings for ActiveX:
    Go to Internet Options/Security/Internet, press 'default level', then OK.
    Now press "Custom Level."
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".

    So why is ActiveX so dangerous that you have to increase the security for it?
    When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an .exe file on your hard drive.
    Would you run just any random file downloaded off a web site without knowing what it is and what it does?

    5. Download and install the following free programs:
    a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
    Periodically check for updates.

    6. Keep your antivirus software up to date. If you don't have one, I recommend the free AVG.

    7. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm.
    A tutorial on understanding and using firewalls may be found here

    8. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.


    9. You might consider installing Mozilla / Firefox, which is much safer than Internet Explorer.
    http://www.mozilla.org/

    10. Install spyware detection and removal programs:
    Ad-aware: http://www.snapfiles.com/get/adaware.html
    Spybot S&D:
    http://www.safer-networking.org
    Use these programs to regularly scan your system for and remove many forms of spyware/malware.

    11. Microsoft now offers their own anti-spyware product. Windows® Defender (Beta 2) improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC. This is a BETA for XP/2000 only.

    12. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
    If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

    Let us know if we have not resolved your problem. Otherwise, you are good to go.
    Happy and Safe Surfing! :D
  • edited June 2006
    Dude, y'all are awesome. Thank you so much. I had trouble finding the restore shutoff, but that is because the German version of Microsoft is set up a little different. This one doesn't even have a My Computer on the desktop. Anyway, thank you so much for your help. I did find the shutoff after a while. I just had to translate everything. I have actually downloaded AVG along with Norton and Ewido. Norton doesn't like to let other programs back in. See ya