
Is this Zlob?



dlmillar
2007-09-22, 21:13
Hi All,

I am a newbie to spybot search & destroy but have visited the page several times today in an effort to rid myself of a malware infection. I have found the information here useful, and having made some headway, have felt compelled to join the discussion fora and report my experiences.

The behaviour of my infection seems to be similar to that posted by hands1 in this forum (search for: Zlob codec) in that the same entry exists for the hijacked IE6 home page (see 3, below).

The symptoms are as follows:
1) Irregular behaviour following an invitation to download and install a new video codec.
2) Desktop wallpaper replacement. This is shown as sdw_wall in the list of possible wallpapers accessible through Display Properties | Desktop. The new desktop wallpaper provides a message advising me that my computer is infected. Resetting the wallpaper to your original results in a subsequent 'automatic' reset to the offending message around 10 seconds later.
3) Hijack of IE6 home page. It is reset to:
http://safe-strip-download.com
4) Several unexpected startups of IE6, pointing to the page above.
5) Creation of a new folder within the program files folder which is called: c:\Program Files\WinMsg
6) This folder contains 3 files:
SW_CONFIG.INI
SWARE.EXE
WALL.BIN
7) SWARE.EXE appears as a new process under the Windows Task Manager.

I have tried several virus/spyware scanners (none of which detected the infection):

Norton Antivirus Corporate Edition
PC Tools Spyware Doctor
Spybot - Search & Destroy
AVG Anti-Spyware 7.5

I also uploaded SWARE.EXE and WALL.BIN to Jotti's online malware scanner and both files passed all tests.

I am about to search my registry for references to these files and attempt a manual disinfection. I will post a further message providing information on these results. At present, this is not a request for help, but could be later on!

dlmillar
2007-09-22, 21:56
This was my solution:

1) Kill the SWARE.EXE process from the process list in Windows Task Manager.

2) Rename the folder
c:\Program Files\WinMsg to
c:\Program Files\WinMsg1

3) Restart

4) Search the registry via RegEdit and remove the reference to SWARE.EXE in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

All appears to be well.

Does anyone want copies of the files in the WinMsg folder for infection tracking? I've spent pretty much the whole day today tracking this one down and fixing.
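A check for the indicators described in this thread, added here as an example and not part of dlmillar's posts. It assumes PowerShell 4 or later (for Get-FileHash); the folder, file names, process name, Run key and home-page URL are the ones quoted above, and the script only reports what it finds and changes nothing.

```powershell
# Added example (not from the original post): look for the indicators the
# thread describes and report them. Nothing on the host is modified.

$Findings = @()

# 5/6) The dropped folder and its three files under Program Files
$WinMsgDir = Join-Path $env:ProgramFiles 'WinMsg'
if (Test-Path $WinMsgDir) {
    $Findings += "Folder present: $WinMsgDir"
    foreach ($f in 'SW_CONFIG.INI', 'SWARE.EXE', 'WALL.BIN') {
        $p = Join-Path $WinMsgDir $f
        if (Test-Path $p) {
            # Hash each file so it can be submitted to a scanner or compared later
            $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
            $Findings += "  File: $f  SHA256=$hash"
        }
    }
}

# 7) The running process seen in Task Manager
$proc = Get-Process -Name 'SWARE' -ErrorAction SilentlyContinue
if ($proc) { $Findings += "Process running: SWARE.EXE (PID $($proc.Id -join ','))" }

# Step 4 of the fix: a Run value that launches SWARE.EXE at logon
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'SWARE\.EXE') {
            $Findings += "Run value '$($prop.Name)' -> $($prop.Value)"
        }
    }
}

# 3) IE home page hijack (per-user setting)
$IEMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$start = (Get-ItemProperty -Path $IEMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $start -match 'safe-strip-download\.com') {
    $Findings += "IE Start Page set to: $start"
}

if ($Findings.Count -eq 0) { 'No indicators from the thread found.' }
else { 'Indicators found:'; $Findings }
```

Run it from an elevated prompt so the HKLM Run key and Program Files are readable; the hashes it prints are what you would submit to an online scanner such as the one mentioned in the first post.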