Zlobbed?? Again??



pfa11
2008-07-25, 15:04
Hi. Zlob infected my (other) computer a few days ago rendering it inoperable. Spybot S&D generated a bunch of (at least 50) popups warning that zlob (and others) were attempting to change registry values. I unsuccessfully re-installed XP Pro.

This is another, loaner machine, running XP Home. During an S&D scan, the scan 'froze' while displaying "Bot scan....zlob..." in S&D's footer. There were a few detected items in the list (2 were "Alexa"-related) which were successfully removed. A subsequent S&D scan again showed an Alexa. After the scan, about 4 popups appeared warning of attempted registry changes. I then d/l'ed HJThis. The HJT instructional post says I should update to Windows Svc. Pack 1 (I think). I have Windows "Auto Update" enabled and a popup is appearing prompting me to restart, but I'm afraid.

Pls. help. The machine (loaner computer) seems to be working OK now, but I will await your response. Thank you all very much. HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:44 AM, on 7/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\system32\pctspk.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe
D:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpppt] D:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] D:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {1CAC2F99-A697-4063-8E12-09E92AD7803E} (VPFrame Control) - https://guardian.ozsn.net/GUI/ActiveX/install.cab
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe

--
End of file - 2661 bytes

pfa11
2008-07-25, 15:11
PS: I did not see an "Edit" feature in my above post...

I will be leaving for work in 2 1/2 hours and will have no computer access for abt. 14 hours. Thanking the good people here in advance. I will attempt to d/l AGV and run it in the meantime.

Cheers, pfa
----------------------------
Edit:
"PS: I did not see an "Edit" feature in my above post..."


Can I edit my own posts?

In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given. However one can add a post to the thread if necessary.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Blade81
2008-08-02, 09:59
Hi

Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu, select Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer


Start hjt, do a system scan, check (if found):
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)

Close browsers and fix checked.

Reboot.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
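
The HijackThis step in the reply above (check the O9 entries marked "(file missing)") can be repeated mechanically over a saved log. This is an added example, not part of the original thread or of HijackThis; the function names are hypothetical and the sample lines are copied from the log posted in this thread.

```python
import re

# Entry lines look like: "O9 - Extra button: Related - {CLSID} - D:\path (file missing)"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

# Sample lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
D:\WINDOWS\Explorer.EXE
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - D:\WINDOWS\system32\pctspk.exe
"""

def parse_entries(log_text):
    """Return one dict per section entry; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process path, or blank line
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            # CLSIDs appear in mixed case in the log, so normalise for grouping.
            "clsid": clsid.group(0).upper() if clsid else None,
            # Text after the last " - " (the file path on O2/O9/O23 lines).
            "target": body.rsplit(" - ", 1)[-1],
            "file_missing": missing,
            "raw": line.strip(),
        })
    return entries

def orphaned(entries):
    """Group entries whose target file is gone, keyed by (section, CLSID)."""
    groups = {}
    for e in entries:
        if e["file_missing"]:
            groups.setdefault((e["section"], e["clsid"]), []).append(e["raw"])
    return groups

if __name__ == "__main__":
    for key, lines in orphaned(parse_entries(SAMPLE_LOG)).items():
        print(key, len(lines), "orphaned entries")
```

Grouping by CLSID shows that the two flagged O9 lines are the button and the Tools menu item of the same extension, both pointing at a file that no longer exists.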