
Thread: Please help S&D found trojan zlob.downloader.rid

  1. #11
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi

    My computer is running faster now, so it seems. I am not having any other issues.
    Very good

    Scan type: Quick Scan
    Objects scanned: 1
    Time elapsed: 12 second(s)
    Something not quite right here from the header portion of the MBAM log, it appears only one object was scanned. We will run another scan again shortly.

    Backup the Registry:

    Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
    • Please go here and download ERUNT.
    • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
    • Right click on erunt-setup and select Run as Administrator to Install ERUNT by following the prompts.
    • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
    • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
    • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
    • Make sure that at least the first two check boxes are selected.
    • Click on OK
    • Then click on YES to create the folder.
    Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

    Next:

    Please download OTM to your Desktop.
    • Right-click OTM and select Run as Administrator to start the program.
    • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\Windows\isRS-000.tmp
    C:\ProgramData\Lavasoft
    C:\Program Files\BitTorrent
    C:\Windows\tasks\Ad-Aware Update (Weekly).job
    C:\Windows\tasks\User_Feed_Synchronization-{79361395-0D53-497C-8192-6F5E25754E66}.job
    C:\Windows\tasks\User_Feed_Synchronization-{CAACC397-F4F0-48C7-8319-F29547275CAE}.job
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [-HKEY_CLASSES_ROOT\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"=-
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Program Files\BitTorrent\bittorrent.exe"=-
    
    :Commands
    [EmptyTemp]
    [Reboot]
    • Return to OTM, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
    • Then click the red MoveIt! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.

    Repair File Extensions:

    Download System Repair Engineer

    Scroll down to System Repair Engineer 2.7.1.1261 and click on the Local Download button to do so.
    • Extract it to Desktop and right-click SREng.exe and select Run as Administrator.
    • Select System Repair from the left pane.
    • Click on File Association
    • Select all entries that have an Error status and click [Repair]
    • Refer to this image for an example:

    • Close SREng now.


    Malwarebytes Anti-Malware:

    Note: Remember to right click MBAM and select Run As Administrator

    • Launch the application, Check for Updates >> Perform a Quick Scan
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

    When completed the above, please post back the following:
    • Inform myself how your computer is running. Any problems encountered and or further symptoms?
    • OTM Log.
    • Malwarebytes Anti-Malware Log.
    • A new RSIT Log.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  2. #12
    Junior Member
    Join Date
    Jul 2009
    Posts
    10

    Default

    Ok, I downloaded this but I am having issues with the following

    "Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish."

    It will not allow me to say no; it says that I have to put in a file location. Thoughts?

    ButterflyBrooke

  3. #13
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi

    OK re-download the erunt-setup.exe file and try again please.

    Make sure to right-click on the setup file and run in admin mode. If unable to install per the instructions for some reason, what you mentioned will be acceptable and we can remove the start-up at a later date.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  4. #14
    Junior Member
    Join Date
    Jul 2009
    Posts
    10

    Question

    Ok, the ERDNT froze up; it just said it was not responding. I couldn't do anything so I had to turn off the computer. When I turned it back on it was blue. It did that twice, and finally I was able to bring it up, but it had this error message in a box


    Unable to create file:
    C:\\Windows\ERDNT\AutoBackup\8-2-2009\ERDNT.INF
    Registry backup will continue, but no restore information for the ERDT program will be saved. This means that later restoration of the registry can only be done manually, by using another OS to back up the files.

  5. #15
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi

    OK what you posted indicates to myself that the Registry on your computer is corrupted/damaged. It is entirely feasible that the Vista RegBack folder is compromised also and we may be unable to make use of the 6 files in the aforementioned folder but no harm trying.

    We will need the Windows Vista DVD that came with your computer to do as follows.

    Repair Vista Registry:

    • Boot up your computer from the Vista DVD.
    • If not sure how to, a very good tutorial can be read here
    • You will have to answer a few basic questions then select the option Repair your computer
    • At the System Recovery Options screen click Windows Vista to highlight then Next>
    • Now click on/select Command Prompt
    • At the Command Prompt type in the following exactly:-

      CD C:\Windows\System32\Config

    • and hit the Enter key, now type in:-

      REN system system.old

    • and hit the Enter key, now type in:-

      COPY C:\Windows\System32\config\RegBack\System

    • Now remove your Windows Vista DVD from the CD Drive, now type in:-

      Exit

    • Hit the Enter key, back at the System Recovery Options screen click Restart and your computer should boot-up as normal.


    Let myself know the outcome and or if any problems encountered, thank you.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
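
The post above notes that the RegBack copy may itself be damaged. As an added example (not part of the thread, and not code from any tool named in it), this sketch checks the header of a registry hive file before it is trusted as a replacement; it assumes a copy of the hive is examined on a machine with Python, and the names `check_hive` and `make_sample_hive` are hypothetical.

```python
import struct

BASE_BLOCK = 4096  # size of the hive base block; hive bins follow it

def base_block_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords (508 bytes) of the base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1

def check_hive(data: bytes) -> list:
    """Return the problems found in a hive image; an empty list means the header looks sane."""
    if len(data) < BASE_BLOCK:
        return ["shorter than the 4096-byte base block (empty or truncated)"]
    problems = []
    if data[:4] != b"regf":
        problems.append("missing 'regf' signature")
    primary, secondary = struct.unpack_from("<II", data, 4)
    if primary != secondary:
        problems.append("sequence numbers differ: last write did not complete")
    if struct.unpack_from("<I", data, 0x1FC)[0] != base_block_checksum(data):
        problems.append("base block checksum mismatch")
    bins_size = struct.unpack_from("<I", data, 0x28)[0]
    if bins_size == 0 or len(data) < BASE_BLOCK + bins_size:
        problems.append("hive bins data is missing or truncated")
    elif data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin lacks 'hbin' signature")
    return problems

def make_sample_hive(primary=7, secondary=7, bins_size=4096) -> bytes:
    """Constructed sample: a minimal header plus one empty bin, not a real hive."""
    block = bytearray(BASE_BLOCK)
    block[:4] = b"regf"
    struct.pack_into("<II", block, 4, primary, secondary)
    struct.pack_into("<I", block, 0x28, bins_size)
    struct.pack_into("<I", block, 0x1FC, base_block_checksum(bytes(block)))
    return bytes(block) + b"hbin" + bytes(bins_size - 4)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. a copy of the RegBack System file
        with open(path, "rb") as fh:
            print(path, check_hive(fh.read()) or "header OK")
```

A clean result only shows that the header and first bin are structurally intact; it does not prove the hive's contents are free of unwanted entries.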

  6. #16
    Junior Member
    Join Date
    Jul 2009
    Posts
    10

    Default

    Hi

    Sorry it has taken me a few days, I moved a month ago and just today found the box with my original CD for the computer but only found my paperwork for the HP Vista, anything else I can do without the original CD? I have no idea where else it could be?

  7. #17
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi

    Sorry it has taken me a few days, I moved a month ago and just today found the box with my original CD for the computer but only found my paperwork for the HP Vista, anything else I can do without the original CD? I have no idea where else it could be?
    Not a problem.

    OK we do need to use the Vista DVD, so hopefully you will be able to locate it and or borrow one from a friend maybe?

    One other alternative is to create a Recovery Disk to use instead. However we cannot use your own computer as a source for obvious reasons. Plus all I seem to be able to locate so far is torrents and I certainly do not want you to download one of them, otherwise the potential for re-infecting your computer is too grave a risk. So both these avenues are definitely a no go area.

    Try your best to find the DVD and or borrow one. You may be able to have another Vista DVD sent if you kept proof of purchase etc from when you originally acquired the PC but that depends on where/whom you actually purchased from.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  8. #18
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Hi

    Do you still require assistance?
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.

  9. #19
    Security Expert-Emeritus Dakeyras's Avatar
    Join Date
    Sep 2008
    Location
    The Tundra
    Posts
    1,173

    Default

    Due to the lack of feedback this Topic is closed.

    If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
    Mammuthus Hibernian Scouserus, member of ASAP and UNITE.
