
Thread: Dowwner.Zlob

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    5

    Default Dowwner.Zlob

    Howzit everyone,

    All right, got this thing; my own fault, hey, it happens. So I have followed the tute and I think we are all good. Here are the requested logs.


    SmitFraudFix v2.110

    Scan done at 15:08:18.62, Thu 19/10/2006
    Run from C:\Documents and Settings\Big Kev\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\Program Files\VideosCodec\ Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

  2. #2
    Junior Member
    Join Date
    Oct 2006
    Posts
    5

    Default

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:54:50 PM 19/10/2006

    + Scan result:



    HKU\S-1-5-21-1659004503-413027322-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44D22A64-2399-4EDF-8B32-F2C729C1E8A7} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).
    HKU\S-1-5-21-1659004503-413027322-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D869742A-E5D2-4624-96C7-AAE26170665E} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121210.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121211.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121212.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121221.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121222.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121223.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121240.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121241.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121242.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP443\A0121773.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP443\A0121774.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP443\A0121775.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121798.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121799.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121802.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121807.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121813.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121818.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121826.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121835.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121841.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121846.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121852.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP445\A0121855.exe -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP446\A0121881.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP447\A0121927.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP448\A0121929.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP448\A0121951.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    C:\hijack this\backups\backup-20061019-140208-632.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
    :mozilla.102:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
    :mozilla.14:C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\fjh267md.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.20:C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\fjh267md.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.30:C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\fjh267md.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.31:C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\fjh267md.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.637:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.41:C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\fjh267md.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.413:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.414:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.415:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.416:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.417:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.94:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.21:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.453:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.36:C:\Documents and Settings\Fran\Application Data\Mozilla\Firefox\Profiles\fjh267md.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end

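    The report above is easier to act on once the hits are bucketed by where they live: a Zlob DLL in a System Restore point or in the HijackThis backup folder is a dormant copy, not a running infection, and tracking cookies are noise. The script below is an added example (not part of the original thread or of AVG Anti-Spyware) that parses the report's "path -> detection : action" lines and produces that triage. The sample input is a constructed subset of the lines posted above plus one hypothetical line (hypothetical.dll under system32, not in the real report) so the "live file" case is exercised.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the AVG Anti-Spyware report above, plus ONE
# hypothetical line (hypothetical.dll under system32, NOT from the report) so that the
# "live file" branch is exercised. Same "<path> -> <detection> : <action>." layout as the report.
SAMPLE_REPORT = r"""
+ Scan result:

HKU\S-1-5-21-1659004503-413027322-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44D22A64-2399-4EDF-8B32-F2C729C1E8A7} -> Adware.HQVideoCodec : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP439\A0121210.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F0B9574C-33BC-467B-90E1-D7F4ADB79857}\RP448\A0121951.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
C:\hijack this\backups\backup-20061019-140208-632.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\Big Kev\Application Data\Mozilla\Firefox\Profiles\3q42we3q.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
C:\WINDOWS\system32\hypothetical.dll -> Downloader.Zlob.apu : Cleaned with backup (quarantined).

::Report end
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+?)\.?$")
RP_RE = re.compile(r"\\(RP\d+)\\")

LIVE, RESTORE, HJT_BACKUP, COOKIE, REGISTRY = (
    "live file", "system restore point", "hijackthis backup", "browser cookie", "registry")


@dataclass
class Hit:
    path: str
    detection: str
    action: str
    location: str


def classify(path: str) -> str:
    """Bucket a hit by where it sits; only LIVE means something on the running system."""
    p = path.lower()
    if p.startswith(":mozilla."):
        return COOKIE
    if p.startswith(("hku\\", "hkcu\\", "hklm\\", "hkcr\\")):
        return REGISTRY
    if "\\system volume information\\_restore" in p:
        return RESTORE
    if "\\hijack this\\backups\\" in p:
        return HJT_BACKUP
    return LIVE


def parse_report(text: str) -> list:
    """Header/footer lines do not contain ' -> ' and are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], m["detection"], m["action"], classify(m["path"])))
    return hits


def summarize(hits) -> dict:
    rps = {RP_RE.search(h.path).group(1) for h in hits if h.location == RESTORE}
    return {
        "by_detection": Counter(h.detection for h in hits),
        "by_location": Counter(h.location for h in hits),
        "restore_points": sorted(rps, key=lambda rp: int(rp[2:])),
    }


def triage(hits) -> list:
    """Plain-language findings, one per location bucket that has hits (registry hits get none)."""
    s = summarize(hits)
    loc = s["by_location"]
    notes = []
    if loc[LIVE]:
        notes.append(f"{loc[LIVE]} hit(s) outside restore/backup/cookie areas: "
                     "the infection is still live; re-scan after a reboot")
    if s["restore_points"]:
        notes.append(f"{loc[RESTORE]} file(s) in restore point(s) {', '.join(s['restore_points'])}: "
                     "inert unless System Restore rolls back, so purge restore points once clean")
    if loc[HJT_BACKUP]:
        notes.append("HijackThis backup folder holds a copy of the detected DLL: "
                     "delete it once the fix is confirmed")
    if loc[COOKIE]:
        notes.append(f"{loc[COOKIE]} tracking cookie(s): privacy noise, not evidence of active malware")
    return notes


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for key, value in summarize(hits).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    for note in triage(hits):
        print("-", note)
```

    Run against the full report above, the "live file" bucket is empty and every Zlob hit is in a restore point or the HijackThis backup, which is why the helper's "Looks ok" is consistent with 30-odd Zlob lines in the scan.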
  3. #3
    Junior Member
    Join Date
    Oct 2006
    Posts
    5

    Default

    Logfile of HijackThis v1.99.1
    Scan saved at 9:06:31 PM, on 19/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\WINDOWS\system32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\locator.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\hijack this\HijackThis.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\alg.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wa.bigpond.net.au
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wa.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wa.bigpond.net.au
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    OK, so I think that's all. Even if all is OK, can I still get a response please?

    Many Thanks

  4. #4
    Junior Member
    Join Date
    Oct 2006
    Posts
    5

    Default

    Nudge, and the title should read Downloader.ZLOB, but hey, dodgy typing skills and no editing, oh well.

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Looks ok Supafly.
    Are there any current problems?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  6. #6
    Junior Member
    Join Date
    Oct 2006
    Posts
    5

    Default

    Thanks for the reply. Most seems OK; the system still feels sluggish, but I haven't really been using it since I cleared this up, been using the lappy. Am going to run a couple of full system checks and will let you know.

    Cheers again.

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Still ok?

    Think Prevention: Put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    How To Download and Extract the HOSTS file:
    http://www.mvps.org/winhelp2002/hosts2.htm
    Repeat that process about once or twice a month

    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
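    The hosts-file advice above works because the resolver consults the hosts file before DNS, so pointing a known ad/malware host at an unroutable address blocks it. The script below is an added example (not from the thread, not the MVPS tool) of the monthly refresh the post recommends: it merges a downloaded blocklist into the existing hosts file without touching the localhost entry, de-duplicates case-insensitively, and is idempotent so repeating it adds nothing. Both input files are constructed samples; the blocked hostnames use the reserved .invalid TLD and are hypothetical. The hosts path is the standard XP location; writing it needs administrator rights.

```python
import re
import shutil
from pathlib import Path

# Constructed sample standing in for the machine's current hosts file (stock XP layout).
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
"""

# Constructed sample of a downloaded blocklist in the "<ip> <hostname>" hosts layout.
# Hostnames are hypothetical (.invalid TLD); the real MVPS file has thousands of entries.
BLOCKLIST = """\
# blocklist sample (constructed, not the real MVPS file)
127.0.0.1 localhost
0.0.0.0 ads.example.invalid
0.0.0.0 tracker.example.invalid   # trailing comment
0.0.0.0 ADS.EXAMPLE.INVALID
127.0.0.1 codec-download.example.invalid
"""

XP_HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")  # standard location on XP
SINKHOLE = "0.0.0.0"          # unroutable: no connect-to-self delay, unlike 127.0.0.1
PROTECTED = {"localhost"}     # a blocklist must never redefine these
HOST_LINE = re.compile(r"^\s*(?P<ip>[0-9.]+)\s+(?P<name>[^\s#]+)")


def parse_hosts(text):
    """(ip, name) pairs in file order; comments and blank lines dropped, names lower-cased."""
    pairs = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            pairs.append((m["ip"], m["name"].lower()))
    return pairs


def resolves_to(hosts_text, name):
    """Emulate the resolver's hosts lookup: case-insensitive, first matching name wins."""
    wanted = name.lower()
    for ip, n in parse_hosts(hosts_text):
        if n == wanted:
            return ip
    return None


def merge_hosts(existing_text, blocklist_text):
    """Append blocklist names not already present, all pointed at SINKHOLE.
    Existing entries keep priority (first match wins), protected names are skipped,
    and a second run with the same blocklist adds nothing."""
    seen = {n for _, n in parse_hosts(existing_text)}
    added = []
    for _, n in parse_hosts(blocklist_text):
        if n in PROTECTED or n in seen:
            continue
        seen.add(n)
        added.append((SINKHOLE, n))
    out = [existing_text.rstrip("\n"), "", f"# --- merged blocklist: {len(added)} new entries ---"]
    out += [f"{ip}\t{n}" for ip, n in added]
    return "\n".join(out) + "\n", added


def install_hosts(merged_text, path=XP_HOSTS_PATH):
    """Keep a hosts.bak copy, then write the merged file. Needs admin rights on XP."""
    if path.exists():
        shutil.copy2(path, path.with_suffix(".bak"))
    path.write_text(merged_text, encoding="ascii")


if __name__ == "__main__":
    merged, added = merge_hosts(EXISTING_HOSTS, BLOCKLIST)
    print(f"added {len(added)} entries")
    for name in ("localhost", "Ads.Example.Invalid", "www.example.invalid"):
        print(f"{name:24} -> {resolves_to(merged, name)}")
```

    A practitioner caveat that the links above cover in more detail: on XP a very large hosts file can slow name resolution while the DNS Client service caches it, and the usual workaround is to stop that service. Also keep a copy of the original file, as `install_hosts` does, so a bad blocklist can be backed out.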

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,964

    Default

    This topic has been closed to prevent others with similar issues posting in it.
    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

    Applies only to the original topic starter.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
