Zlob.Downloader Problem

If you can't remove that item from your registry with the cleaner I posted for you, I have no other suggestions.

Thanks
 
Hi Shrek.

We will confer about the problem so please wait until input is gathered.

Cheers.
 
Thanks guys... Here is the LOG

Start Time= Thu 08/17/2006 0:29:15.98
Running from: C:\Documents and Settings\Jeffrey A. Porter\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2063-09-19 01:50:50 5501 ( A.... ) "C:\WINDOWS\SYSTEM32\rtclmg32.dll"
2006-08-17 00:28:36 683 ( A.... ) "C:\Combo.bat"
2006-08-09 12:03:54 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-08-09 12:03:54 ( .D... ) "C:\Documents and Settings\Jeffrey A. Porter\Application Data\PC Tools"
2006-08-08 13:20:30 ( .D... ) "C:\Program Files\LexmarkX83"
2006-08-07 03:21:04 ( .D... ) "C:\Program Files\Trend Micro"
2006-08-07 02:56:54 146432 ( A.... ) "C:\WINDOWS\regedit.exe"
2006-08-07 01:17:16 ( .D... ) "C:\Documents and Settings\Jeffrey A. Porter\Application Data\VisualZone"
2006-08-07 01:17:06 ( .D... ) "C:\Program Files\VisualZone"
2006-07-28 09:30:32 236824 ( A.... ) "C:\WINDOWS\SYSTEM32\xactengine2_3.dll"
2006-07-28 09:30:14 62744 ( A.... ) "C:\WINDOWS\SYSTEM32\xinput1_2.dll"
2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\SYSTEM32\inetcomm.dll"
2006-07-25 15:38:40 ( .D... ) "C:\Program Files\APDL"
2006-07-21 04:24:44 72704 ( A.... ) "C:\WINDOWS\SYSTEM32\hlink.dll"
2006-07-14 11:31:40 332288 ( A.... ) "C:\WINDOWS\SYSTEM32\netapi32.dll"
2006-07-13 09:33:28 8453632 ( A.... ) "C:\WINDOWS\SYSTEM32\shell32.dll"
2006-07-05 06:55:02 984064 ( A.... ) "C:\WINDOWS\SYSTEM32\kernel32.dll"
2006-06-26 13:37:10 148480 ( A.... ) "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-06-26 13:37:10 8192 ( A.... ) "C:\WINDOWS\SYSTEM32\rasadhlp.dll"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-06-19 12:53:20 10368 ( A.... ) "C:\WINDOWS\SYSTEM32\wowexec.exe"
2006-06-18 21:44:38 33280 ( A.... ) "C:\WINDOWS\SYSTEM32\rundll32.exe"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINDOWS\SYSTEM32\vsdatant.sys"
2006-06-18 17:54:26 83960 ( A.... ) "C:\WINDOWS\SYSTEM32\zlcomm.dll"
2006-06-18 17:54:26 71672 ( A.... ) "C:\WINDOWS\SYSTEM32\zlcommdb.dll"
2006-06-18 17:54:24 59384 ( A.... ) "C:\WINDOWS\SYSTEM32\vswmi.dll"
2006-06-18 17:54:22 440312 ( A.... ) "C:\WINDOWS\SYSTEM32\vsutil.dll"
2006-06-18 17:54:22 71672 ( A.... ) "C:\WINDOWS\SYSTEM32\vsregexp.dll"
2006-06-18 17:54:20 268280 ( A.... ) "C:\WINDOWS\SYSTEM32\vspubapi.dll"
2006-06-18 17:54:20 157688 ( A.... ) "C:\WINDOWS\SYSTEM32\vsinit.dll"
2006-06-18 17:54:20 104440 ( A.... ) "C:\WINDOWS\SYSTEM32\vsmonapi.dll"
2006-06-18 17:54:18 83960 ( A.... ) "C:\WINDOWS\SYSTEM32\vsdata.dll"
2006-06-17 23:51:50 ( .D... ) "C:\Program Files\Common Files\L&H"
2006-06-17 23:48:26 ( .D... ) "C:\Program Files\Common Files\Designer"
2006-06-11 13:41:24 100344 ( ..... ) "C:\WINDOWS\SYSTEM32\vsxml.dll"
2006-06-11 13:41:10 796584 ( A.... ) "C:\WINDOWS\SYSTEM32\libeay32_0.9.6l.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\SYSTEM32\xactengine2_2.dll"
2006-05-25 16:17:14 497488 ( A.... ) "C:\WINDOWS\SYSTEM32\XceedZip.dll"
2006-05-21 18:10:10 126976 ( A.... ) "C:\WINDOWS\SYSTEM32\zip.exe"
2006-05-19 08:59:42 111616 ( A.... ) "C:\WINDOWS\SYSTEM32\dhcpcsvc.dll"
2006-05-19 08:59:42 94720 ( A.... ) "C:\WINDOWS\SYSTEM32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown
 
Sorry guys... been out of town... matter of fact I will be gone for another 7 after about 5PM EST as well. But here is the latest info you wanted :) Thanks again for your help...

Start Time= 2006-08-29 1:33:44.56
Running from: C:\Documents and Settings\Jeffrey A. Porter\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2063-09-19 01:50:50 5501 ( A.... ) "C:\WINDOWS\SYSTEM32\rtclmg32.dll"
2006-08-28 23:29:38 ( .D... ) "C:\Program Files\Registry Mechanic"
2006-08-09 12:03:54 ( .D... ) "C:\Program Files\Spyware Doctor"
2006-08-09 12:03:54 ( .D... ) "C:\Documents and Settings\Jeffrey A. Porter\Application Data\PC Tools"
2006-08-08 13:20:30 ( .D... ) "C:\Program Files\LexmarkX83"
2006-08-07 03:21:04 ( .D... ) "C:\Program Files\Trend Micro"
2006-08-07 02:56:54 146432 ( A.... ) "C:\WINDOWS\regedit.exe"
2006-08-07 01:17:16 ( .D... ) "C:\Documents and Settings\Jeffrey A. Porter\Application Data\VisualZone"
2006-08-07 01:17:06 ( .D... ) "C:\Program Files\VisualZone"
2006-07-28 09:30:32 236824 ( A.... ) "C:\WINDOWS\SYSTEM32\xactengine2_3.dll"
2006-07-28 09:30:14 62744 ( A.... ) "C:\WINDOWS\SYSTEM32\xinput1_2.dll"
2006-07-27 09:24:46 679424 ( A.... ) "C:\WINDOWS\SYSTEM32\inetcomm.dll"
2006-07-25 15:38:40 ( .D... ) "C:\Program Files\APDL"
2006-07-21 04:24:44 72704 ( A.... ) "C:\WINDOWS\SYSTEM32\hlink.dll"
2006-07-14 11:31:40 332288 ( A.... ) "C:\WINDOWS\SYSTEM32\netapi32.dll"
2006-07-13 09:33:28 8453632 ( A.... ) "C:\WINDOWS\SYSTEM32\shell32.dll"
2006-07-05 06:55:02 984064 ( A.... ) "C:\WINDOWS\SYSTEM32\kernel32.dll"
2006-06-26 13:37:10 148480 ( A.... ) "C:\WINDOWS\SYSTEM32\dnsapi.dll"
2006-06-26 13:37:10 8192 ( A.... ) "C:\WINDOWS\SYSTEM32\rasadhlp.dll"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\SYSTEM32\WgaLogon.dll"
2006-06-19 12:53:20 10368 ( A.... ) "C:\WINDOWS\SYSTEM32\wowexec.exe"
2006-06-18 21:44:38 33280 ( A.... ) "C:\WINDOWS\SYSTEM32\rundll32.exe"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINDOWS\SYSTEM32\vsdatant.sys"
2006-06-18 17:54:26 83960 ( A.... ) "C:\WINDOWS\SYSTEM32\zlcomm.dll"
2006-06-18 17:54:26 71672 ( A.... ) "C:\WINDOWS\SYSTEM32\zlcommdb.dll"
2006-06-18 17:54:24 59384 ( A.... ) "C:\WINDOWS\SYSTEM32\vswmi.dll"
2006-06-18 17:54:22 440312 ( A.... ) "C:\WINDOWS\SYSTEM32\vsutil.dll"
2006-06-18 17:54:22 71672 ( A.... ) "C:\WINDOWS\SYSTEM32\vsregexp.dll"
2006-06-18 17:54:20 268280 ( A.... ) "C:\WINDOWS\SYSTEM32\vspubapi.dll"
2006-06-18 17:54:20 157688 ( A.... ) "C:\WINDOWS\SYSTEM32\vsinit.dll"
2006-06-18 17:54:20 104440 ( A.... ) "C:\WINDOWS\SYSTEM32\vsmonapi.dll"
2006-06-18 17:54:18 83960 ( A.... ) "C:\WINDOWS\SYSTEM32\vsdata.dll"
2006-06-11 13:41:24 100344 ( ..... ) "C:\WINDOWS\SYSTEM32\vsxml.dll"
2006-06-11 13:41:10 796584 ( A.... ) "C:\WINDOWS\SYSTEM32\libeay32_0.9.6l.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\SYSTEM32\xactengine2_2.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2063-09-19 01:50 5,501 C:\WINDOWS\system32\rtclmg32.dll
2006-08-28 23:29 24,576 C:\WINDOWS\system32\STKIT432.DLL
2006-08-09 15:55 62,744 C:\WINDOWS\system32\xinput1_2.dll
2006-08-09 15:55 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-08-09 15:55 236,824 C:\WINDOWS\system32\xactengine2_3.dll
2006-08-09 15:55 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-08-09 15:55 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-08-09 15:55 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-08-09 15:54 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-08-09 15:54 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-08-09 15:54 2,337,488 C:\WINDOWS\system32\d3dx9_25.dll
2006-08-09 15:54 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-08-09 15:54 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-08-09 15:54 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-08-09 15:54 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-08-09 15:54 2,222,800 C:\WINDOWS\system32\d3dx9_24.dll
2006-08-09 15:54 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-08-08 20:03 1,072,775,168 C:\hiberfil.sys
2006-08-08 13:22 299,520 C:\WINDOWS\uninst.exe
2006-08-08 13:21 86,016 C:\WINDOWS\unvise32.exe
2006-08-08 13:20 4,672 C:\WINDOWS\system32\LXASUSCI.DLL
2006-08-08 13:20 33,792 C:\WINDOWS\system32\LXASUSCI.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MoneyStartUp10.0"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"AHQInit"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"siService.exe"="\"C:\\Program Files\\Sunbelt Software\\iHateSpam\\siService.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Lexmark X83 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe"
"Lexmark X83 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"RegistryMechanic"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Disabled]
"Lexmark X83 Button Manager"="C:\\PROGRA~1\\LEXMAR~1\\AcBtnMgr_X83.exe"
"DIAGENT"="C:\\Program Files\\Creative\\SBLive\\Creative Diagnostics 2.0\\DIAGENT.EXE startup"
"nwiz"="nwiz.exe /install"
"Lexmark X83 Button Monitor"="C:\\PROGRA~1\\LEXMAR~1\\ACMonitor_X83.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\"\""
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Disabled]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveAutoRun"=dword:00000fc0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"="regperf.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kazaa"
"hkey"="HKLM"
"inimapping"="0"

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

Completion time: 2006-08-29 1:34:06.35
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-17.002915.txt
ComboFix.2006-08-29.013344.txt
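An added example, written for this thread rather than taken from it or from ComboFix: a small Python reader for the "Reg Loading Points" section of a log like the one above. It pulls out each autostart key and its values (including a hex value continued over two lines) and flags what a reviewer would want to look at first: values sitting in the policies\explorer\run key, where the "wininet.dll"="regperf.exe" entry above lives, and commands that are a bare file name with no path. The sample input is a short excerpt modelled on the log above, not the full log; function names are mine.

```python
import re

# Autostart location that the log above shows as ...\policies\explorer\run.
# It is a less common Run location than ...\currentversion\run and deserves
# a look whenever it is populated.
POLICY_RUN_SUFFIX = "\\policies\\explorer\\run"

# REGEDIT4-style value line: "name"=data  (the name may contain \" and \\ escapes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample: a short excerpt modelled on the "Reg Loading Points"
# section of the ComboFix log posted above (not the full log).
SAMPLE_LOG = r'''
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"RegistryMechanic"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveAutoRun"=dword:00000fc0

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"="regperf.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

Contents of the 'Scheduled Tasks' folder
'''


def _logical_lines(text):
    """Join .reg-style continuation lines (a trailing backslash after hex data)."""
    buf = None
    for line in text.splitlines():
        line = line.rstrip()
        if buf is not None:
            line = buf + line.strip()
            buf = None
        if line.startswith('"') and line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line


def _unescape(s):
    """Resolve the \\" and \\\\ escapes used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_loading_points(log_text):
    """Return {registry key: [(value name, raw data)]} for the 'Reg Loading Points'
    section. Raw data keeps the .reg encoding (quoted string, dword:..., hex(2):...)."""
    entries = {}
    in_section = False
    current_key = None
    for line in _logical_lines(log_text):
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            break
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            entries.setdefault(current_key, [])
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            entries[current_key].append((_unescape(m.group(1)), m.group(2)))
        # other lines (the *Note*, unbracketed key names, blank lines) are ignored
    return entries


def _command_of(raw_data):
    """The command line of a string value; None for dword/hex data or empty strings."""
    if not raw_data.startswith('"'):
        return None
    cmd = _unescape(raw_data[1:-1]).strip()
    return cmd or None


def _executable(cmd):
    """First token of a command line, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def find_suspicious(entries):
    """Flag autostart values worth a second look; returns (key, name, command, reasons)."""
    findings = []
    for key, values in entries.items():
        in_policy_run = key.lower().endswith(POLICY_RUN_SUFFIX)
        for name, raw in values:
            cmd = _command_of(raw)
            if cmd is None:
                continue
            reasons = []
            if in_policy_run:
                reasons.append("lives in policies\\explorer\\run, an autostart key rarely used by ordinary software")
            exe = _executable(cmd)
            if "\\" not in exe:
                # A bare name is found through the search path, so the file that actually
                # runs has to be located and checked. Stock entries such as Narrator.exe
                # show up here too, so this is a review flag, not a verdict.
                reasons.append(f"bare executable name '{exe}' with no path")
            if reasons:
                findings.append((key, name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for key, name, cmd, reasons in find_suspicious(parse_loading_points(SAMPLE_LOG)):
        print(f'[{key}]\n  "{name}" -> {cmd}')
        for r in reasons:
            print(f"    - {r}")
```

Run against the excerpt it reports two entries: "wininet.dll" with both reasons, and "RunNarrator" on the bare-name rule alone, which is the false positive a reviewer is expected to clear by hand; the ccApp value with its full quoted path, the hex KernelFaultCheck value and the empty RegistryMechanic value are parsed but not flagged.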
 
Launch Notepad (not WordPad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
Code:
REGEDIT4
;
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
;
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a success message, delete fixme.reg.

Let us know of any problems
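An added example in Python, mine rather than anything from the thread or from ComboFix: a dry-run reader for REGEDIT4 fix files like the one above. It reports what each line would do when merged without touching any registry: `[-KEY]` deletes the whole key and everything beneath it, `[KEY]` creates or opens it, and `"name"=-` deletes a single value (that form is a constructed second sample, not part of the posted fix). It also flags deletions aimed at a hive root or a first-level key, the kind of line worth catching before double-clicking. Function names are mine.

```python
import re

# Both header lines Regedit accepts; REGEDIT4 is the ANSI format used above.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# The fix file posted above, reproduced as sample input.
FIXME_REG = r'''REGEDIT4
;
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
;
'''

# Constructed sample (not from the thread): the "name"=- form, which removes
# one value and leaves the key in place.
VALUE_DELETE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"=-
'''


def plan_reg_file(text):
    """List the (action, key, value_name) steps a .reg file performs when merged,
    without touching any registry. Raises ValueError if the header is missing."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: expected REGEDIT4 or Version 5.00 header")
    plan, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                plan.append(("delete_key", key[1:], None))
                current = None                        # values cannot follow a deletion
            else:
                plan.append(("ensure_key", key, None))
                current = key
            continue
        if current is None:
            continue
        if line.startswith("@="):                     # the key's default value
            name, data = "(Default)", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
        plan.append(("delete_value" if data == "-" else "set_value", current, name))
    return plan


def risky_actions(plan):
    """Key deletions aimed at a hive root or a first-level key beneath it."""
    return [step for step in plan
            if step[0] == "delete_key" and len(step[1].split("\\")) <= 2]


if __name__ == "__main__":
    for reg in (FIXME_REG, VALUE_DELETE_REG):
        for action, key, name in plan_reg_file(reg):
            print(action, key, name or "")
        print("risky:", risky_actions(plan_reg_file(reg)))
```

For the posted file the plan is exactly two delete_key steps, neither of them risky; for the constructed second sample it is one ensure_key followed by one delete_value. Hex values continued over several lines are not joined here, so only their first line is recognised, which is enough for a dry run of a fix file.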
 
It was done... should I run a Spybot Search and Destroy scan?

I appreciate your help and will let you know if there are any other problems...

Thanks guys (girls)... lol
 
When you ran the reg file, did you get a success message?
Are you familiar with regedit?
If so, delete the bolded value below:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"wininet.dll"="regperf.exe"
 
I'm glad we could help.
Since the problems are solved, I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).
 
I tried to modify the registry and it says "Error: unable to modify values"...

It stops me from the modification... I ran a new S+D scan and the problem is still there...
 
If you're comfortable working in the registry:
right-click on run (the run just after explorer\policy)
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run
choose Permissions, highlight Administrator and put a check next to Allow; do that for System too. Ensure run is selected, right-click again and choose Delete.

If you're not comfortable, we can just ignore it; it is only a leftover and can cause no harm.
 
THAT DID IT.. I want to thank you and your staff for ALL the time needed to take care of this problem. Thanks again!!!!!!!! :bigthumb:
 