System Alert!! Fake! Re: anti-vermins.com

J_D · 01-06-2007, 10:51 PM

Hi

Today my brother managed to get his computer infected. He was on the net when he was asked to install a Active X control which he unwisely did and since then his homepage was changed and was presented with numerous adds etc but also his System tray now showed a new icon which is there all the time flashing and tells him about system detected virus activity etc. the balloon info and icon are supposed to look like a Windows security centre notification, but when you click on the balloon info speech bubble you are sent to a website (www.anti-vermins.com) and are invited to download their antivirus protection, which he thankfully has not done, because on Further research this would have made his system very open to hackers etc.

Anyway I’ve spent quite a bit of time on it because it was in a bad way.

I firstly I ran his antivirus, Norton internet security scan which showed up nothing, but then my brother decided to tell me its been out of date since last June so no wonder it didn't pick anything up!!.

Because I am pretty anti Norton, I decided to get rid of his ageing 2005 version and replaced it with Kaspersky

On a full system scan with an up-to-date kaspersky antivirus, I found 47 items, here is a copy of these items: which I have deleted

Protection
----------
Total scanned: 72483
Detected: 47
Untreated: 0
Start time: 06/01/2007 19:46:51
Duration: 00:50:07

Detected
--------
Status Object
------ ------
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\isamini.exe
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\isamonitor.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\pmsngr.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\pmmon.exe//PE_Patch//UPack
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\PROGRAM FILES\VIDEO ACTIVEX OBJECT\ISADDON.DLL//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc Running module: isamonitor.exe\isamonitor.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc Running module: isamini.exe\isamini.exe
not found: Trojan program Trojan-Downloader.Win32.Zlob.awu File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019751.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.atn File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0007
deleted: Trojan program Trojan-Downloader.Win32.Zlob.awu File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0008
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022453.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022454.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022455.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjb File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022464.exe//PE_Patch.UPX//UPX//stream//data0006
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022479.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022480.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022481.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022495.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022496.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022497.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022510.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022511.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022512.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bdi File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022520.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022527.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022528.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022529.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022546.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022547.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022548.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022570.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022571.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022572.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022586.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022587.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022588.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022995.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022996.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022997.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023095.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023096.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023097.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023106.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023107.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023108.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.ask File: C:\Documents and Settings\Ray\My Documents\Download Files\keycodec.912.exe//UPX//data0007
deleted: adware not-a-virus:AdWare.Win32.Comet.ac File: C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll

After I had cleared these up I did a reboot. Everything seemed fine apart from the System tray notification thing.

I have had a look at msconfig startup files, I found nothing suspicious

I have used "BT yahoo Antispy" (it was on the system already so I might as well give it a go
That found the following:

I am currently scanning with Windows Defender. This has detected Zlob.

So far everything is back normal apart from the system tray notification icon see image:

I really don’t know how to get rid of that could anyone please help
Cheers

Additional info about problem that I have found:
http://www.daniweb.com/techtalkforums/thread66091.html

**Buzz1927** · 01-06-2007, 10:55 PM

Let's have a look at what's left on the machine.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

J_D · 01-07-2007, 12:19 PM

Hi

Thanks Buzz

Here is the report from SmitFraudFix

SmitFraudFix v2.132

Scan done at 11:16:24.68, 07/01/2007
Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ray\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Video ActiveX Object\ FOUND !
C:\Program Files\VideoKeyCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c238 7-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

**Buzz1927** · 01-07-2007, 12:21 PM

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

J_D · 01-07-2007, 01:32 PM

Hi

Thanks Buzz it all seems clear now!!

here is the report of the clean:

SmitFraudFix v2.132

Scan done at 12:16:36.82, 07/01/2007
Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c238 7-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\gwquvw.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\gwquvw.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Video ActiveX Object\ Deleted
C:\Program Files\VideoKeyCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks again

**Buzz1927** · 01-07-2007, 01:36 PM

That did it

01-06-2007, 10:51 PM	#1 (permalink)
J_D Gold Member Join Date: Dec 2006 Location: Sussex, England Age: 20 Posts: 281	System Alert!! Fake! Re: anti-vermins.com Hi Today my brother managed to get his computer infected. He was on the net when he was asked to install a Active X control which he unwisely did and since then his homepage was changed and was presented with numerous adds etc but also his System tray now showed a new icon which is there all the time flashing and tells him about system detected virus activity etc. the balloon info and icon are supposed to look like a Windows security centre notification, but when you click on the balloon info speech bubble you are sent to a website (www.anti-vermins.com) and are invited to download their antivirus protection, which he thankfully has not done, because on Further research this would have made his system very open to hackers etc. Anyway I’ve spent quite a bit of time on it because it was in a bad way. I firstly I ran his antivirus, Norton internet security scan which showed up nothing, but then my brother decided to tell me its been out of date since last June so no wonder it didn't pick anything up!!. Because I am pretty anti Norton, I decided to get rid of his ageing 2005 version and replaced it with Kaspersky On a full system scan with an up-to-date kaspersky antivirus, I found 47 items, here is a copy of these items: which I have deleted Protection ---------- Total scanned: 72483 Detected: 47 Untreated: 0 Start time: 06/01/2007 19:46:51 Duration: 00:50:07 Detected -------- Status Object ------ ------ not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\isamini.exe not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\isamonitor.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\pmsngr.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\pmmon.exe//PE_Patch//UPack not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\PROGRAM FILES\VIDEO ACTIVEX OBJECT\ISADDON.DLL//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc Running module: isamonitor.exe\isamonitor.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc Running module: isamini.exe\isamini.exe not found: Trojan program Trojan-Downloader.Win32.Zlob.awu File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019751.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.atn File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0007 deleted: Trojan program Trojan-Downloader.Win32.Zlob.awu File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0008 deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022453.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022454.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022455.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjb File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022464.exe//PE_Patch.UPX//UPX//stream//data0006 deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022479.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022480.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022481.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022495.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022496.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022497.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022510.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022511.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022512.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bdi File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022520.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022527.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022528.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022529.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022546.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022547.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022548.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022570.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022571.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022572.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022586.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022587.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022588.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022995.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022996.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022997.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023095.dll//PE_Patch deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023096.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023097.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023106.exe deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023107.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023108.exe//PE_Patch//UPack deleted: Trojan program Trojan-Downloader.Win32.Zlob.ask File: C:\Documents and Settings\Ray\My Documents\Download Files\keycodec.912.exe//UPX//data0007 deleted: adware not-a-virus:AdWare.Win32.Comet.ac File: C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll After I had cleared these up I did a reboot. Everything seemed fine apart from the System tray notification thing. I have had a look at msconfig startup files, I found nothing suspicious I have used "BT yahoo Antispy" (it was on the system already so I might as well give it a go That found the following: I am currently scanning with Windows Defender. This has detected Zlob. So far everything is back normal apart from the system tray notification icon see image: I really don’t know how to get rid of that could anyone please help Cheers Additional info about problem that I have found: http://www.daniweb.com/techtalkforums/thread66091.html __________________ 4 Year old "Tiny" PC OS: Microsoft Windows Xp SP2 MoBo: MSI P4MAM-V/L (socket 478) CPU: Intel Celeron D 320 @ 2.4Ghz RAM: 2x512Mb DDR PC2700 GPU: Nvidia Geforce 7600GT 256Mb AGP PSU: 300 Watt "Generic" HDD: 200GB Optical 1: Sony DVD-ROM DDU1613 Optical 2: VOM-12E48X (DVD-RW)

01-06-2007, 10:55 PM	#2 (permalink)
Buzz1927 Digaredd Join Date: May 2005 Location: Melbourne AU Posts: 7,582	Let's have a look at what's left on the machine. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm __________________ Son of Glyndwr Mae hen wlad fy nhadau yn annwyl i mi

01-07-2007, 12:19 PM	#3 (permalink)
J_D Gold Member Join Date: Dec 2006 Location: Sussex, England Age: 20 Posts: 281	Hi Thanks Buzz Here is the report from SmitFraudFix SmitFraudFix v2.132 Scan done at 11:16:24.68, 07/01/2007 Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ray\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files C:\Program Files\Video ActiveX Object\ FOUND ! C:\Program Files\VideoKeyCodec\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler] "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl" [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c238 7-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="wbsys.dll" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End __________________ 4 Year old "Tiny" PC OS: Microsoft Windows Xp SP2 MoBo: MSI P4MAM-V/L (socket 478) CPU: Intel Celeron D 320 @ 2.4Ghz RAM: 2x512Mb DDR PC2700 GPU: Nvidia Geforce 7600GT 256Mb AGP PSU: 300 Watt "Generic" HDD: 200GB Optical 1: Sony DVD-ROM DDU1613 Optical 2: VOM-12E48X (DVD-RW)

01-07-2007, 12:21 PM	#4 (permalink)
Buzz1927 Digaredd Join Date: May 2005 Location: Melbourne AU Posts: 7,582	You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log. The report can also be found at the root of the system drive, usually at C:\rapport.txt __________________ Son of Glyndwr Mae hen wlad fy nhadau yn annwyl i mi Last edited by Buzz1927; 01-07-2007 at 01:29 PM.

01-07-2007, 01:32 PM	#5 (permalink)
J_D Gold Member Join Date: Dec 2006 Location: Sussex, England Age: 20 Posts: 281	Hi Thanks Buzz it all seems clear now!! here is the report of the clean: SmitFraudFix v2.132 Scan done at 12:16:36.82, 07/01/2007 Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler] "{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl" [HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c238 7-7f80-4022-9be6-43630a969558}\InProcServer32] @="C:\WINDOWS\system32\gwquvw.dll" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\gwquvw.dll -> Hoax.Win32.Renos.gen.i C:\WINDOWS\system32\gwquvw.dll -> Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\Program Files\Video ActiveX Object\ Deleted C:\Program Files\VideoKeyCodec\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End Thanks again __________________ 4 Year old "Tiny" PC OS: Microsoft Windows Xp SP2 MoBo: MSI P4MAM-V/L (socket 478) CPU: Intel Celeron D 320 @ 2.4Ghz RAM: 2x512Mb DDR PC2700 GPU: Nvidia Geforce 7600GT 256Mb AGP PSU: 300 Watt "Generic" HDD: 200GB Optical 1: Sony DVD-ROM DDU1613 Optical 2: VOM-12E48X (DVD-RW)

01-07-2007, 01:36 PM	#6 (permalink)
Buzz1927 Digaredd Join Date: May 2005 Location: Melbourne AU Posts: 7,582	That did it __________________ Son of Glyndwr Mae hen wlad fy nhadau yn annwyl i mi

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Intel vs. AMD.... what do you prefer?	McG	CPUs and Overclocking	30	09-07-2009 02:23 PM
Can't run System Restore	bobtheninja	Operating Systems	7	11-06-2005 02:47 AM
$2000 for a Gaming System	NewComputer	Desktop Computers	9	10-13-2005 02:50 AM
Parsytec PowerXplorer	Daminc	Desktop Computers	7	03-24-2005 09:38 AM
avg anti virus system help	marty	General Computer Chat	6	09-25-2004 04:17 PM