01-06-2007, 10:50 PM   #1
J_D
Gold Member
Join Date: Dec 2006
Location: Sussex, England
Age: 19
Posts: 281

System Alert!! Fake! Re: anti-vermins.com

Hi

Today my brother managed to get his computer infected. He was on the net when he was asked to install an ActiveX control, which he unwisely did, and since then his homepage was changed and he was presented with numerous ads etc., but also his system tray now shows a new icon which is there all the time, flashing and telling him about system-detected virus activity etc. The balloon info and icon are supposed to look like a Windows Security Centre notification, but when you click on the balloon info speech bubble you are sent to a website (www.anti-vermins.com) and are invited to download their antivirus protection, which he thankfully has not done, because on further research this would have made his system very open to hackers etc.

Anyway I’ve spent quite a bit of time on it because it was in a bad way.

Firstly, I ran his antivirus, a Norton Internet Security scan, which showed up nothing, but then my brother decided to tell me it's been out of date since last June, so no wonder it didn't pick anything up!

Because I am pretty anti-Norton, I decided to get rid of his ageing 2005 version and replaced it with Kaspersky.

On a full system scan with an up-to-date Kaspersky antivirus, I found 47 items; here is a copy of these items, which I have deleted:

Protection
----------
Total scanned: 72483
Detected: 47
Untreated: 0
Start time: 06/01/2007 19:46:51
Duration: 00:50:07


Detected
--------
Status Object
------ ------
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\isamini.exe
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\isamonitor.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\pmsngr.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\Program Files\Video ActiveX Object\pmmon.exe//PE_Patch//UPack
not found: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\PROGRAM FILES\VIDEO ACTIVEX OBJECT\ISADDON.DLL//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc Running module: isamonitor.exe\isamonitor.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc Running module: isamini.exe\isamini.exe
not found: Trojan program Trojan-Downloader.Win32.Zlob.awu File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019751.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.atn File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0007
deleted: Trojan program Trojan-Downloader.Win32.Zlob.awu File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP225\A0019769.exe//PE_Patch.UPX//UPX//data0008
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022453.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022454.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022455.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjb File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022464.exe//PE_Patch.UPX//UPX//stream//data0006
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022479.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022480.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022481.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022495.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022496.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022497.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022510.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022511.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022512.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bdi File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022520.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022527.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022528.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022529.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022546.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022547.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022548.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022570.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022571.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022572.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022586.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022587.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022588.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022995.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022996.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP285\A0022997.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023095.dll//PE_Patch
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023096.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023097.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023106.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023107.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.bjc File: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP287\A0023108.exe//PE_Patch//UPack
deleted: Trojan program Trojan-Downloader.Win32.Zlob.ask File: C:\Documents and Settings\Ray\My Documents\Download Files\keycodec.912.exe//UPX//data0007
deleted: adware not-a-virus:AdWare.Win32.Comet.ac File: C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll

After I had cleared these up I did a reboot. Everything seemed fine apart from the System tray notification thing.

I have had a look at the msconfig startup files; I found nothing suspicious.

I have used "BT Yahoo Antispy" (it was on the system already, so I might as well give it a go).
That found the following:


I am currently scanning with Windows Defender. This has detected Zlob.

So far everything is back normal apart from the system tray notification icon see image:


I really don't know how to get rid of that. Could anyone please help?
Cheers

Additional info about problem that I have found:
http://www.daniweb.com/techtalkforums/thread66091.html
__________________
4 Year old "Tiny" PC
OS: Microsoft Windows Xp SP2
MoBo: MSI P4MAM-V/L (socket 478)
CPU: Intel Celeron D 320 @ 2.4Ghz
RAM: 2x512Mb DDR PC2700
GPU: Nvidia Geforce 7600GT 256Mb AGP
PSU: 300 Watt "Generic"
HDD: 200GB
Optical 1: Sony DVD-ROM DDU1613
Optical 2: VOM-12E48X (DVD-RW)


01-06-2007, 10:55 PM   #2
Buzz1927
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,087

Let's have a look at what's left on the machine.

Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
Select option #1 - Search by typing 1 and pressing "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
__________________
The Grim Reaper - Son of Glyndwr
"To Hell or Connacht" may you burn in Hell tonight!
01-07-2007, 12:19 PM   #3
J_D
Gold Member
Join Date: Dec 2006
Location: Sussex, England
Age: 19
Posts: 281

Hi

Thanks Buzz.

Here is the report from SmitFraudFix:

SmitFraudFix v2.132

Scan done at 11:16:24.68, 07/01/2007
Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ray\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ray\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Video ActiveX Object\ FOUND !
C:\Program Files\VideoKeyCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
01-07-2007, 12:21 PM   #4
Buzz1927
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,087

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Last edited by Buzz1927; 01-07-2007 at 01:29 PM.
01-07-2007, 01:31 PM   #5
J_D
Gold Member
Join Date: Dec 2006
Location: Sussex, England
Age: 19
Posts: 281

Hi

Thanks Buzz, it all seems clear now!!

Here is the report of the clean:

SmitFraudFix v2.132

Scan done at 12:16:36.82, 07/01/2007
Run from C:\Documents and Settings\Ray\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\gwquvw.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\gwquvw.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Video ActiveX Object\ Deleted
C:\Program Files\VideoKeyCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Thanks again

01-07-2007, 01:36 PM   #6
Buzz1927
Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,087

That did it.