Infected With Xp Antivirus 2008; Trojan-downloader.win32.zlob.drh

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Infected With Xp Antivirus 2008; Trojan-downloader.win32.zlob.drh, need assistance removing

Options

OldTimer View Member Profile	Jul 20 2008, 05:40 PM Post #2
Malware Expert Group: HJT Team Posts: 10,983 Joined: 28-January 05 From: Holland Michigan USA Member No.: 10,782	Hello sethra_lavode and welcome to BC. Let's see what we can find. Follow the steps below in order: Before running a new scan let's clean out the temporary folders. Download ATF Cleaner to your Desktop. Double-click ATF-Cleaner.exe to run the program. Click Select All found at the bottom of the list. Click the Empty Selected button. If you use Firefox browser, do this also: Click Firefox at the top and choose Select All from the list. Click the Empty Selected button. NOTE : If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser, do this also: Click Opera at the top and choose Select All from the list. NOTE : If you would like to keep your saved passwords, please click No at the prompt. Close ALL Internet browsers (very important). Click the Empty Selected button. Click Exit on the Main menu to close the program. Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop. Note: You must be logged on to the system with an account that has Administrator privileges to run this program. Close ALL OTHER PROGRAMS. Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator). In the Drivers section click on Non-Microsoft. Under Additional Scans click the checkboxes in front of the following items to select them: Reg - BotCheck File - Additional Folder Scans Do not change any other settings. Now click the Run Scan button on the toolbar. Let it run unhindered until it finishes. When the scan is complete Notepad will open with the report file loaded in it. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it. Save the file to your desktop or other location where you can find it back. Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post). Cheers. OT -------------------- I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive. OldTimer

sethra_lavode View Member Profile	Jul 21 2008, 11:05 AM Post #3
New Member Group: Members Posts: 3 Joined: 16-July 08 Member No.: 223,235	Thanks for the reply. I have done as you suggested, and I will attempt to attach the file, but I am not seeing a button to allow me to make the attachment, so I am going to add the reply and hope that it allows me to add the attachment.

OldTimer View Member Profile	Jul 21 2008, 03:59 PM Post #4
Malware Expert Group: HJT Team Posts: 10,983 Joined: 28-January 05 From: Holland Michigan USA Member No.: 10,782	Hi sethra_lavode. There should be 2 buttons directly under the window where your response is typed. Use the Brosw button to located the file on the machine and teh Upload button to attach it to the posting. Cheers. TO -------------------- I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive. OldTimer

sethra_lavode View Member Profile	Jul 22 2008, 09:36 AM Post #5
New Member Group: Members Posts: 3 Joined: 16-July 08 Member No.: 223,235	For some reason I did not have the attachment box when using Firefox, but I do have it in Explorer. So, I am attaching the file. Thanks for your assistance. Attached File(s) OTScanIt.Txt ( 285.19k ) Number of downloads: 3

OldTimer View Member Profile	Jul 22 2008, 10:14 AM Post #6
Malware Expert Group: HJT Team Posts: 10,983 Joined: 28-January 05 From: Holland Michigan USA Member No.: 10,782	Hi sethra_lavode. Let's see what we can do. Follow the steps below in order: First, it appears that there are multiple anti-virus applications running on this computer(Alwil and Symantec). Running more than 1 anti-virus application at the same time can cause file access and resource issues and if there is an infection the multiple programs can actually block each other from dealing with the infected file(s). Choose which application you want to keep and uninstall the other one(s) to prevent these problems. Step #1 Please download The Avenger by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C): CODE Files to delete: %systemroot%\system32\clbinit.dll c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat Folders to delete: %appdata%\rhcn83j0e96u %systemroot%\system32\931928 Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system. Now, start The Avenger program by clicking on its icon on your desktop. Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V). Click the Execute button Answer "Yes" twice when prompted. The Avenger will automatically do the following: It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.) On reboot, it will briefly open a black command window on your desktop, this is normal. After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip. Step #2 Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button. CODE [Kill Explorer] [Unregister Dlls] [Registry - Non-Microsoft Only] < Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YN -> ~EmptyValue -> [] < ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks YN -> {84C53226-C282-41FE-A4B4-8F05CC5EC24B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [] < SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler YN -> {7999c5e2-b500-4ba5-8e9a-99639eca65fc} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [celtiberi] < Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ YN -> iifeddCs -> < Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar YN -> {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] YN -> {A9C00446-CA14-4EF3-AACB-723AE6634D61} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] YN -> {C7768536-96F8-4001-B1A2-90EE21279187} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] < Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ YN -> ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] YN -> ShellBrowser\\{C7768536-96F8-4001-B1A2-90EE21279187} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] YN -> WebBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] YN -> WebBrowser\\{C7768536-96F8-4001-B1A2-90EE21279187} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] < Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ YN -> {08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console] YN -> {E2D4D26B-0180-43a4-B05F-462D6D54C789}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Connection Help] < Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ YN -> CmdMapping\\{5E638779-1818-4754-A595-EF1C63B87A56} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] < DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ YN -> {1EB4CA0A-0B75-4EEA-B38E-D563400F35A5} -> 85.255.116.122,85.255.112.169 (Realtek RTL8139/810x Family Fast Ethernet NIC) YN -> {892900FC-9814-4488-99C0-81491C1EE93D} -> 85.255.116.122,85.255.112.169 (HP EN1207D-TX PCI 10/100 Fast Ethernet Adapter) YN -> {EC8BA7A5-BD9B-439A-BD4A-F7A1563412EA} -> 85.255.116.122,85.255.112.169 (1394 Net Adapter) [Registry - Additional Scans - Non-Microsoft Only] < BotCheck > -> YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YServer.exe -> %ProgramFiles%\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe::Enabled:Yahoo! FT Server] YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\DISC\DISCover.exe -> %ProgramFiles%\DISC\DISCover.exe [C:\Program Files\DISC\DISCover.exe::Enabled:DISCover Drop & Play System] YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\DISC\DiscStreamHub.exe -> %ProgramFiles%\DISC\DiscStreamHub.exe [C:\Program Files\DISC\DiscStreamHub.exe::Enabled:DISCover Stream Hub] YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\DISC\myFTP.exe -> %ProgramFiles%\DISC\myFTP.exe [C:\Program Files\DISC\myFTP.exe::Enabled:DISCover FTP] [Files/Folders - Created Within 30 days] NY -> 931928 -> %SystemRoot%\System32\931928 NY -> 9 C:\WINDOWS\System32\.tmp files -> C:\WINDOWS\System32\.tmp NY -> clbinit.dll -> %SystemRoot%\System32\clbinit.dll NY -> 1 C:\WINDOWS\.tmp files -> C:\WINDOWS\.tmp [Files Created - Additional Folder Scans - Non-Microsoft Only] NY -> rhcn83j0e96u -> %AppData%\rhcn83j0e96u [Files/Folders - Modified Within 30 days] NY -> 931928 -> %SystemRoot%\System32\931928 NY -> 9 C:\WINDOWS\System32\.tmp files -> C:\WINDOWS\System32\.tmp NY -> clbinit.dll -> %SystemRoot%\System32\clbinit.dll NY -> 1 C:\WINDOWS\.tmp files -> C:\WINDOWS\.tmp NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat [Files Modified - Additional Folder Scans - Non-Microsoft Only] NY -> rhcn83j0e96u -> %AppData%\rhcn83j0e96u [Empty Temp Folders] [Start Explorer] The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply. If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply. Step #3 Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two. Run the F-Secure Online Scanner Note: This Scanner is for Internet Explorer Only! Click on Online Services and then Online Scanner Accept the License Agreement. Once the ActiveX installs,Click Full System Scan Once the download completes,the scan will begin automatically. The scan will take some time to finish,so please be patient. When the scan completes, click the Automatic cleaning (recommended) button. Click the Show Report button and Copy&Paste the entire report in your next reply. If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner Click on Kaspersky Online Scanner You will be prompted to install an ActiveX component from Kaspersky, click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer The program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Step #4 Run a new OTScanIt scan with the following options (Do NOT use Scan All Uses). Note: You must be logged on to the system with an account that has Administrator privileges to run this program. Close ALL OTHER PROGRAMS. Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator). Under Additional Scans click the checkboxes in front of the following items to select them: Reg - BotCheck File - Additional Folder Scans Do not change any other settings. Now click the Run Scan button on the toolbar. Let it run unhindered until it finishes. When the scan is complete Notepad will open with the report file loaded in it. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary). Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located. Attach that file back here in your next reply. Step #5 Copy/paste the following back here in your next reply: The Avenger report (c:\Avenger.txt) The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. ) The online virus scan report (whichever one you ran) Attach the following back here in your next reply: The new OTScanIt scan log I will review the information when it comes back in. Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer. Cheers. OT -------------------- I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive. OldTimer

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 21st November 2009 - 01:29 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides