I'm An Idiot

#1 ctsmeouwow

Posted 13 September 2007 - 12:08 AM

Hello. I did something really stupid---downloaded an ActiveX control that gave me a Zlob trojan and installed VirusProtectPro on my PC....I ran Spybot and Ad-Aware numerous times and while they detected the viruses, they did nothing to relieve the symptoms.

My symptoms are a slow internet (downloads at 38KB while my DSL should be 100MB), the PC makes a little POP noise every five minutes (I timed it) and then freezes until I hit the cursor again, and there is an icon in my task bar that flashes between a red X and a blue question mark. (If you click on it, it takes you to the VirusProtectPro website.) It will not go away and I can't even hide it beyond the next startup. I did do an uninstall on the VirusProtectPro program.

I was also having a problem streaming radio but a Microsoft update came down yesterday which seems to have fixed this problem...I am assuming that is what fixed it anyway....could be unrelated but I do not know for sure.

I downloaded and ran Paretologic Anti-Spyware and REGCure but they were of no help whatsoever. They found and got rid of problems that they detected but did nothing for the symptoms.

Anyone who can help me would be MY HERO. I don't know what else to do short of re-installing Windows.

Thanks if you can help.

Carole

Edited by ctsmeouwow, 13 September 2007 - 12:53 AM.



#2 buddy215 (BC Advisor)

Posted 13 September 2007 - 02:41 PM

Use the Smitfraudfix tool in the link below. Read the directions carefully. Then follow up with the other two programs to remove the malware that accompanies the Smitfraud malware.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

Please let us know the results of the scans.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 ctsmeouwow (Topic Starter)

Posted 14 September 2007 - 11:42 PM

Hello. Thank you so much for your response and your time. I have begun this process by running the SmitFraudFix scan. I will post the results below. I am a little leery to continue after viewing the message I see several times that says "!!!Attention, following keys are not inevitably infected!!!". I just want to make certain that I will not be deleting anything that I need. Please let me know if it is safe to continue and thanks again.

PS---I am also concerned about my IP address that is included in the log below...should I edit that out?

Carole

SmitFraudFix v2.224

Scan done at 21:31:09.00, Fri 09/14/2007
Run from C:\Program Files\America Online 7.0\download\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 7.0\waol.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\zdwii.dll FOUND !

C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://img.x.xpays.com/xpays/girliezoo_special/splash_13.jpg"
"SubscribedURL"="http://img.x.xpays.com/xpays/girliezoo_special/splash_13.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2fdde73c-273e-4e55-84dc-455de06e4866}"="amaretti"

[HKEY_CLASSES_ROOT\CLSID\{2fdde73c-273e-4e55-84dc-455de06e4866}\InProcServer32]
@="C:\WINDOWS\system32\zdwii.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2fdde73c-273e-4e55-84dc-455de06e4866}\InProcServer32]
@="C:\WINDOWS\system32\zdwii.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/100 VE Network Connection #2 - Packet Scheduler Miniport
DNS Server Search Order: 15.60.103.1
DNS Server Search Order: 15.60.103.2

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 205.188.146.145

Description: Intel® PRO/100 VE Network Connection #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{45C9A2A0-FC8A-4A87-A80F-A090DF2702A6}: NameServer=205.188.146.145
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB6BB8B2-B3DE-422E-AB64-3DA40C428741}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{45C9A2A0-FC8A-4A87-A80F-A090DF2702A6}: NameServer=205.188.146.145
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FB6BB8B2-B3DE-422E-AB64-3DA40C428741}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FB6BB8B2-B3DE-422E-AB64-3DA40C428741}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


Scanning for wininet.dll infection


End
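As an added illustration (not part of this thread and not SmitFraudFix's own code), here is a small Python triage script for a log in the format posted above: it pulls out the files the scanner marked "FOUND !", resolves each SharedTaskScheduler CLSID to the DLL its InProcServer32 key loads (the persistence entry that pointed at zdwii.dll), and lists any DNS servers outside private ranges, which is what in the log actually identifies the poster's network. The embedded log excerpt is constructed from values shown in this thread; the regexes assume the plain-text layout SmitFraudFix v2.224 printed here.

```python
import ipaddress
import re

# Constructed excerpt modelled on the SmitFraudFix log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\zdwii.dll FOUND !

Sharedtaskscheduler
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2fdde73c-273e-4e55-84dc-455de06e4866}"="amaretti"

[HKEY_CLASSES_ROOT\CLSID\{2fdde73c-273e-4e55-84dc-455de06e4866}\InProcServer32]
@="C:\WINDOWS\system32\zdwii.dll"

DNS
Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 205.188.146.145
Description: Intel PRO/100 VE Network Connection #2
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 192.168.0.1
"""

# Line shapes assumed from the log layout above.
FOUND_RE = re.compile(r"^(?P<path>\S.*?) FOUND !\s*$", re.M)
STS_RE = re.compile(r'^"(?P<clsid>\{[0-9a-f-]+\})"="(?P<name>[^"]*)"\s*$', re.M | re.I)
INPROC_RE = re.compile(r'^\[[^\]]*\\CLSID\\(?P<clsid>\{[0-9a-f-]+\})\\InProcServer32\]\s*\n'
                       r'@="(?P<dll>[^"]+)"', re.M | re.I)
DNS_RE = re.compile(r"^DNS Server Search Order: (?P<ip>[\d.]+)\s*$", re.M)

def found_files(log):
    """Files the scanner itself marked with 'FOUND !'."""
    return FOUND_RE.findall(log)

def sharedtask_dlls(log):
    """Map each SharedTaskScheduler CLSID to the DLL its InProcServer32 key names.
    Explorer loads the DLLs registered here when it starts, which is how zdwii.dll persisted."""
    servers = {m.group("clsid").lower(): m.group("dll") for m in INPROC_RE.finditer(log)}
    return {m.group("clsid").lower(): (m.group("name"), servers.get(m.group("clsid").lower()))
            for m in STS_RE.finditer(log)}

def public_dns_servers(log):
    """Routable (non-private) DNS servers, deduplicated, in order of first appearance."""
    return [ip for ip in dict.fromkeys(DNS_RE.findall(log)) if ipaddress.ip_address(ip).is_global]

def triage(log):
    """The three things a helper reads first in a posted log, as plain findings."""
    flagged = {p.lower() for p in found_files(log)}
    notes = [f"file flagged by scanner: {p}" for p in found_files(log)]
    for clsid, (name, dll) in sharedtask_dlls(log).items():
        tag = "also flagged above" if dll and dll.lower() in flagged else "unknown DLL, check it"
        notes.append(f"SharedTaskScheduler {clsid} ({name!r}) loads {dll} ({tag})")
    for ip in public_dns_servers(log):
        notes.append(f"public DNS server {ip}: confirm it is your ISP's; redact it before posting")
    return notes

if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print(note)
```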

#4 buddy215 (BC Advisor)

Posted 15 September 2007 - 05:27 AM

If you haven't run option #2 in Smitfraudfix, go ahead and do that. It found the Zlob trojan.

Be sure to follow up with the other two scans, also. Let us know the results.



#5 ctsmeouwow (Topic Starter)

Posted 15 September 2007 - 06:26 AM

So far so good and that annoying little flashing icon is gone from my task tray...here are the results from the fix and I will follow up with the results from the next steps.

SmitFraudFix v2.224

Scan done at 4:15:32.76, Sat 09/15/2007
Run from C:\Program Files\America Online 7.0\download\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2fdde73c-273e-4e55-84dc-455de06e4866}"="amaretti"

[HKEY_CLASSES_ROOT\CLSID\{2fdde73c-273e-4e55-84dc-455de06e4866}\InProcServer32]
@="C:\WINDOWS\system32\zdwii.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2fdde73c-273e-4e55-84dc-455de06e4866}\InProcServer32]
@="C:\WINDOWS\system32\zdwii.dll"


Killing process


hosts


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\zdwii.dll -> Hoax.Win32.Renos.gen.o
C:\WINDOWS\system32\zdwii.dll -> Deleted


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FB6BB8B2-B3DE-422E-AB64-3DA40C428741}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FB6BB8B2-B3DE-422E-AB64-3DA40C428741}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FB6BB8B2-B3DE-422E-AB64-3DA40C428741}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#6 ctsmeouwow (Topic Starter)

Posted 15 September 2007 - 07:08 AM

Hello. I downloaded SUPERAntiSpyware.exe but cannot find a way to run it from safe mode. I did a search but all it found was worthless text files. I may very well be missing something (scratching head) but am stumped at this point. Is it okay to run it in normal mode?

Thanks,
Carole

#7 buddy215 (BC Advisor)

Posted 15 September 2007 - 08:03 AM

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



#8 ctsmeouwow (Topic Starter)

Posted 15 September 2007 - 08:25 AM

Thanks but I can find and use Safe Mode fine. I can't get Superantispyware.exe to run from there. I can't even find it in Safe mode. Again, it's probably me, but I am stumped.

#9 buddy215 (BC Advisor)

Posted 15 September 2007 - 08:50 AM

If you installed Super Antispyware, not just downloaded it in regular mode, then it should appear on your desktop in safe mode.
It is OK to run in regular mode if you cannot do it in safe mode for whatever reason.



#10 ctsmeouwow (Topic Starter)

Posted 16 September 2007 - 04:38 PM

Hello. Indeed I did not install but just downloaded the program. So I installed it and then ran it in safe mode. It found 36 adware.tracking cookies and one unknown file called msevnt.exe. These were removed. I then ran bit-defender (will post results below) and had it delete what it found. All my symptoms have vanished now and I could not be more grateful--I really appreciate your time...I'd bake you cookies if I could! :thumbsup:


Here is the short version of the bitdefender results. I did export the detailed results but it saved with all the HTML code so it's tough to read. (I can post that if you want it but didn't want to waste your space). All the errors below were found in temporary, system volume, and intellimover files.

BitDefender Online Scanner - Real Time Virus Report
Generated at: Sun, Sep 16, 2007 - 13:37:58


Scan Info
Scanned Files 209147
Infected Files 20


Virus Detected
Trojan.Zlob.BTF 8
Trojan.Downloader.Dluca.CC 1
Generic.Malware.Yd!sp.2BF82FB4 1
Trojan.Downloader.Agent.LI 2
Trojan.Downloader.Dluca.BE 1
Trojan.Downloader.Small.ID 1
Generic.Malware.Yd!sp.96B9CFA2 1
Generic.Malware.Yd!sp.C6ABDAD9 1
Trojan.Downloader.Dluca.DZ 2
DeepScan:Generic.Zlob.7.AA8CB2A1 2

#11 buddy215 (BC Advisor)

Posted 16 September 2007 - 05:09 PM

Glad you got it done! Congrats
If you think you have removed all of the malware, follow the instructions below. I would suggest also that you rerun Super Antispyware after updating and Bit Defender in a couple of days.

You have malware in your system restore points that you can only remove by deleting the restore points. If you ever have to use "system restore" you would get infected again. Instructions for how to do that are in the link below.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

The cookies that your security program(s) find are known as "Third Party Cookies".
You can block those from ever getting on your computer. See the instructions in the link below. This only blocks the advertising/spy cookies. Not the good ones.
http://privacy.getnetwise.org/browsing/tools/ie6/block3

(Carrot Cake is my favorite)



#12 ctsmeouwow (Topic Starter)

Posted 16 September 2007 - 07:37 PM

Okay, done, done and done! SuperAntiSpyware found three more tracking cookies....it's like the Keebler &$$#@$& Elves are in there! Anyway, I did block third-party cookies and I will run BitDefender in a couple days.

Do you have a paypal link I could donate to cause I'd sure like to! Now, if you'll excuse me, I have a carrot cake to bake..... :thumbsup: Thank you sooooooooo much!

Carole

#13 buddy215 (BC Advisor)

Posted 16 September 2007 - 08:09 PM

I didn't think you would come thru, so I baked myself a blueberry cobbler this afternoon.
Blocking the third party cookies doesn't remove the ones that were on your computer. If you ran SAS AFTER blocking you should never have another one on your Internet Explorer browser. If you use another browser you will need to block them, too.
There is a button at the top of this page that says "Donate" if you would like to contribute to the site.

By the way, if you have a Honey Baked Ham store in your area try their carrot cake. It is EXCELLENT!



#14 ctsmeouwow (Topic Starter)

Posted 16 September 2007 - 08:25 PM

I ran SuperAntiSpyware after blocking the cookies so I think I killed the elves.

Thanks for the Honey Baked Ham Carrot Cake tip....will definitely try that.

Guess I'll have to eat your carrot cake myself. :thumbsup:

Enjoy your cobbler!

#15 Yourhighness (Malware Response Team)

Posted 17 September 2007 - 03:11 AM

Hey there,

You should also go through this tutorial, since you already did some removal steps on your own: http://www.bleepingcomputer.com/forums/t/98219/how-to-remove-virusprotect-or-virus-protect-removal-instructions/

You should also consider reading here: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ to make sure all is gone from your PC.
