Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Endless Reboot After Zlob-infection


  • Please log in to reply
17 replies to this topic

#1 pointenoirien

pointenoirien

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:33 AM

Posted 16 July 2008 - 12:05 PM

Hello and greetings from Sweden.

My problems started july 6 when I downloaded what I thought was a videocodec. After trying to fix it and only making it worse, I shut down the computer and have now come back from a short vacation to try to fix it again. I have changed my codes to the bank, but I have a lot of stuff on the computer that I would not want to loose, especially family photos. Luckily, I also have a laptop that Iīm writing from right now.
The infected computer is a P4 2.8 Mhz desktop, 1024 mb ram, 160 Gb harddrive with 3 cd/dvd-drives, that has always been very stable. I have an XP pro Sp2, Panda Titanium 2006 (valid to 2009) (both of which have been continuously updated) and Ad-aware. As far as I know I havenīt had any infection before.
Around 11.30 july 6 I downloaded this malicious "codec" and a popup from the activity bar started to warn me about security problems and urging me to download software. I immediately understood that it was malicious and avoided to click popups, instead shutting them down with ctrl-alt-del. I ran Ad-aware, which found 16 malware items (usually it only finds harmless ones), and I think thats where I saw the name "Win32.TrojandownloaderZlob", or maybe it was written on the ballons from the activity bar. I didnīt have much time then to fix it, so I worked between shutdowns a few more times before the system crashed. Every time I booted up the system, disccheck started and went through the drive and found some broken files. Ad-aware also finally deleted the files it had found in a folder called "Webtechnologies": iebt.dll, iebtm.exe, iebtmm.exe, wcm.exe and wcs.exe; this happened in the beginning of a reboot. After that, I thought the problem was almost fixed. The popups were gone, the fake windows security popup also, (but windows explorer was totally wrecked). Only a little yellow triangle bleeping in the right corner informed me that zlob was still there. After browsing the net, i got the tip to search for files in system 32 changed at the time this happened. I found hkushdr.dll but had no time to fix it then, because i had to go to work. When i came back in the evening to delete this bugger, the computer was cought in an endless reboot.
It goes through the whole start procedure and crashes just before the "user-accounts"-window and then restarts. I can access bios (del) and bootdisk options (F8) at the beginning, and also boot options (F8) later. No boot option works and when I shut off the automatic reboot, the bluescreen message is something like (its in swedish on my computer) "serious system error c000021a the system process windows logon process was unexpectedly terminated with the status 0xc0000135".
At that point Iīm at the limit of my knowledge, and hesitant as to how I should proceed. I have a windows-cd and have been advised both to use the recovery console and the repair function, but donīt know what the problem is. First I thought that there were new commands in the registry trying to load a malware program during startup, and since they fail to initialize (0xc0000135), (since they were removed by Ad-aware) the system crashes. But then I read one of your threads - "Serious Boot Problem, unable to boot after "smitfraud"", I realized that I had made the same mistake as "lightpanther". When trying to reach safe mode at first I didnīt manage to find the F8 command at the right moment, and saw the tip on the net to use MSconfig. As far as I remember, I booted alright into safe mode, after I had already tried Ad-aware in normal mode, but since I didnīt have much time, and the system was very sluggish there, I rebooted back into normal mode, and it was during this reboot that Ad-aware deleted the files. And then I shut down the computer not to be able to get into windows again.
I have read a lot of your threads and been very impressed with the help you have provided to people. Although Iīm just an amateur at computers, I think I know enough to follow your instructions, and I would be very glad to!

BC AdBot (Login to Remove)

 


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 17 July 2008 - 12:17 PM

Hi,

One thing before I give you instrutions:
You really can't get into windows anymore?

#3 pointenoirien

pointenoirien
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 17 July 2008 - 03:03 PM

Hello and thanks for the reply.

No I canīt get into windows, but now things have changed considerably. When I couldnīt locate my windows-disc, I decided it was time to become legit, so I bought a licensed xp together with a harddrive.
Sorry for taking up your time, but maybe I could still ask a couple of questions.
My idea is to start a new xp on the new harddrive and then attach the old one to the new system when i have secured it. After retrieving my important files I plan to format it.
Are there any problems with this plan? What are the risks of getting the infection to the new platform? Is there any special preparation I should make?
Would be very grateful for an answer, although the whole topic has changed, I regret. :thumbsup:

Thanks

#4 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 18 July 2008 - 04:48 AM

When you attach the drive to a clean pc, some malware can copy itself to the clean disk. You can't take preparations for it, it just happens.

What we can do is clean this disk, it's not a disaster that you can't come into windows, there are options we can try, so it will become clean again.
Let me know what you want. :thumbsup:

#5 pointenoirien

pointenoirien
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:33 AM

Posted 18 July 2008 - 08:03 AM

OK letīs do it. Iīm eager to see how it works and to learn something. :thumbsup:
Unfortunately, I can only work with it in the evenings and nights - after 8 pm, swedish time (I think itīs 7 hours before the time on this forum).
But I could prepare for tonight with downloads or whatever. I have access to a good laptop with a pretty fast connection (24 Mbit), right beside my crashed desktop.

#6 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 18 July 2008 - 08:25 AM

Hi,

Okay, here we go.
You can try to make a Live CD. With this CD you can start windows without using the harddisk, so you can recover all the files you want.
For information and a tutorial, see: http://www.nu2.nu/pebuilder/

So you can save your files now, tell me when you've done that, so we can try to delete the malware. :thumbsup:

#7 pointenoirien

pointenoirien
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 18 July 2008 - 08:57 AM

OK, Iīll do that and be back in around 4 hours. :thumbsup:

#8 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 18 July 2008 - 08:58 AM

Ok :thumbsup:

#9 pointenoirien

pointenoirien
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:33 AM

Posted 18 July 2008 - 03:42 PM

Ok, Iīm back. I have a little kid to take care of too.
I downloaded pebuilder and have read about it, but I am a little confused. :thumbsup: Is it possible for me to use this program on the laptop and build from a windows-cd, even if it isnīt exactly the one installed in my crashed computer? My problem is that I am no longer sure if the cd at home is the one installed. I have that one (and I donīt know if it is home or pro - it just says xp) and I now have the legit one i just bought. Can I use any of these?
I will continue to look around for an answer if I donīt get it from you and then get on with copying files. It will take some time though - Iīll get back to you when Iīm ready.
By the way - is KNOPPIX an alternative?

#10 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 19 July 2008 - 08:08 AM

Hi,

I don't have any experience with knoppix.

When it only sais "Windows XP" it is Windows XP Home edition.

I hope I fully informed you now? :thumbsup:

#11 pointenoirien

pointenoirien
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 19 July 2008 - 05:38 PM

Yes, and thanks.
But it is a strange cd. :thumbsup: When I look into itīs root catalogue it displayes the keys for xp pro, so I think it is after all. And Iīm pretty confident now that it is the one i have installed.
Iīve done some progress now, but a warning: this will propably take some time.
I managed to boot the system with BartsPe, but in the middle of the night I couldnīt really understand the system. I propably should make another cd with some plugins, didnīt get that at first.
Anyway, I will also try Knoppix. I believe It would be easier to understand for me. I have a LOT of material I would like to get off the disk, and Knoppix can write to a usb-drive, which seems to be the fastest way.
Iīll get back when Iīve unloaded my stuff.

#12 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 20 July 2008 - 03:56 AM

Ok :thumbsup:

#13 pointenoirien

pointenoirien
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:33 AM

Posted 05 August 2008 - 05:32 PM

I am sorry about the long delay, but I simply havenīt had time. Thanks for getting ready to help - this is a great site.
Iīll just end by telling you how it worked out.
I tried Knoppix, and it did wonders for me. It booted up without any problem, and I could backup my files to an external drive. Then I made c writable and started to examine what could be wrong. I noticed that three system dll:s were missing and replaced them (advapi32.dll, comdlg32.dll and imagehlp.dll). Then I deleted the Zlob-dll I had found just before the crash (hkushdr.dll). And then the system started up normally and there was no sign of Zlob. Then I restarted in safemode and ran smitfraudfix. Then I went back to normal mode and restored the system to a point before the infection. And since then (this weekend) there has been no symptoms.
I guess there could still be something, but since I will soon install a new (and this time valid) xp, I donīt want to loose too much sweat over it.
Until next crash - thanks! :thumbsup:

#14 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 06 August 2008 - 05:42 AM

Hi,

I would recommend you to do this, so we can be sure everything is gone:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#15 pointenoirien

pointenoirien
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  

Posted 09 August 2008 - 12:54 PM

Ok, Iīve done what you requested, and the scan found 4 items. Hereīs the report:

===
Malwarebytes' Anti-Malware 1.24
Databasversion: 1036
Windows 5.1.2600 Service Pack 2

19:46:16 2008-08-09
mbam-log-8-9-2008 (19-46-16).txt

Skanningstyp: Snabb skanning
Antal skannade objekt: 45735
Förfluten tid: 10 minute(s), 0 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 1
Infekterade filer: 3

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
C:\WINDOWS\system32\Fonts (Trojan.Agent) -> Quarantined and deleted successfully.

Infekterade filer:
C:\WINDOWS\system32\Fonts\ACADEMY_.PFB (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Fonts\ACADEMY_.PFM (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Fonts\ACADEMY_.TTF (Trojan.Agent) -> Quarantined and deleted successfully.
===

Sorry itīs in swedish, but I guess you can decifer it.
So this is a pretty good anti-malware program?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users