
Can't Get Rid Of "load Zip Error" Pop-up. What Do I Do?


10 replies to this topic

#1 endswell


Posted 24 September 2008 - 10:36 PM

I think one of my kids brought a trojan horse virus in from Myspace. I have run AdAware, Spybot and Anti-malware a number of times, which seemed to get rid of the primary issue (the trojan notice) but I can't seem to get rid of the small window that says "Load ZIP error" showing up in the center of my screen, and on my menu bar. Any suggestions as to how to fix?

Thanks



#2 endswell


Posted 24 September 2008 - 11:12 PM

Sorry, forgot to mention that I am running XP.

I ran Malwarebytes' Anti-Malware, and here is the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 3

9/24/2008 11:10:46 PM
mbam-log-2008-09-24 (23-10-46).txt

Scan type: Quick Scan
Objects scanned: 74789
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\pphc7t6j0et8n.exe (Trojan.FakeAlert) -> Delete on reboot.

#3 DaChew


Posted 24 September 2008 - 11:45 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948894

Would you run ATFcleaner and SAS from safe mode?
Chewy

No. Try not. Do... or do not. There is no try.

#4 endswell


Posted 25 September 2008 - 07:05 AM

I ran ATF from safe mode and ran SAS as the instructions indicated, then rebooted. SAS found some items, but when I rebooted, there was no scan log file in SAS. It was empty. I repeated the entire process (1 hour+ for the scan) and same thing: some items found and corrected by SAS, but nothing in the log file after it automatically rebooted. How can I get to the log file?

#5 DaChew


Posted 25 September 2008 - 09:17 AM

In safe mode, did you log in to your regular login or the hidden administrator?

Always log in to your profile.

All logins from safe mode will be administrator-enabled/powered with XP.

http://www.bleepingcomputer.com/forums/ind...st&p=955614

Let's try a different program from safe mode, go over the log directions carefully

DrWeb Cureit

Edited by DaChew, 25 September 2008 - 09:17 AM.

Chewy


#6 endswell


Posted 25 September 2008 - 06:52 PM

Thanks for the replies, Chewy. I appreciate your help. You were correct - I logged-in as "Administrator" in safe mode, but used my regular log-in after reboot. Thanks for the explanation.

I ran DrWeb-CureIt, and here is the DrWeb.csv report:

.tt2.tmp.vbs;C:\Documents and Settings\Alex\Local Settings\Temp;Trojan.ResetSR;Deleted.;
Hpqdirec.exe;C:\Program Files\HP\Digital Imaging\bin;Trojan.DownLoader.origin;Incurable.Moved.;
A0003382.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7;Trojan.Fakealert.1264;Deleted.;
A0004386.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7;Trojan.Fakealert.1264;Deleted.;
A0004394.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7;Trojan.Fakealert.1264;Deleted.;
A0004401.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7;Trojan.DownLoader.origin;Incurable.Moved.;

#7 DaChew


Posted 25 September 2008 - 07:25 PM

This is elusive and puzzling. Being a relatively untrained helper, I try to intercept the easier-to-cure infections and sort out the non-infections.

Let's keep digging. MBAM is such a new program it won't pick up older infections.

Let's try SDFix. This is more powerful but also more complicated.

http://www.bleepingcomputer.com/forums/ind...st&p=948242
Chewy


#8 endswell


Posted 25 September 2008 - 08:22 PM

I ran SDFix, and upon reboot, I still get the "Load ZIP error" on my computer.

Here is the SDFix Log:

SDFix: Version 1.229
Run by Dan on Thu 09/25/2008 at 07:57 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Dan\Application Data\Microsoft\Internet Explorer\Quick Launch\Videos.url - Deleted
C:\WINDOWS\system32\3.tmp - Deleted
C:\WINDOWS\system32\PfModNT.sys - Deleted





Removing Temp Files

#9 endswell


Posted 26 September 2008 - 08:40 PM

I hope I'm not jinxing myself, but I seem to have corrected the problem, and want to pass this along in case anyone else is having trouble with the same Trojan. I used SmitfraudFix, and ran it from Safe Mode as it instructs. Seems to have done the trick.

Any suggestions on what to run on an on-going basis to prevent this kind of thing from happening again?

#10 DaChew


Posted 26 September 2008 - 08:46 PM

Smitfraudfix was a good choice. Would you post that log for our benefit?
Chewy


#11 endswell


Posted 26 September 2008 - 09:02 PM

Here's the SmitfraudFix log file:

SmitFraudFix v2.354

Scan done at 17:41:03.65, Fri 09/26/2008
Run from C:\Documents and Settings\Dan\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


AntiXPVSTFix



RK


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0F939134-9413-4E59-99AA-2D2874F87399}: DhcpNameServer=192.168.0.1 205.171.3.26


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning

Registry Cleaning not selected.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End



