
Trojan Zlob? Please Help!


  • Please log in to reply
13 replies to this topic

#1 lowender (Members, 6 posts)

Posted 30 September 2008 - 12:40 PM

Hello folks,

Apologies if this has come up before but I have tried my best (have spent most of the day in fact) to try and find an answer to this but to no avail.

Currently running XP on an AMD machine (Athlon and 1.2 processor I think) at 768meg ram (sorry for the haziness as I usually use another computer more at the moment and my problem, which I am just about to share, is making it difficult getting into the system area of the cpu). On it I run AVG Antivirus and Zonealarm Firewall.

Today I have, and it would seem rather foolishly, downloaded the following file..

Setup_ver1.1856.0

which when doing a google search brings up only a couple of Virscan.org hits and relates it to a Trojan zlob (?).

I tried deleting it but couldn't. I then went into the Command Prompt and managed to get rid of it from there. Unfortunately it has not fixed the problem following in any way..

Symptoms are.. taskbar changes from XP's usual to classic mode, all icons on my desktop turn blue (as if being selected), disappear and then the computer restarts. (typing shutdown -a as found in another thread does not stop this - occasionally delays it slightly though).

If I try and run my anti-virus (AVG) the computer restarts. I have tried running vcleaner and also restarts just as it loads up (even if I rename it and access it through the command prompt - although it does seem to last a little longer before it does). I have also tried running MS Malicious Software Removal Tool but this barely starts before computer either restarts or the computer freezes for sometime then reboots. Basically if I try and do anything to fix it my computer reboots! - sometimes it just freezes.. particularly after having unchecked the auto restart (right click My Computer-Properties-Advanced-System Restore - as again found elsewhere).. either that or I get the BSOD.

Currently I have removed the internet connection cable from the back of the computer (have tried all my tinkering with it offline since thinking I might be infected) and am out of ideas.

Any help would be greatly appreciated.



#2 boopme (Global Moderator, 72,924 posts, NJ USA)

Posted 30 September 2008 - 01:10 PM

Hello and welcome. Please download and scan with SmitFraudFix by S!Ri.
Post the scan report log in your next reply. The report can be found at the root of the system drive, usually at C:\rapport.txt .

NEXT run an MBAM scan

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 lowender (Topic Starter, Members, 6 posts)

Posted 30 September 2008 - 01:40 PM

hey, thank you for the response.

I cannot seem to connect to the net. The computer boots up, I log in, and then try and open either firefox or IE and then the computer freezes. Have tried four times now. Two of which Zonealarm popped up with a warning along the lines of..

Webproxy.exe is trying to connect to the internet

The first time I said no and the computer shortly rebooted, the second I said yes and the computer froze (going into classic style taskbar before it did so).

Should I be turning AVG or Zonealarm off first?

Thanks

#4 lowender (Topic Starter, Members, 6 posts)

Posted 30 September 2008 - 04:12 PM

I've just had a Blue Screen Stop Message which reads..

c000021a 0xc0000005 (0x00000000 0x00000000) fatal system error

I've done some digging but not getting very far.

If anybody could help I'd be very grateful..

#5 boopme (Global Moderator, 72,924 posts, NJ USA)

Posted 30 September 2008 - 06:53 PM

You cannot boot the PC at all now? I believe this is now both a malware and hardware (probably driver) issue. I would recommend a reinstall of the operating system. It will get rid of both matters.


You will need to ask these questions in the XP forum for more details.
How to reinstall and/or the ERROR message

#6 lowender (Topic Starter, Members, 6 posts)

Posted 01 October 2008 - 07:59 AM

Yes, I can still boot the machine up in normal mode, but within a short time it restarts. It will boot no problem (it just won't boot at all in safe mode).

what would be the chances of moving the infected hard drive to a slave position, having a new drive with a fresh operating system, and recouping my files before a reinstall?

Would this work?

As ever, I have a lot of stuff I could do without losing!

Thanks

#7 lowender (Topic Starter, Members, 6 posts)

Posted 01 October 2008 - 12:06 PM

A friend suggested that I turn off system restore points.
It took me a few goes as the computer keeps restarting but managed to do it.
Now my BSOD's read as follows

0x000000B4 (0x8396C148, 0x83931000, 0x83930000, 0x00050000)
The Video Driver Failed to Initialize

The suggestion from MSN Help and Support is to make an adjustment in Device Manager, but I can't keep the computer running long enough to do this as it always reboots before I can. Alternatively, MSN H&S suggests you can change the setting in the BIOS: an IO setting, changing it from 03BC to 378.. but mine is already on 378.

The help file says..

This error occurs in VGA mode but not in Safe Mode. The parallel port driver does not load in Safe Mode but it does in VGA mode.

..but my problem is that my computer will not start in safe mode. Every time I select this the computer runs lines (for example Windows/system32/<filename>) but seems to get stuck on one called

agpCPQ.sys

then reboots.

So, as opposed to the above, mine will start in normal mode (but then freeze and reboot after a short time), but WILL NOT start in safe mode.

Please help!!

#8 boopme (Global Moderator, 72,924 posts, NJ USA)

Posted 01 October 2008 - 01:00 PM

Would be handy to have even an infected Restore point to fall back on than none at all.
Can you possibly complete a malware scan so we can also tell if that is / is not a problem. Let me know.. as I will move this topic where better brains on hardware will get to see it and provide the needed assistance.

#9 lowender (Topic Starter, Members, 6 posts)

Posted 01 October 2008 - 03:27 PM

thanks again for the reply.

Unfortunately the computer won't stay alive long enough to run a scan. I have tried using an assortment of scanning software (malbytes, vcleaner, superantispyware etc.) but those that require installation can't install in the time it takes the computer to reboot, and those that don't (i.e. vcleaner) get part way through a scan only for the computer to restart (or go to blue screen).

With regards to the above message about the video driver failing to initialize, I think I have onboard graphics as the AGP (brown) slot has no card in it.

thanks for your continued assistance

#10 boopme (Global Moderator, 72,924 posts, NJ USA)

Posted 01 October 2008 - 03:38 PM

I am going to move this to Internal hardware as we need an idea of how to check those errors......

Edit: you're welcome

Edited by boopme, 01 October 2008 - 03:39 PM.


#11 hamluis (Moderator, 55,406 posts, Killeen, TX)

Posted 01 October 2008 - 05:40 PM

Well...the first step:

0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED

This occurs when Windows switches into kernel mode and a user-mode subsystem, such as Winlogon or the Client Server Runtime Subsystem (CSRSS), is compromised. Security can no longer be guaranteed. Because Win XP can't run without Winlogon or CSRSS, this is one of the few situations where the failure of a user-mode service can cause the system to stop responding. This Stop message also can occur as a result of malware infestation or when the computer is restarted after a system administrator has modified permissions so that the SYSTEM account no longer has adequate permissions to access system files and folders.

My contribution :thumbsup:, I have not seen any article or web post that really has a handle on how to fix...although there are a number of "snakeoil" vendors purporting to know the way.

Louis

#12 mikep77 (Members, 13 posts)

Posted 14 November 2008 - 05:40 AM

The last 2 computers I've worked on infected with Smitfraud/Zlob/AntiVirusXP2009 have resulted in a c000021a error

After several hours of attempting to get it working, here is my solution, which worked both times. There may be an easier solution, but this worked for me. I too haven't found any information on how to solve this.

1. Boot from the Ultimate Boot CD
2. Open C:\windows\system32, sort by date modified, and delete the random filename items and ones that look suspicious. (If you are unsure, google the filename to see if it's legit.) Usually these files will be dated on or around the date of infection - and later.
3. Open up Regedit (remote) and navigate to HKLM\software\microsoft\windows NT\winlogon\notify and you'll see entries made by the infection (look for the odd random filenames)
4. Navigate to HKLM\software\microsoft\windows\currentversion\Run and delete the entries that are malicious
5. Use EzPCFix (located in Anti-Spyware tools) and scan the registry items, BHOs and Winlogon areas. Delete entries and file associations.
6. Perform a REPAIR installation of your OS (in my cases XP)


I have found that if you just do step 6 and not any regedits it will still BSOD upon completion.

Hope this helps anybody.

{PLEASE NOTE warning in next response}..Mod edit by boopme

Edited by boopme, 14 November 2008 - 03:49 PM.
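The steps above amount to three checks: recently modified files in system32, Winlogon Notify subkeys, and Run key values. The script below is an added example, not from the poster or the thread, that performs those checks read-only and flags rather than deletes, so a backup (ERUNT, as the next post advises) and a human decision still come before any removal. It assumes an elevated PowerShell on the affected machine; the full Notify path includes CurrentVersion, which the post abbreviates; the infection date is a constructed placeholder.

```powershell
# Added example: read-only triage of the locations named in the post.
$InfectionDate = Get-Date '2008-09-30'          # constructed placeholder; set to the real date
$Sys32 = Join-Path $env:SystemRoot 'System32'

# 1. system32 files written on or after the infection date (the post sorts by date modified)
Get-ChildItem -Path $Sys32 -File |
    Where-Object { $_.LastWriteTime -ge $InfectionDate } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Name, Length |
    Format-Table -AutoSize

# 2. Winlogon\Notify: every subkey names a DLL that winlogon loads; check each one's signature
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $NotifyKey) {
    Get-ChildItem $NotifyKey | ForEach-Object {
        $dll  = (Get-ItemProperty $_.PSPath).DLLName
        # a bare file name resolves relative to system32
        $path = if ($dll -and (Test-Path (Join-Path $Sys32 $dll))) { Join-Path $Sys32 $dll } else { $dll }
        $sig  = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'FILE MISSING' }
        [pscustomobject]@{ Subkey = $_.PSChildName; DLLName = $dll; Signature = $sig }
    } | Format-Table -AutoSize
}

# 3. Run key: flag values whose target was written after the infection date or no longer exists
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
(Get-ItemProperty $RunKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |          # skip PowerShell's own PSPath/PSParentPath etc.
    ForEach-Object {
        # strip surrounding quotes and trailing arguments to isolate the executable path
        $exe  = ($_.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $flag = ''
        if (Test-Path $exe) {
            if ((Get-Item $exe).LastWriteTime -ge $InfectionDate) { $flag = 'RECENT' }
        } else { $flag = 'PATH NOT FOUND' }
        [pscustomobject]@{ Name = $_.Name; Command = $_.Value; Flag = $flag }
    } | Format-Table -AutoSize
```

Anything flagged RECENT, unsigned, or missing is a candidate to look up by name before touching it; the script changes nothing on its own.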


#13 boopme (Global Moderator, 72,924 posts, NJ USA)

Posted 14 November 2008 - 03:48 PM

WARNING: the above topic requires editing the registry. An improper action here can render your PC inoperable. Prior to editing the registry you should back it up.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

#14 mikep77 (Members, 13 posts)

Posted 14 November 2008 - 06:22 PM

WARNING: the above topic requires editing the registry. An improper action here can render your PC inoperable. Prior to editing the registry you should back it up.

Backup Your Registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.


Good precautionary measure but if the computer will not boot in safe or normal mode how can you run that program?
