Zlob.downloader, Zlob.AR, Zlob is a Slob!

Hi folks!

My mother's neighbor has a 15 yr old son who repeatedly messes up his computer with tons of viruses. The child keeps getting shuffled about to his mother's home (god help her computer!) and then the father asks me to help fix his computer. The first time (5 months ago?) I just reformatted the entire thing.

This time I came here. You guys have helped me before when some virus got in my machine. Anyway.....

I ran the Read Me & the XP Cleaning Processes & have attached what logs I *could* get below. I ran into some difficulties. ComboFix.exe will not run on the machine (it is a Dell Dimension 3000 running WinXp sp2...with only 256 mb of RAM I might add)

ComboFix repeatedly gives me the "Incompatible OS" message in 17 different languages. It does this both in Safe Mode & out of Safe Mode.

MGTools only flashes a DOS window after I extract it. The window flashes for a second and disappears.

After seeing what SD Search & Destroy reported (Zlob.Downloader, etc), I came here & looked for a removal tool, found the Smithfraudfix.cmb thread and tried to run that. Same deal, DOS window flashes for a second and is gone. Spybot finds these 3 things, but even when I let it run on startup, it cannot remove them.

Same with MBAM, I just get stuck in the same cycle of scanning and attempting to remove & rebooting. ARGH!

One other thing, the AVG Free Virus Vault was so full of 92kb files that I had to entirely uninstall the program and then manually delete the 20,000 files in the Vault to get these logs down to right size. Not to worry though, this rig is off the internet for now, in my home next to my non-sick computer. Same thing with the system32 folder, it had 35,000 .tmp files in it all 92kb. It was threatening to have me scanning into next Christmas. Zlob is a nasty, nasty bugger!!

So anyway, I will attach the SAS, MBAM & HJT logs below, but that is all I could get. I can't get any further without your help, and your efforts are greatly appreciated.

PS. I tried to manually delete those registry keys but the machine tells me it experienced an error in doing so. Ya! The error is Zlob doesn't wanna go away! Thanks for your help.

 

Thanks for your reply, but like I said in my original post from 2 days ago,

MGTools would not run. and yes it is on the root of c:/

ComboFix would also not run.

I followed all the directions meticulously.

And I already tried the TDSSserv Non-Plug & Play Driver Disable fix for this, but there was no TDSSserv present in View Hidden Devices.

 

Wow I'm really so sorry here Tim, I forgot to explain that it was GetLOGS.bat that blinked & disappeared when I clicked on it.

I downloaded MGTools.exe to the C://

it created the MGTools folder. When I go into the MGTools folder, in Safe Mode (yes Safe Mode) open that folder & then double click GetLOGS.bat, a DOS window appears for a split second and disappears.


I know you all volunteer for free, but that is also what I'm doing here.

Next time I'll tell the guy where to go with his poisonous computer.

Death to MySpace.

 

I am in Safe Mode & I double click on C:/MGTools/GetLogs.bat and nothing happens.

I ran all the steps on the Using MGTools thread to address error messages even though I don't get any error messages.

Oh, wait one second.

 

ahh forget that machine, I'm reformatting

 

Oh Tim I didnt see your reply before I already started the reformat. Yeah....kinda why I posted those other logs.

Ah well.

 

OK, so here i am on the newly reformatted machine. Thank you Tim, very much for trying to help me!! I am taking this machine back to my mom's neighbor tomorrow and recommending he never, ever let his son on it ever, ever again.

 

oh that's what he HAD - and his Dad swore up and down the kid wasn't even going to come home and use the machine anymore. But I created his a passworded account with NO admin & passworded the Dad's account. And he still mucked it all up in like 5 days!

I'll tell ya though, this is seriously the best birth control I have ever encountered!

I will set your thread as his home page :-D

 

oh yeah good idea, I am on it!