MajorGeeks Support Forums

  #1  
Old 11-07-06, 13:30
jasears
Private E-2
 
Join Date: Nov 2006
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
ZLOB Trojan

Hello MG Community,

I, too, have been attacked by a version of the ZLOB Trojan. My homepage has been hijacked (to iewarning.com ), where I'm prompted to buy some bogus anti-spyware software, e.g., Virus Burster and Malware Wipe.

I've managed to get rid of the annoying "Critical System Error!" balloon--spelled "baloon"--message.

I've joined your ranks and am following your recommended cleaning & scanning procedures.

I'll post another message with my scans attached.

Thanks in advance for all your help.

Jeff

Last edited by DavidGP; 11-07-06 at 13:58.. Reason: edited live hijacker URL to save anyone potentially using that bogus soft
  #2  
Old 11-07-06, 23:40
bjgarrick
MajorGeeks Admin - Malware Expert
 
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Re: ZLOB Trojan

Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
  • Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

Downloading, Installing, and Running HijackThis
  • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis
NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
  #3  
Old 11-08-06, 14:44
jasears
Private E-2
 
Join Date: Nov 2006
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
ZLOB Trojan Recovery #1

Hello,

Thanks for the swift reply to my initial post.

In summary, I have spyware on my PC that hijacks my browser (IE6) to this site: iewarning.com, where I'm prompted to purchase bogus software, e.g., Malware Wipe. By the way, I'm running Windows XP PRO 2002 SP2.

I've followed your standard malware removal procedure, steps 0-7. It went well and I encountered only a few issues/problems.

In step 4, I couldn't find the MS Windows Malicious Software Tool but did run the MS Windows Defender scan.

In step 6A, I couldn't run the Bitdefender & Panda Active scans in the Safe Mode since I couldn't access the Internet; I ran the scans in the Normal mode.

In step 6C, I could not take other courses of action, such as accessing "Special Removal Procedures." I can't navigate the MG support forum. (I get a message about the board moving to another site and try to clear the DNS cache. However, I can't flush the DNS cache from the command prompt using the ipconfig /flushdns command--it won't execute.)

My first three scans are attached for your information.

I appreciate your help.

Jeff
Attached Files
File Type: txt bdscan.txt (32.1 KB, 0 views)
File Type: txt Activescan.txt (1.4 KB, 1 views)
File Type: txt runkeys.txt (16.2 KB, 0 views)

Last edited by DavidGP; 11-08-06 at 14:51.. Reason: edited hijack url so others may not be infected
  #4  
Old 11-08-06, 14:47
jasears
Private E-2
 
Join Date: Nov 2006
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
ZLOB Trojan #2

Hello,

I'm attaching my other two scans for your review.

Thanks.

Jeff
Attached Files
File Type: txt newfiles.txt (25.7 KB, 0 views)
File Type: log hijackthis.log (10.4 KB, 2 views)
  #5  
Old 11-08-06, 21:56
bjgarrick
MajorGeeks Admin - Malware Expert
 
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Re: ZLOB Trojan

Please look in Add/Remove Programs for the following and uninstall them if found:

VidCodecs

SpyNoMore

Viewpoint

(Anything Viewpoint)

Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

isamonitor.exe

ViewMgr.exe

isamini.exe

CDAC11BA.EXE

Now scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\VidCodecs\isaddon.dll

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Spyware Removal Tools\CCleaner\ccleaner.exe" /AUTO

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EX

Again, make sure ALL browser windows are closed when you click FIX.

Now, please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\Program Files\VidCodecs Delete this whole folder if it exists!

C:\Program Files\Viewpoint Delete this whole folder if it exists!

C:\Program Files\SpyNoMore Delete this whole folder if it exists!

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

Next, run CCleaner to clean up cookies and temp files.

NOW:
Click Start > Run > type services.msc and Click OK

Locate C-DillaCdaC11BA - Macrovision and RightClick on it to bring up the Service Properties Window.
First: Stop the service by clicking the Stop Button.
Next: Disable it by changing the Startup Type to Disabled and click Apply

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:
  • Disable and Re-enable System Restore

  • Turn OFF System Restore to flush any bad Restore Points.

  • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also please attach a fresh HJT log.
  #6  
Old 11-09-06, 00:35
jasears
Private E-2
 
Join Date: Nov 2006
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Re: ZLOB Trojan

Hello Friend,

It appears that the air marshal has shot dead the hijacker!

I can now go directly to my home page.

Much thanks for your help.

I'm attaching my HJT scan for your review. One concern is the stubbornness of the "VidCodec" BHO.

What security software do you recommend?

Jeff
Attached Files
File Type: log hijackthis.log (9.5 KB, 3 views)
  #7  
Old 11-09-06, 05:32
bjgarrick
MajorGeeks Admin - Malware Expert
 
Join Date: Oct 2004
Location: Southern Alabama
Posts: 16,069
Thanks: 0
Thanked 224 Times in 221 Posts
Re: ZLOB Trojan

Have HJT fix the entry below. Once you complete this your log will be clean.

Quote:
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\VidCodecs\isaddon.dll (file missing)
Are you having any current problems?
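The fix lists in posts #5 and #7 are, in effect, a set of indicators checked against a HijackThis log by eye: a BHO CLSID, Run entries pointing into the VidCodecs, SpyNoMore and Viewpoint folders, an O6 policy lock on Internet Explorer's settings, and the C-Dilla service. The script below is an added example, not code from this thread or from HijackThis, that does the same check over HijackThis-style log lines. The line formats are inferred from the entries quoted in the thread, the indicator set is built only from the items bjgarrick asked to have fixed or removed (the MusicMatch and CCleaner startup items he also ticked are deliberately left out, as they are not tied to the hijacker), and the sample log is constructed from the quoted entries plus two benign lines added so the filter has something to skip. It also records the "(file missing)" state that post #7 refers to, which tells the reader that only the registry entry is left to fix.

```python
"""Triage HijackThis-style log lines against the indicators named in this thread.

Added example, not code from the thread or from HijackThis. Line formats are
inferred from the entries quoted in posts #5 and #7; the indicator set lists
only the VidCodecs, SpyNoMore, Viewpoint and C-Dilla items the helper named.
"""
import re
from typing import Dict, List

# Indicator set constructed from the thread's fix list (not a vendor database).
SUSPECT_CLSIDS = {"{274c0420-ebe0-4f1d-b473-edd1aa9b85dd}"}  # VidCodecs isaddon.dll BHO
SUSPECT_IMAGES = {"isaddon.dll", "snm.exe", "viewmgr.exe",
                  "isamonitor.exe", "isamini.exe", "cdac11ba.exe"}
SUSPECT_FOLDERS = ("\\vidcodecs\\", "\\spynomore\\", "\\viewpoint\\")
SUSPECT_SERVICES = {"c-dillacdac11ba"}

# One pattern per HijackThis section that appears in the thread (format assumed
# from the quoted lines).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9a-f-]+\}) - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O6_RE = re.compile(r"^O6 - (?P<key>HK\w+\\.+?) present$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.*?) - (?P<path>.+)$")


def _image_name(command: str) -> str:
    """File name of the .exe/.dll in a command line, quoted or not, arguments ignored."""
    m = re.search(r'([^\\/"]+\.(?:exe|dll))\b', command, re.I)
    return m.group(1).lower() if m else ""


def _path_hit(path: str) -> str:
    """Reason text if the path names a file or folder from the fix list, else ''."""
    low = path.lower()
    image = _image_name(low)
    if image in SUSPECT_IMAGES:
        return f"image {image} is in the fix list"
    for folder in SUSPECT_FOLDERS:
        if folder in low:
            name = folder.strip("\\")
            return f"path is under {name}, a folder in the fix list"
    return ""


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that matches an indicator."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O2_RE.match(line)):
            reason = ("BHO CLSID is in the fix list"
                      if m.group("clsid").lower() in SUSPECT_CLSIDS
                      else _path_hit(m.group("path")))
            if reason:
                findings.append({"section": "O2", "line": line, "reason": reason,
                                 "file_missing": m.group("missing") is not None})
        elif (m := O4_RE.match(line)):
            reason = _path_hit(m.group("cmd"))
            if reason:
                findings.append({"section": "O4", "line": line, "reason": reason,
                                 "file_missing": False})
        elif (m := O6_RE.match(line)):
            # Any O6 entry means Internet Explorer options are locked by policy;
            # the helper had this one fixed, so every O6 is reported for review.
            findings.append({"section": "O6", "line": line,
                             "reason": "IE settings locked by policy: " + m.group("key"),
                             "file_missing": False})
        elif (m := O23_RE.match(line)) and m.group("svc").lower() in SUSPECT_SERVICES:
            findings.append({"section": "O23", "line": line,
                             "reason": f"service {m.group('svc')} is in the fix list",
                             "file_missing": False})
    return findings


def fix_list(findings: List[Dict[str, object]]) -> List[str]:
    """The lines to tick in HijackThis, in the order the log lists its sections."""
    return [str(f["line"]) for f in
            sorted(findings, key=lambda f: int(str(f["section"])[1:]))]


# Constructed sample log: the entries quoted in posts #5 and #7 plus two benign
# lines added here (SoundMan, Windows Audio) so the filter has something to skip.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\VidCodecs\isaddon.dll (file missing)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ccleaner] "C:\Spyware Removal Tools\CCleaner\ccleaner.exe" /AUTO
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Windows Audio - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        note = " [file missing: only the registry entry is left to fix]" if f["file_missing"] else ""
        print(f"{f['section']:>3}  {f['reason']}{note}")
        print(f"      {f['line']}")
```

Run against the sample it reports five lines: the BHO (with the file-missing note), the two Run entries, the O6 lock and the C-Dilla service, and leaves the SoundMan, CCleaner and Windows Audio lines alone. Matching on folder name as well as image name is what catches a renamed dropper still living under C:\Program Files\VidCodecs.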
All times are GMT -5.