ZLOB Trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jasears, Nov 7, 2006.

  1. jasears

    jasears Private E-2

    Hello MG Community,

I, too, have been attacked by a version of the ZLOB Trojan. My homepage has been hijacked (to iewarning.com), where I'm prompted to buy some bogus anti-spyware software, e.g., Virus Burster and Malware Wipe.

    I've managed to get rid of the annoying "Critical System Error!" balloon--spelled "baloon"--message.

    I've joined your ranks and am following your recommended cleaning & scanning procedures.

    I'll post another message with my scans attached.

    Thanks in advance for all your help.

    Jeff
     
    Last edited by a moderator: Nov 7, 2006
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. jasears

    jasears Private E-2

    ZLOB Trojan Recovery #1

    Hello,

    Thanks for the swift reply to my initial post.

    In summary, I have spyware on my PC that hijacks my browser (IE6) to this site: iewarning.com, where I'm prompted to purchase bogus software, e.g., Malware Wipe. By the way, I'm running Windows XP PRO 2002 SP2.

    I've followed your standard malware removal procedure, steps 0-7. It went well and I encountered only a few issues/problems.

    In step 4, I couldn't find the MS Windows Malicious Software Tool but did run the MS Windows Defender scan.

    In step 6A, I couldn't run the Bitdefender & Panda Active scans in the Safe Mode since I couldn't access the Internet; I ran the scans in the Normal mode.

    In step 6C, I could not take other courses of action, such as accessing "Special Removal Procedures." I can't navigate the MG support forum. (I get a message about the board moving to another site and try to clear the DNS cache. However, I can't flush the DNS cache from the command prompt using the ipconfig /flushdns command--it won't execute.)

    My first three scans are attached for your information.

    I appreciate your help.

    Jeff
     


    Last edited by a moderator: Nov 8, 2006
  4. jasears

    jasears Private E-2

    ZLOB Trojan #2

    Hello,

    I'm attaching my other two scans for your review.

    Thanks.

    Jeff
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    VidCodecs

    SpyNoMore

    Viewpoint

    (Anything Viewpoint)

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    isamonitor.exe

    ViewMgr.exe

    isamini.exe

    CDAC11BA.EXE


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\VidCodecs\isaddon.dll

    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Spyware Removal Tools\CCleaner\ccleaner.exe" /AUTO

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EX

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\VidCodecs Delete this whole folder if it exists!

    C:\Program Files\Viewpoint Delete this whole folder if it exists!

    C:\Program Files\SpyNoMore Delete this whole folder if it exists!

    C:\WINDOWS\System32\drivers\CDAC11BA.EXE

    Next, run CCleaner to clean up cookies and temp files.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate C-DillaCdaC11BA - Macrovision and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also please attach a fresh HJT log.
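    As an added example (not from this thread or from HijackThis itself), a small Python parser for the O2/O4/O6/O23 log lines quoted above that flags entries naming the VidCodecs, SpyNoMore, Viewpoint and C-Dilla items the post tells the user to remove. The sample log is constructed from those lines; the indicator list and the CLSID are taken from the post.

```python
import re

# Constructed sample log: the HijackThis lines quoted in the post above (the service
# line completed with the .EXE name the post gives in its delete list).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\VidCodecs\isaddon.dll
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Spyware Removal Tools\CCleaner\ccleaner.exe" /AUTO
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
"""

# Names the post tells the user to uninstall, end or delete (lower-cased for matching).
INDICATOR_NAMES = ("vidcodecs", "spynomore", "viewpoint", "cdac11ba", "isamonitor", "isamini")
INDICATOR_CLSIDS = {"{274c0420-ebe0-4f1d-b473-edd1aa9b85dd}"}
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_entry(line):
    """Split one HJT log line into section, names and path; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {"section": section, "raw": line.strip(), "name": "", "clsid": "", "path": body}
    if section == "O2":  # O2 - BHO: <name> - {CLSID} - <dll path>
        name, clsid, path = (p.strip() for p in body[len("BHO:"):].split(" - ", 2))
        entry.update(name=name, clsid=clsid, path=path)
    elif section == "O4":  # O4 - <hive>\..\Run: [<value name>] <command line>
        hive, rest = body.split(": [", 1)
        name, command = rest.split("] ", 1)
        entry.update(hive=hive, name=name, path=command)
    elif section == "O23":  # O23 - Service: <service> - <vendor> - <image path>
        name, vendor, path = (p.strip() for p in body[len("Service:"):].split(" - ", 2))
        entry.update(name=name, vendor=vendor, path=path)
    return entry  # other sections keep the whole body as the value to match against

def flag_entries(log_text):
    """Return the parsed entries whose name, path or CLSID matches a listed indicator."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        haystack = (entry["name"] + " " + entry["path"]).lower()
        if entry["clsid"].lower() in INDICATOR_CLSIDS or any(n in haystack for n in INDICATOR_NAMES):
            flagged.append(entry)
    return flagged
```

    Run against the sample, it returns the BHO, the two SpyNoMore/Viewpoint Run entries and the C-Dilla service, and leaves the CCleaner and O6 lines alone.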
     
  6. jasears

    jasears Private E-2

    Hello Friend,

    It appears that the air marshal has shot dead the hijacker!

    I can now go directly to my home page.

    Much thanks for your help.

    I'm attaching my HJT scan for your review. One concern is the stubbornness of the "VidCodec" BHO.

    What security software do you recommend?

    Jeff
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the entry below. Once you complete this your log will be clean.

    Are you having any current problems?
     
