MajorGeeks Support Forums

Post #1, 03-23-06 19:57, MelanieS (Private E-2)

Trojan.Zlob.I and Download.Trojan

Hello and thanks if you can help me out!

After being informed by Norton Internet Security that I had these two viruses (which it could not remove), I proceeded with all of the instructions in the sticky note before posting this. I had some success with some of the programs, but when I rebooted in normal mode, I was told again by NIS that there is a Trojan on the machine. I'm attaching my logs.

THANKS!

Melanie
Attached Files
File Type: txt bdscan2.txt (17.3 KB, 5 views)
File Type: txt Activescan.txt (9.3 KB, 4 views)
File Type: log hijackthis.log (11.1 KB, 4 views)
Post #2, 03-24-06 00:42, chaslang (MajorGeeks Admin - Master Malware Expert)

Re: Trojan.Zlob.I and Download.Trojan

Welcome to Majorgeeks Melanie!

You have a few nasties hiding in the background. You need to run a few more procedures before we can get started on manual cleaning.

Also answer a question: Is your SpySweeper version the free trial or did you buy it? If free, when did you install it?

Please run the below procedure and attach your smitfiles.txt log.

SpyFalcon Removal Procedure


Now run Windows Explorer and delete the below files. Let me know which ones you find and do not find and whether you get them deleted or not:
C:\Documents and Settings\Melanie\Favorites\GAMBLING <--- the GAMBLING folder
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[1].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[2].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\JJEAXBLB\wdinit64[1].exe
C:\WINDOWS\SYSTEM32\dfrgsrv.exe
C:\WINDOWS\SYSTEM32\f3PSSavr.scr
C:\WINDOWS\SYSTEM32\ot.ico
C:\WINDOWS\system32\1024\ldB490.tmp
C:\WINDOWS\system32\1024\ld6548.tmp
C:\WINDOWS\system32\1024\ld13FD.tmp
C:\WINDOWS\system32\ginuerep.dll
C:\WINDOWS\Temp\win3.tmp.exe <--- in fact delete all files in this Temp folder (which includes the below)
C:\WINDOWS\Temp\win6.tmp.exe
C:\WINDOWS\Temp\win149.tmp.exe
C:\WINDOWS\Temp\win14C.tmp.exe
C:\WINDOWS\Temp\win14F.tmp.exe


The next file will require special steps from the command prompt to locate and delete it since Windows Explorer will not be able to see it.
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
  • Click Start, Run, and enter command in the box and click OK. This opens a command prompt window.
  • Enter the following command lines, each followed by the Enter key:
cd C:\WINDOWS\Downloaded Program Files\
attrib -r -h -s f3initialsetup1.0.0.15.inf
del f3initialsetup1.0.0.15.inf
exit <--- this will close the command prompt window


After doing all of the above get a new PandaActiveScan log and attach it.
Also attach the smitfiles.txt log and a new HJT log.


__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter

Last edited by chaslang; 03-24-06 at 00:49.
Post #3, 03-24-06 02:47, MelanieS (Private E-2)

Re: Trojan.Zlob.I and Download.Trojan

THANK YOU!!!

While I was waiting for a response, I continued with the additional scans recommended in another document. I ran CCleaner, Ewido, a-squared and Kaspersky in safe mode. I also downloaded Process Explorer and Killbox in prep but did not perform anything with them and will wait for instruction to do so.

SpySweeper is a purchased version, on this laptop since I purchased it in September. It is set to perform a scan upon boot.

BTW, I know the main infection occurred on March 21 as my son was home from school and downloaded some guitar tab software and who knows what else without my supervision…. Then the problems began.

Also want to note that my internet connection is wireless. When I run in safe mode, the connection is not made, but when I run in Normal mode, the connection is detected and established automatically. Let me know if this is a problem.


I ran the SpyFalcon fix as you stated.

When I rebooted in Normal mode, the Slimshield icon and an annoying warning about viruses popped up briefly at the bottom right, but then disappeared and has not come back while working.

These windows come up repeatedly as I work:

Norton Antivirus does not support the Repair feature. Please uninstall and reinstall.

Please wait while Windows configures Norton Antivirus.

Norton Antivirus has detected a virus on your computer.
Object Name C:\windows\system32\winccf32.dll
Virus Name Download.Trojan
Action Taken Unable to repair this file.
Action Taken Access to the file was denied.

Also an annoying popup window for Photo Shaman

Files deleted as noted:
C:\Documents and Settings\Melanie\Favorites\GAMBLING <--- the GAMBLING folder
I did not find this file. I believe one of the programs I ran in the interim spotted it and removed it.

C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[1].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[2].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\JJEAXBLB\wdinit64[1].exe
The Folder Content.IE5 is not there.

C:\WINDOWS\SYSTEM32\dfrgsrv.exe
I deleted it.

C:\WINDOWS\SYSTEM32\f3PSSavr.scr
Not found

C:\WINDOWS\SYSTEM32\ot.ico
Not Found

C:\WINDOWS\system32\1024\ldB490.tmp
C:\WINDOWS\system32\1024\ld6548.tmp
C:\WINDOWS\system32\1024\ld13FD.tmp
None of the three found

C:\WINDOWS\system32\ginuerep.dll
Not found

C:\WINDOWS\Temp\win3.tmp.exe <--- in fact delete all files in this Temp folder (which includes the below)
C:\WINDOWS\Temp\win6.tmp.exe
C:\WINDOWS\Temp\win149.tmp.exe
C:\WINDOWS\Temp\win14C.tmp.exe
C:\WINDOWS\Temp\win14F.tmp.exe
I deleted what I found, which was: T30DebugLog, win1.tmp, win3tmp.exe, win14.tmp.exe, win162.tmp

Then I emptied the Recycle Bin

Deleted as directed:
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf

I ran PandaActiveScan, log attached. DARN IT! That Slimshield icon came up again and stayed now. GRRRRR
Attached Files
File Type: txt Activescan.txt (3.6 KB, 1 views)
File Type: txt smitfiles.txt (3.2 KB, 1 views)
File Type: log hijackthis.log (11.7 KB, 1 views)
Post #4, 03-24-06 02:53, chaslang (MajorGeeks Admin - Master Malware Expert)

Re: Trojan.Zlob.I and Download.Trojan

Quote:
Originally Posted by MelanieS
When I rebooted in
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[1].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[2].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\JJEAXBLB\wdinit64[1].exe
The Folder Content.IE5 is not there.
Yes it is there. See your new Panda log. You must make sure you have enabled viewing of hidden & system files per the READ & RUN ME. The files are there, as Panda indicates.

I will work up a procedure for your other issues tomorrow! Need to sleep now! Almost 4 am my time!

Is Ewido also purchased? Or is it the free trial?

Is the below something you installed:
O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
Last edited by chaslang; 03-24-06 at 02:58.

Post #5, 03-24-06 10:58, MelanieS (Private E-2)

Re: Trojan.Zlob.I and Download.Trojan

Hope you got some rest! I was up too late too with this. I really need to fix it as I am afraid to use the computer while it is infected...

Ewido is the free version.
Esnips is software we put on the computer which allows for remote archiving but I am totally fine with removing it.

I am totally baffled by the IE5 folder. There are NO folders in the Temporary Internet Files Folder, and I checked that the settings were still as they should be per the READ THIS FIRST instructions. They are. I see the hidden folders and files as faded icons, but that folder is not there. BUT, I ran ActiveScan yet again and it is picking it up. ??????:

I'm attaching that newest ActiveScan.

Also, when I booted this morning, the Slimshield did the same disappearing act, I'm getting the Trojan warnings from NIS, Windows Installer pops up when I try to open a word document... and several tmp files are attempting to access the internet and I choose not to allow it....

Thanks
Post #6, 03-24-06 11:04, MelanieS (Private E-2)

Re: Trojan.Zlob.I and Download.Trojan

One more thing:

SpySweeper (purchased version)

Picks up the following:

Trojan agent winlogonhook (13 traces) Risk rating Very High
Trojan-downloader-aux (2 traces) Risk rating Very High

It allows me to remove them, but obviously it's only a temporary removal.

And, here's the attached Panda ActiveScan File.
Attached Files
File Type: txt Activescan2.txt (7.2 KB, 1 views)
Post #7, 03-25-06 04:21, chaslang (MajorGeeks Admin - Master Malware Expert)

Re: Trojan.Zlob.I and Download.Trojan

Download and install this tool: ExplorerXP

Use it to look for those files you said you cannot find. Can you find them now?

Make sure all of the below are deleted. Some may come back because you still have more problems to fix.
C:\WINDOWS\SYSTEM32\dfrgsrv.exe
C:\WINDOWS\temp\win1B.tmp.exe
C:\WINDOWS\temp\win2ED.tmp.exe
C:\WINDOWS\temp\win412.tmp.exe
C:\WINDOWS\temp\win42C.tmp.exe
C:\WINDOWS\temp\win423.tmp.exe
C:\WINDOWS\temp\winE.tmp.exe
C:\WINDOWS\temp\win15F.tmp.exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\mullbin1[1].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[2].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\KG3MPVVA\wdinit64[1].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\JJEAXBLB\wdinit64[1].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\Y5MDM7OR\shpop[1].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\Y5MDM7OR\wdinit64[2].exe
C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\Y5MDM7OR\wdinit64[1].exe
After trying to use ExplorerXP (whether it works or not) please attach a new HijackThis log so we can work on the rest of your problems.
Post #8, 03-25-06 04:34, chaslang (MajorGeeks Admin - Master Malware Expert)

Re: Trojan.Zlob.I and Download.Trojan

Here are the next steps! Note there may be some files in the list below that you have already removed. That's okay! It does not hurt us to double check.

Start by downloading two tools we will need (I believe you said you downloaded them already)

- Process Explorer

- Pocket KillBox

Extract them to their own folder somewhere that you will be able to locate them later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of winccf32.dll once and then click the kill button. After you have killed all of the winccf32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of winccf32.dll and kill it.


Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll


Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.
Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32]

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
C:\WINDOWS\SYSTEM32\dfrgsrv.exe
C:\WINDOWS\temp\win1B.tmp.exe
C:\WINDOWS\temp\win2ED.tmp.exe
C:\WINDOWS\temp\win412.tmp.exe
C:\WINDOWS\temp\win42C.tmp.exe
C:\WINDOWS\temp\win423.tmp.exe
C:\WINDOWS\temp\winE.tmp.exe
C:\WINDOWS\temp\win15F.tmp.exe
C:\WINDOWS\SYSTEM32\winccf32.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After the reboot, let's double check with Windows Explorer for the below and delete them if they still exist:
C:\WINDOWS\SYSTEM32\dfrgsrv.exe
C:\WINDOWS\temp\win1B.tmp.exe
C:\WINDOWS\temp\win2ED.tmp.exe
C:\WINDOWS\temp\win412.tmp.exe
C:\WINDOWS\temp\win42C.tmp.exe
C:\WINDOWS\temp\win423.tmp.exe
C:\WINDOWS\temp\winE.tmp.exe
C:\WINDOWS\temp\win15F.tmp.exe


Now attach a new HJT log and tell me how the steps went.
Make sure you tell me how things are working now!
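As an added, defender-side illustration of the O20 line and the fixme.reg above (this is example code, not from this thread, HijackThis or MajorGeeks): the script parses HijackThis-style O20 and O3 lines, flags Winlogon Notify packages that are not stock Windows XP entries or whose DLL is missing, and emits a REGEDIT4 file that deletes the flagged Notify subkeys, the same way the fixme.reg in the post does for winccf32. The sample lines are constructed from the ones quoted in the thread; the O20/O3 line formats are reconstructed from those lines, and the allowlist of stock XP Notify subkeys is an assumption (illustrative, not exhaustive).

```python
"""Triage HijackThis-style log lines for Winlogon Notify persistence.

Added example (not code from this thread, HijackThis or MajorGeeks).
Assumptions: the O20/O3 line formats are reconstructed from the lines quoted
in the thread, and STOCK_XP_NOTIFY is an illustrative, not exhaustive, list
of the Notify subkeys that ship with Windows XP.
"""
import re

# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,",
    r"O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)",
    r"O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll",
    r"O20 - Winlogon Notify: crypt32chain - crypt32.dll",
    r"O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)",
]

WINLOGON_NOTIFY_KEY = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
)

# Assumed allowlist of Notify packages present on a stock Windows XP install.
STOCK_XP_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O3_RE = re.compile(
    r"^O3 - Toolbar: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def triage(lines):
    """Return findings for O20 entries not on the allowlist and orphaned O3 toolbars."""
    findings = []
    for line in lines:
        m = O20_RE.match(line.strip())
        if m:
            name = m["name"]
            if name in STOCK_XP_NOTIFY:
                continue  # expected Windows component, nothing to report
            reasons = ["non-stock Winlogon Notify package: its DLL is loaded into "
                       "winlogon.exe at every logon"]
            if m["missing"]:
                reasons.append("DLL is no longer on disk, leaving an orphaned Notify key")
            findings.append({"type": "O20", "name": name, "path": m["path"],
                             "missing": bool(m["missing"]), "reasons": reasons})
            continue
        m = O3_RE.match(line.strip())
        if m and m["missing"]:
            findings.append({"type": "O3", "name": m["name"], "path": m["path"],
                             "missing": True,
                             "reasons": ["toolbar registration whose DLL is missing; "
                                         "harmless but should be cleaned up"]})
    return findings


def winlogon_notify_fix(findings):
    """Build a REGEDIT4 file like the thread's fixme.reg: a '[-KEY]' line deletes KEY."""
    names = []
    for f in findings:
        if f["type"] == "O20" and f["name"] not in names:
            names.append(f["name"])  # one stanza per subkey, even if reported twice
    body = ["REGEDIT4", ""]
    for name in names:
        body.append("[-%s\\%s]" % (WINLOGON_NOTIFY_KEY, name))
        body.append("")
    return "\r\n".join(body)  # .reg files conventionally use CRLF line endings


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LINES)
    for f in results:
        print("%s %s -> %s" % (f["type"], f["name"], "; ".join(f["reasons"])))
    print(winlogon_notify_fix(results))
```

The point of the allowlist is that a Winlogon Notify package runs inside winlogon.exe, so an unfamiliar name there is worth a look even when the DLL looks innocuous; that is also why the post has you kill the winccf32.dll threads in Process Explorer before Killbox can delete the file.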
Post #9, 03-25-06 09:10, MelanieS (Private E-2)

Re: Trojan.Zlob.I and Download.Trojan

I'm going to begin this process. I can see the files with ExplorerXP! Do I delete them, or delete them permanently? Both options are offered.

Thanks
Post #10, 03-25-06 12:29, chaslang (MajorGeeks Admin - Master Malware Expert)

Re: Trojan.Zlob.I and Download.Trojan

Quote:
Originally Posted by MelanieS
I'm going to begin this process. I can see the files with ExplorerXP! Do I delete them, or delete them permanently? Both options are offered.

Thanks
Since we do not want those files at all, delete them permanently to avoid having them go to the Recycle Bin. We would just have to empty the Recycle Bin afterwards but why bother.
Post #11, 03-25-06 13:37, MelanieS (Private E-2)

Re: Trojan.Zlob.I and Download.Trojan

Whew. I did as instructed. A few times during the process NIS told me I had the Download.Trojan virus again, but not since I rebooted and it looks like the Slimshield is gone.

Here's the HJ log
Attached Files
File Type: log hijackthis.log (11.2 KB, 1 views)
Post #12, 03-25-06 13:41, chaslang (MajorGeeks Admin - Master Malware Expert)

Re: Trojan.Zlob.I and Download.Trojan

Okay just one left over to fix. Have HJT fix the below line and make sure it does not come back:

O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)


If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!
Post #13, 03-25-06 14:53, MelanieS (Private E-2)

Re: Trojan.Zlob.I and Download.Trojan

I did as instructed. Looks good.

One last problem.

When I try to open an MSWord doc, a window pops up from Windows Installer "Preparing to Install"

Then a Norton Antivirus window comes up, stating "Please wait while Windows configures Norton AntiVirus 2005."

Norton AntiVirus 2005 window comes up "Norton AntiVirus 2005 does not support the repair feature, please uninstall and reinstall."

Then an MS Office window appears: "The command cannot be performed because a dialog box is open. Click it, and then close dialog boxes to continue."

When I close all of these windows, MSWord opens and all is well.

When I run NAV, it detects nothing.

SpySweeper is still finding a winlogonhook trojan.
Post #14, 03-26-06 01:58, chaslang (MajorGeeks Admin - Master Malware Expert)

Re: Trojan.Zlob.I and Download.Trojan

Not sure what to tell you about Windows trying to configure Norton. Perhaps it got corrupted from the malware. You may need to do what they say. Uninstall, reboot, reinstall. And I'm not sure why MS Office is getting involved in this.

Try running the below tool. It sometimes fixes corrupted Windows Installer issues.

Windows Installer CleanUp Utility

We will have to run Spy Sweeper in a special mode to remove the winlogonhook problem.

Okay here is what I want you to do. Print or save these steps to a notepad file locally to refer to if necessary because ALL browsers (including this one) must be closed when you do the following.
  • Run Spy Sweeper but do not start a scan yet.
  • Close ALL browser sessions and exit any other programs that are running except SpySweeper (and notepad if you needed it).
  • Open Task Manager by pressing CTRL-SHIFT-ESC.
  • In Task Manager's Process list, locate explorer.exe. Right click on it and select Kill process tree. Do not be alarmed! This will make your Desktop with icons disappear. It is only temporary.
  • Now run a full scan with Spy Sweeper and save a new log.
  • Now in Task Manager click File, New Task (Run...) and enter explorer.exe and click OK. Your Desktop should come back
  • Now attach the new Spy Sweeper log here.
  • Now reboot and run a new Spy Sweeper scan and tell me if it still finds the problem (yes that is two scans with SpySweeper, one to hopefully fix, and one to make sure it fixed).
  • If it does still find a problem, continue with the below Ewido scan and attach the Ewido log: Running Ewido Anti-Malware
All times are GMT -5.