IE Critical Trojan.Zlob-X.a

Discussion in 'Malware Help (A Specialist Will Reply)' started by maglib, Nov 30, 2007.

  1. maglib

    maglib Private First Class

    Thank you for running this forum. In 12 years this is the first time I had to actually ask for help. I have a new Vista Home pc which I am lost about all its security features and did have a difficult time running many of the steps as although I am an administrator it appears many of the things couldn't load or fix correctly. I didn't find anything using Windows defender of malicious spyware removal or Spybot that I thought were useful. I use McAfee and have a firewall and I think I got this on Wednesday when my son was searching Oprah Winfrey eye color on the web and he yelled that something started downloading and I stopped it, now I get

    "Critical System Warning" Your system is probably infected with the latest version of Trojan.Zlob-X.a Full system optimization will greatly increase your computers performance and prevent data loss. Click OK to download antispyware. software recomended.

    It used to take over my internet explorer searches and make the first outcomes to be some sex website or a site that starts downloading immediately which I just shut down.
    I did put the website on my IE Restricted site list although I can't figure out now what the site was. It didn't do anything.
    I now after trying all these fixes get the following when I first open IE:
    Cannot find'::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}'.Make sure the path or Internet address is correct. I close that and IE still opens although it almost appears that it opens a ghostly version that disappears with another version in front (I may never have noticed this before and it may just be normal). No longer does it go to the sex site.


    The AVG showed some cookies and then I have Hijack this which I don't understand so here I am.

    I appreciate any assistance. Thanks in advance.
     

    Attached Files:

    Last edited: Nov 30, 2007
  2. maglib

    maglib Private First Class

    Here is a mglogs.zip. I now realize I didn't run as administrator the first time.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please note that the READ & RUN ME does not ask you to attach a HijackThis log. The reason for this is the MGtools already gets one automatically and puts it into the MGlogs.zip file. This was explained on the download page.

    That being said, you still did not get MGtools to run properly.

    Did you also disable UAC as requested in the instructions? Please make sure UAC is disabled and then continue with the below.

    Run FixIEDef as shown below. This tool removes IE Defender and the associated Trojan.Downloader.Delf infection.
    1. Download FixIEDef.zip by ShadowPuterDude to the Desktop.
    2. Double-click FixIEDef.zip, this will create a folder named FixIEDef on your Desktop.
    3. Double-click the FixIEDef folder.
    4. Locate FixIEDef.bat and double-click on it.
    5. FixIEDef will now run.
    6. Press any key to close the CMD Console when the script is finished.
    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


    Then go to the C:\MGtools folder and run the GetLogs.bat file by double clicking on it. Let me know if you get any error messages. If it runs properly a new C:\MGlogs.zip file will be created. Please attach it.

    Also tell me if there is any change to your Zlob problem? There should be if FixIEDef was run.
     
  4. maglib

    maglib Private First Class

    Much thanks for your quick response. Sorry for being lost and not getting it right. It was a lot to take in as I'm not experienced with Vista and had many an issue trying to download and save with administrator errors.

    I did disable UAC by clicking on disable uac.reg and I got some reply about something with keys were added to the registry. I will try it again and also run what you said to and will post it shortly.

    Could it have anything to do with that I had to save the files to my username and then copied the file to the root or program files depending on the instructions. Although I'm the administrator it doesn't let me run to c:\, I had even tried fixing this and got very confused on security/admin issues.


     
  5. maglib

    maglib Private First Class

    I did what you said when I ran the first thing during the scan it said Access is denied to C:\windows\System32\powervideo.dll

    I definitely did DisableUAC.reg so I'm not sure if that has any impact.

    Here is the new log too.

    I didn't get the Critical system error when I went into IE but it came back when I tried to upload the Getlogs.bat. I also didn't get the error message about the file being missing when I went into IE. You've already helped me out now I pray you can help me fix this once and for all.

    Much thanks.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    GetLogs.bat is not running properly. I'm not sure if Windows Vista is causing you a problem or if it is something else like McAfee or another program interfering. We need to get those logs to continue. Let's try something different.

    Click Start, Run, and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter the below command followed by the Enter key and tell me what happens.

    GetRunKey

    If the command prompt window is still open, you can just type exit to close it or click the X to close the window.

    Also look in your C:\Windows\System32 folder for the powervideo.dll file and tell me if you see it. This is part of the IEDefender malware we are trying to remove.
     
  7. maglib

    maglib Private First Class

    I didn't know if you needed this from the run of IEdef. I notice on the bottom something about Chinese p2p???
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No we don't need this. It is just what changes have gone into the FixIEDef program. Did you see my other message? We were posting at the same time.
     
  9. maglib

    maglib Private First Class

    When I run getrunkey it says is not recognized as an internal or external command operable program or batch file.

    Yes, PowerVideo.dll is there. Should I delete it in DOS?


     
  10. maglib

    maglib Private First Class

    I also just got back the message when I opened IE about "Cannot find '::{2559 ....
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. I left something out. Before running GetRunKey enter the below command at the command prompt.

    cd C:\MGtools

    Now what happens?

    Yes, see if it allows you to delete it. If not, try renaming it to PowerVideo.BAD
     
  12. maglib

    maglib Private First Class

    it's working but has pause with "adding: runkeys.txt (160 bytes security) <deflated 80%>"
     
  13. maglib

    maglib Private First Class

    It's still paused but here is the notepad file it created. I still haven't gotten the chance to try and delete or rename that file.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does a notepad window open with the runkeys.txt log in it? It should right after the above message you saw prints.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ah! Okay it ran properly. Not sure why it is not running when GetLogs.bat is used.

    Now run ShowNew from the command prompt. This should give you a log named newfiles.txt

    Note: The runkeys.txt and newfiles.txt logs should automatically be added to the C:\MGlogs.zip file as the scans complete.
     
  16. maglib

    maglib Private First Class

    We posted at the same time, did you see the log?
     
  17. maglib

    maglib Private First Class

    Do I stop this run or just shut the window as I can't type in it.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you still have notepad with runkeys.txt showing, close it. And then from the same command prompt window where you ran GetRunKey (and after doing the cd C:\MGtools) enter the ShowNew command
     
  19. maglib

    maglib Private First Class

    Here it is.
     

    Attached Files:

  20. maglib

    maglib Private First Class

    When I tried to delete or rename powervideo.dll I got:
    "The process cannot access the file because it's being used by another process."
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's good! Still don't know why they do not run from GetLogs.bat.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Video On-line - {BD907325-42B2-4077-BA63-F636B627C998} - C:\Windows\System32\PowerVideo.dll
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now delete all files in the below folder. Windows will block deletion of a couple from the current date.
    C:\Users\Maggs\AppData\Local\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger. Hopefully it runs properly this time.

    Make sure you tell me how things are working now!

    I'll be back tomorrow .........well that is later today. Got to sleep now. ;)
     
  22. maglib

    maglib Private First Class

    Thanks I've been up for 25 hours and the kids will be up in about 3 hours. I appreciate all the help and I hope I can get through this by tomorrow. Good Night.
     
  23. maglib

    maglib Private First Class

    The avenger is only for XP and 2000 and I'm on vista. Any other solution?

    Thanks I hope you got some sleep.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! It was late. ;)

    Make sure that ComboFix.exe that you downloaded while running the READ ME is on your Desktop. This is necessary for the below steps to work. But DO NOT run it.

    Print the below instructions because at a point during them you MUST (this can be critical) shutdown all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (double click the thumbnail to expand it)
    CFScript.jpg
    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.
     
    Last edited: Dec 4, 2007
  25. maglib

    maglib Private First Class

    1A. Part of my Vista issue and not being able to run appears to be issues with administrator options. I have to be able to right click and choose run as administrator or many files in the root don't work correctly. When I download files that are supposed to save to anything other than users/maggs I need to save them in my profile and then move them to C:\ manually as they won't save in download mode.

    1. There is no file on my computer called CFScript.jpg.

    2. Since I was so sleepy last night I tried to redo some of the things (I think I couldn't run the one as I was doing it in windows vs. running it in the cmd as administrator mode) and am attaching new logs.

    2. I did try to drag ComboFix-do.txt over ComboFix.exe and got a blue screen that said "out of memory Freeware implementation of REG.Exe has stopped working."

    In the other screen it said "Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt." Note spelt vs. spelled

    3. I was able to delete PowerVideo.dll

    4. When I tried to delete temp these 2 didn't delete:
    sqlite_k4ezxH1CIlaTVPa
    (first character was a squiggly which I can't find on keyboard) then it was DFCA26.tmp

    5. I'm still getting cannot find '::{2559AlF4-2lD7-llDr-BMF-00...... (I can't read my own handwriting)


    Thanks again. I got only 2.5 hours of sleep. I see you've been extremely busy today and it appears many people have same issue. I guess this stuff runs in spurts and is meant to mess with holiday spirits?
     
  26. maglib

    maglib Private First Class

    here's the mglogs.zip too
     

    Attached Files:

  27. maglib

    maglib Private First Class

    First time logs didn't attach. Here is runkeys.txt, newfiles.txt and procdll.txt (I was able to run GetLogs.bat in DOS mode as administrator option only)
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean. You already attached the MGlogs.zip file in message # 27. You don't need to attach these logs as they are in MGlogs.zip.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not supposed to have this file on your PC. The instructions did not say that.

    I forgot to change the ComboFix-do.txt to CFScript.txt. See the previous procedure which I just edited to make it correct. However since you have been able to delete the PowerVideo.dll file we don't need to re-run the fix now.


    Exactly when are you getting this? Make sure you give me the exact word for word message. Do not abbreviate. And wherever you are getting it, does it happen every time? Does it also happen in safe boot mode?
     
  30. maglib

    maglib Private First Class

    I don't get the error if I use IE from my desktop but, if I run IE from my Windows Menu then I get the following message in a Windows Internet Explorer box (it has a red circle with a white x in it):

    Cannot find '::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}'.Make sure the path or Internet address is correct. OK

    I hit the close box and not OK. IE then opens normally. I'm worried to hit OK.

    I don't see anything else wrong at this point. Is there something wrong with the IE option through windows start?

    Aside from that I was trying to understand hijackthis log and wanted to confirm if it was safe to delete the following:
    O1 - Hosts: ::1 localhost

    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

    010 - ALL OF THESE:
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll

    O13 - Gopher Prefix:


    Additional questions: What do I need to do to restore my secure status? Should I delete all those files I downloaded?

    Any other clean up I should do?

    Yours appreciatively,
    maglib
     
  31. maglib

    maglib Private First Class

    I also just found out that I can't turn windows security Center Service on. When I try to turn on now, I get the same red circle with white x "the security center service can't be started."
     
  32. maglib

    maglib Private First Class

    Another issue when I shutdown and turned the pc back on it went into the default non-password everyone else sign on and there is an internet explorer error message (yellow triangle with black exclamation point):
    "The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive? Yes/No".

    I decided to go to another pc and haven't answered it.
     
  33. maglib

    maglib Private First Class

    Cannot find '::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}'.Make sure the path or Internet address is correct. OK

    I hit the close box and not OK. IE then opens normally. I'm worried to hit OK.

    I still get this even in safe mode when I go through the start/IE menu but not when I go through the desktop IE. I have reset my IE with no change.

    Other issues from last 2 still exist too like not being able to get Security Center to work.

    Thanks.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This does not appear to be due to malware. You may want to check in the Software Forum for ideas.

    Those items from your HJT log are normal and some you may need. The below are probably not needed:

    O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    For Security Center, try uninstalling Spybot and see what happens.
     
  35. maglib

    maglib Private First Class

    I uninstalled both spybot and AVG and rebooted with no luck. The icon disappeared on the taskbar.

    I ran services.msc and double clicked on Security Center and got the message that:

    "Configuration Manager: The specified device instance handle does not correspond to a present device."


    Then the Log On (I changed this in a prior run which had previously selected this account with stars for password) is now Local System account and the Allow service to interact with desktop is not checked.

    The general tab i switched from Automatic (delayed start) to automatic and attempted to start and got the error message:
    Windows could not start the Security Center service on Local Computer.
    Error 1079:The account specified for this service is different from the account specified for other services running in the same process.


    Vista is way too confusing and I have no clue what the above means. Do you?


    On other notes, to get rid of the IE message I cheated and just deleted the old one off the start menu and pinned the desktop shortcut IE to the start menu and now no more problem. No clue why but, I guess it won't matter.


    Thanks. Do you take contributions via paypal?
     
  36. maglib

    maglib Private First Class

    I got the security center to work but, I'm not 100% sure how. I ran Services.msc and started switching some of the things to start and then it ran. If I've got it right, it was either User Profile Service or Windows Installer and if I look at it after reboot User Profile Service is started although Windows Installer is not. It was not Remote Registry nor SecurityCenter that I'm positive of as I tried after doing both of those. Anyone else having this problem I would suggest having them start some of these functions although maybe changing Log On for both RemoteRegistry and SecurityCenter to NT AUTHORITY\LocalService and deleting the passwords also helped? I'm not sure.

    At this point my Services.msc looks like this (I'm also attaching a copy I hope):

    RemoteRegistry is automatic and its Log On is Local Service (I deleted both passwords and they automatically were filled in).

    SecurityCenter still says when I double click it the following error:
    "Configuration Manager: The specified device instance handle does not correspond to a present device."
    it looks like: automatic and started with Log On set to Local Service and same password delete that was auto filled in.


    Any idea if this is good or not or what the SecurityCenter error means?
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below two Procedures

    Procedure 1
    1. Click the Start, Run and enter eventvwr.msc in the box and click OK.
    2. Accept the UAC prompt
    3. Expand Windows Logs and click on System
    4. On the right-hand side, click "Filter current log..."
    5. Select "Warning," "Critical," and "Error" and hit OK
    6. Find the event(s) from the Service Control Manager that relates to the
      Security Center Service and select it
    7. Hit the "Copy" button on the right hand side
    8. Reply to this message and paste the entire event into your response
    Procedure 2

    1. Click the Start and select All Programs:Accessories
    2. Right-click Command Prompt and select "Run as administrator..."
    3. In the command prompt, type sc qc wscsvc
    4. Click the little "C:\_" icon in the upper left corner
    5. Select Edit:Mark...
    6. Click-drag the cursor over all the output from the sc command to select it
    7. Right-click anywhere in the selection
    8. In your reply to this post, paste the output so we can see what it says.
    The above information may give a little more information on what is going on.
     
  38. maglib

    maglib Private First Class

    There are 1000's of messages relating to servicing and many other things as well, looks like this pc has had issues since before I even received it. Is there an easier way to send you the details or am I giving too much. This is only 2 of thousands of warning, error and critical messages. I pray this is normal......

    Here is a recent ones under servicing:
    Log Name: System
    Source: Microsoft-Windows-Servicing
    Date: 11/29/2007 9:05:43 AM
    Event ID: 4376
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: MAGGSVISTAPC\Maggs
    Computer: homeoffice-pc
    Description:
    Servicing has required reboot to complete the operation of setting package KB941649_1(Update) into Install Requested(Install Requested) state
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Servicing" Guid="{bd12f3b8-fc40-4a61-a307-b7a013a069c1}" EventSourceName="Microsoft-Windows-Servicing" />
    <EventID Qualifiers="32768">4376</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2007-11-29T14:05:43.000Z" />
    <EventRecordID>21340</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>homeoffice-pc</Computer>
    <Security UserID="S-1-5-21-3888322268-3302397270-4173792592-1000" />
    </System>
    <UserData>
    <CbsPackageChangeState xmlns="http://manifests.microsoft.com/win/2004/08/windows/setup_provider">
    <PackageIdentifier>KB941649_1</PackageIdentifier>
    <ReleaseType>Update</ReleaseType>
    <PackageState>Install Requested</PackageState>
    <PackageAssembly>Package_1_for_KB941649~31bf3856ad364e35~x86~~6.0.2.1</PackageAssembly>
    <Operation>Installed</Operation>
    <OperationCompleted>True</OperationCompleted>
    <ErrorCode>0x0</ErrorCode>
    <RebootOption>True</RebootOption>
    <MissingElements>
    </MissingElements>
    </CbsPackageChangeState>
    </UserData>
    </Event>


    Here is one under Service Control Manager eventlog Provider:
    Log Name: System
    Source: Service Control Manager
    Date: 12/3/2007 10:42:23 PM
    Event ID: 7000
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: MaggsVistaPC
    Description:
    The Security Center service failed to start due to the following error:
    The account specified for this service is different from the account specified for other services running in the same process.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Service Control Manager" Guid="{555908D1-A6D7-4695-8E1E-26931D2012F4}" EventSourceName="Service Control Manager" />
    <EventID Qualifiers="49152">7000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2007-12-04T03:42:23.000Z" />
    <EventRecordID>23423</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>MaggsVistaPC</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="param1">Security Center</Data>
    <Data Name="param2">%%1079</Data>
    </EventData>
    </Event>
     
    Last edited by a moderator: Dec 5, 2007
  39. maglib

    maglib Private First Class

    Microsoft Windows [Version 6.0.6000]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>sc qc wscsvc
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: wscsvc
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Security Center
    DEPENDENCIES : RpcSs
    : winmgmt
    SERVICE_START_NAME : NT AUTHORITY\LocalService

    C:\Windows\system32>
     
    Last edited by a moderator: Dec 5, 2007
  40. maglib

    maglib Private First Class

    Here is the log attached I think.

    Sadly it was too big to attach. Here is just Error for Service Control Manager and Servicing with no details:
     

    Attached Files:

    Last edited by a moderator: Dec 5, 2007
  41. maglib

    maglib Private First Class

    I also found the following in control panel/System and Maintenance/Problem Reports and Solutions/View Problem History (looks like Combofix has some issues in compatibility but, I can't figure out how to copy this report nor print it other than screen shots to onenote and saving). Its shortcut is Windows\System32\wercon.exe


    I just learned how to zip a file so I attached it and the error report.
    Sorry about being somewhat clueless.
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well this is a somewhat typical problem on Vista that seems to be occurring more and more frequently. If you are still having problems we may have to play around with services.msc and for the Security Center Service on the Log On tab to change the account specified to NT AUTHORITY\LocalService and delete the passwords. I have used this a few times and sometimes it works and sometimes it does not. It works more reliably under Windows XP than in Vista.


    Similar procedures have been used in the past for other services like Remote Registry. An example of that can be found here:

    http://windowsxp.mvps.org/remotereg.htm
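
Added example, not part of the original thread or of MGtools: a check for the condition behind Error 1079 discussed above, which parses `sc qc` output and flags shared svchost groups whose services are configured with different logon accounts. The first sample is the `sc qc wscsvc` output posted in the thread; the second is constructed, and `ExampleSvc` is a hypothetical service name.

```python
import re
from collections import defaultdict

# `sc qc wscsvc` output as posted in the thread (account already corrected).
HEALTHY = r"""
C:\Windows\system32>sc qc wscsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wscsvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Center
DEPENDENCIES : RpcSs
: winmgmt
SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

# Constructed input: ExampleSvc is a hypothetical sibling in the same svchost
# group, and wscsvc's Log On account has been switched to LocalSystem.
BROKEN = r"""
SERVICE_NAME: ExampleSvc
TYPE : 20 WIN32_SHARE_PROCESS
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: wscsvc
TYPE : 20 WIN32_SHARE_PROCESS
BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
SERVICE_START_NAME : LocalSystem
"""

# Field names are upper-case and at least two characters long, which keeps
# prompt lines such as "C:\Windows\system32>" from being read as fields.
FIELD = re.compile(r"^([A-Z_]{2,})\s*:\s*(.*)$")
CONTINUATION = re.compile(r"^:\s*(.*)$")  # e.g. second DEPENDENCIES line
SVCHOST_GROUP = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


def parse_sc_qc(text):
    """Parse one or more concatenated `sc qc` outputs into a list of dicts."""
    services, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        field = FIELD.match(line)
        cont = CONTINUATION.match(line)
        if field:
            key, value = field.groups()
            if key == "SERVICE_NAME":  # each record starts with this field
                current = {}
                services.append(current)
            if current is not None:
                current[key] = value.strip()
                last_key = key
        elif cont and current is not None and last_key:
            joined = current[last_key] + " " + cont.group(1)
            current[last_key] = joined.strip()
    return services


def find_account_mismatches(services):
    """Return {svchost group: {account: [service names]}} for every shared
    group whose member services do not all use the same logon account."""
    groups = defaultdict(lambda: defaultdict(list))
    for svc in services:
        if "SHARE_PROCESS" not in svc.get("TYPE", ""):
            continue  # own-process services cannot hit this error
        match = SVCHOST_GROUP.search(svc.get("BINARY_PATH_NAME", ""))
        if not match:
            continue
        account = svc.get("SERVICE_START_NAME", "").lower()
        groups[match.group(1).lower()][account].append(svc["SERVICE_NAME"])
    return {g: dict(a) for g, a in groups.items() if len(a) > 1}


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, find_account_mismatches(parse_sc_qc(sample)))
```

On a live system the input would be the concatenated `sc qc` output of every service in the group, collected from an elevated command prompt.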
     
