Win32.Trojandownloader.Zlob help

Discussion in 'Malware Help (A Specialist Will Reply)' started by 2pro4show, Feb 2, 2008.

  1. 2pro4show

    2pro4show Private E-2

    My computer running Windows XP was starting to become rather slow so I downloaded Ad-Aware 2007 Free to see what was up. Results after the jump:

    http://i162.photobucket.com/albums/t247/_The_Cheese_/adaware.jpg

    When I press "Delete", the threats seem to be removed, but after another scan, they are still detected and still not removed. I've tried searching around and figuring out how to fix this myself but no luck. I then followed the instructions you outlined here, which I thought had done the trick, but apparently not. The malware itself isn't terrible from what I can tell but I'd like to get rid of it. It opens a pop-up to a different site when I start Internet Explorer, most of the time saying something like "Your computer has been infected (etc.), download this software to fix it!". Obviously I didn't install a thing since they are not legitimate at all. I even recently had it happen to me in Firefox for the first time.

    Please tell me exactly what to do and I'll follow. I sincerely thank you for any help you'll be able to give me.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    If your PC is running slow, you don't want to install Ad-Aware 2007 because it will just make it slower: it runs a resource-hogging service all the time. Since the free Ad-Aware 2007 provides no protection and is not really going to adequately help you fix many real malware issues, as you have seen, you should uninstall it.


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. 2pro4show

    2pro4show Private E-2

    First of all, thank you for the quick response.

    Ok. I uninstalled Ad-Aware and followed all the steps in the Read & Run Me. The only problem I encountered was after the AVG scan. The scan was completed and I pressed "Apply all actions". AVG deleted the threats. Then when I went into the Reports tab, it said that no reports were available (the "Save report as" button was gray and unclickable), yet I did make sure to check "Automatically generate reports" before the scan, and it was still checked when I looked at it afterwards. As a result I have no AVG scan report. The best I could do at that point was take a screenshot, though I doubt it will be of much use to you:

    http://i162.photobucket.com/albums/t247/_The_Cheese_/AVGscan.jpg

    As you can see, there are plenty of Tracker Cookies (all of them from my brothers, since I always delete my cookies after every Firefox session). It did, however, find that "Dropper.Agent.dgo" threat. The AVG description said that it takes harmless programs and runs harmful backdoor stuff without the user knowing - could this be what was opening those pop-ups in IE and Firefox? And if AVG deleted it, is it truly gone? I hope some of what I said could be of use, I'm just trying to provide as much information as possible to aid you.

    Attached are the successful reports of ComboFix and MGtools. I ran ComboFix first, then AVG (which seemed to delete what was detected), and then MGtools, in case the order in which I did it matters. I also have both the reports prior and after scans of SmitfraudFix, which I ran before making this thread to try to get rid of Zlob, in case you also want to take a look at that.

    Thank you again for all the help so far.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cookies are not problems. Don't worry about them.

    The order in which they appear in the READ ME is the order in which they should be run. This applies to all steps/instructions that we give.

    Your Symantec/Norton Internet Security program has gotten infected and you will have to uninstall it now. After uninstalling it run the below tool:

    Norton Removal Tool (SymNRT)

    DO NOT reinstall Norton yet. We need to remove your infections first.

    Then reboot your PC and continue on with the below steps.

    Are the below 2 items from something you installed?
    O4 - HKLM\..\Run: [SharK] C:\WINDOWS:sharK3.com
    O4 - HKCU\..\Run: [sharK Server] C:\WINDOWS:sharK3.com



    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkklk.exe
    O2 - BHO: (no name) - {8F3F38C6-B850-4F92-B5B6-C413B3710060} - C:\WINDOWS\system32\jkklk.dll
    O2 - BHO: {6cd915a9-cc1f-f45b-ad64-9de444418159} - {95181444-4ed9-46da-b54f-f1cc9a519dc6} - C:\WINDOWS\system32\aysekmsb.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gzuiglkk.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [anti_virus] C:\WINDOWS\system32\halo.bat
    O4 - HKLM\..\Run: [a89463f8] rundll32.exe "C:\WINDOWS\system32\gpvxggjh.dll",b
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: gzuiglkk - gzuiglkk.dll (file missing)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    RenV::
    ----a-w            21,488 2008-02-03 16:05:22  C:\Documents and Settings\Marc Landry\Local Settings\Application Data\Google\Update\1.0.103.0\GoogleUpdate .exe
    ----a-w            19,952 2008-02-02 20:40:29  C:\Documents and Settings\Marc Landry\Local Settings\Application Data\Google\Update\1.0.97.0\GoogleUpdate .exe
    ----a-w           685,336 2008-02-03 16:05:32  C:\Documents and Settings\Marc Landry\My Documents\TVUPlayer2.3.3.2beta\TVUPlayer\TVUPlayer .exe
    ----a-w           256,000 2008-01-30 16:48:34  C:\Documents and Settings\Philippe Landry\Start Menu\Programs\Startup\PowerReg Scheduler .exe
    ----a-w           339,968 2008-02-03 16:04:54  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    ----a-w           286,016 2008-02-03 16:06:45  C:\Program Files\BitTorrent_DNA\dna .exe
    ----a-w            36,040 2008-01-24 20:36:15  C:\Program Files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    ----a-w           110,592 2008-02-03 16:04:45  C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
    ----a-w            53,408 2008-02-03 16:14:00  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w            57,344 2008-02-03 16:04:51  C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol .exe
    ----a-w         1,103,480 2008-02-03 16:05:24  C:\Program Files\Download Manager\DLM .exe
    ----a-w            68,856 2008-02-03 03:16:31  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    ----a-w         6,731,312 2008-02-03 04:05:26  C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas .exe
    ----a-w            49,152 2008-02-03 16:04:48  C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
    ----a-w           267,064 2008-02-03 16:04:58  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           144,784 2008-02-03 16:05:10  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
    ----a-w           286,720 2008-02-02 05:14:15  C:\Program Files\QuickTime\qttask      .exe
    ----a-w           286,720 2008-02-03 16:05:17  C:\Program Files\QuickTime\qttask .exe
    ----a-w         4,109,824 2008-02-03 16:04:25  C:\Program Files\Windows Live\Messenger\msnmsgr         .exe
    ----a-w         4,109,824 2008-02-03 15:50:01  C:\Program Files\Windows Live\Messenger\msnmsgr        .exe
    ----a-w         4,109,824 2008-02-03 03:49:52  C:\Program Files\Windows Live\Messenger\msnmsgr       .exe
    ----a-w         4,109,824 2008-02-02 23:23:37  C:\Program Files\Windows Live\Messenger\msnmsgr      .exe
    ----a-w         4,109,824 2008-02-02 20:39:25  C:\Program Files\Windows Live\Messenger\msnmsgr     .exe
    ----a-w         4,109,824 2008-02-02 15:33:07  C:\Program Files\Windows Live\Messenger\msnmsgr    .exe
    ----a-w         4,109,824 2008-02-02 05:13:31  C:\Program Files\Windows Live\Messenger\msnmsgr   .exe
    ----a-w         4,109,824 2008-02-01 14:53:00  C:\Program Files\Windows Live\Messenger\msnmsgr  .exe
    ----a-w         4,109,824 2008-01-31 15:36:23  C:\Program Files\Windows Live\Messenger\msnmsgr .exe
    ----a-w            90,112 2008-02-03 16:04:46  C:\WINDOWS\UpdReg .EXE
    ----a-w            64,512 2008-02-02 23:24:19  C:\WINDOWS\ehome\ehtray .exe
    ----a-w           158,208 2008-02-03 16:01:45  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
     
    Driver::
    jfdcd
     
    File::
    C:\DOCUME~1\RENELA~1\LOCALS~1\Temp\jfdcd.sys
    C:\WINDOWS\system32\aysekmsb.dll
    C:\WINDOWS\system32\gpvxggjh.dll
    C:\WINDOWS\system32\gzuiglkk.dll
    C:\WINDOWS\system32\gzuiglkk.dllbox
    C:\WINDOWS\system32\xfdxcfej.dll
    C:\WINDOWS\system32\jkklk.exe
    C:\WINDOWS\system32\jkklk.dll
    C:\WINDOWS\system32\jpg.dll
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\RCX16E.tmp
    C:\WINDOWS\000001_.tmp
    C:\WINDOWS\65F1CF6331E0450B96F34A88BE7361A6.TMP
    C:\WINDOWS\SwSys1.bmp
    C:\WINDOWS\SwSys2.bmp
    C:\WINDOWS\system32\hjggxvpg.ini
    C:\WINDOWS\system32\klkkj.ini
    C:\WINDOWS\system32\klkkj.ini2
    C:\Documents and Settings\Marc Landry\Local Settings\Temp\l0lpwsls.exe
    C:\Documents and Settings\Marc Landry\Local Settings\Temp\qdnw8q7r.exe
    C:\Documents and Settings\Marc Landry\Application Data\kernel33.dll
    C:\Documents and Settings\Marc Landry\Application Data\syspnetworkZ4.txt
     
    Folder::
    C:\Program Files\Common Files\Symantec Shared
     
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5fd71622-b309-11dc-920f-00111187ad0b}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gzuiglkk]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
    "AVG Anti-Spyware Guard"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Feb 5, 2008
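The RenV:: block in the fix above lists executables whose file names carry whitespace before the extension ("qttask .exe", "msnmsgr         .exe"), in some cases several copies of the same binary with different amounts of padding. The script below is an added example, not code from the thread, ComboFix or RenV: it parses listing lines in that format, groups them under the path they would have without the padding, and reports each group with its copies ordered by modification time and a note on whether the copies share one size. The reading that these are padded copies of legitimate binaries is an assumption of this example; the sample lines are copied from the thread's own listing.

```python
"""Group ComboFix 'RenV::' listing lines by their un-padded path.

Added example; not part of the MajorGeeks thread, ComboFix or RenV.
Sample listing constructed from a subset of the thread's RenV:: block.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LISTING = r"""
----a-w           286,720 2008-02-02 05:14:15  C:\Program Files\QuickTime\qttask      .exe
----a-w           286,720 2008-02-03 16:05:17  C:\Program Files\QuickTime\qttask .exe
----a-w         4,109,824 2008-02-03 16:04:25  C:\Program Files\Windows Live\Messenger\msnmsgr         .exe
----a-w         4,109,824 2008-01-31 15:36:23  C:\Program Files\Windows Live\Messenger\msnmsgr .exe
----a-w           144,784 2008-02-03 16:05:10  C:\Program Files\Java\jre1.6.0_04\bin\jusched .exe
----a-w            90,112 2008-02-03 16:04:46  C:\WINDOWS\UpdReg .EXE
"""

# attrs, size with thousands separators, timestamp, then the path (which may contain spaces)
LINE_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# whitespace sitting directly between the stem and the final extension
PADDED_EXT_RE = re.compile(r"^(?P<stem>.*?)(?P<pad>\s+)(?P<ext>\.[^.\\\s]+)$")


def parse_listing(text):
    """Return one dict per listing line: attrs, size (int), mtime (datetime), path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # blank lines and section headers such as 'RenV::'
        entries.append({
            "attrs": m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
            "mtime": datetime.strptime(m.group("mtime"), "%Y-%m-%d %H:%M:%S"),
            "path": m.group("path"),
        })
    return entries


def canonical_name(path):
    """Lower-cased path with any padding before the extension removed, plus the pad length."""
    directory, _, name = path.rpartition("\\")
    m = PADDED_EXT_RE.match(name)
    pad = 0
    if m:
        name = m.group("stem") + m.group("ext")
        pad = len(m.group("pad"))
    return (directory + "\\" + name).lower(), pad


def find_padded_copies(entries):
    """Map canonical path -> entries (oldest first) for paths with a padded variant."""
    groups = defaultdict(list)
    for e in entries:
        canon, pad = canonical_name(e["path"])
        groups[canon].append(dict(e, pad=pad))
    return {canon: sorted(items, key=lambda i: i["mtime"])
            for canon, items in groups.items() if any(i["pad"] for i in items)}


def report(groups):
    """Human-readable summary; 'DIFFERING' marks groups whose copies are not all one size."""
    lines = []
    for canon, items in sorted(groups.items()):
        sizes = {i["size"] for i in items}
        lines.append(f"{canon}: {len(items)} padded copy(ies), "
                     f"{'uniform' if len(sizes) == 1 else 'DIFFERING'} size")
        for i in items:
            lines.append(f"    pad={i['pad']:2d} size={i['size']:>9,} "
                         f"mtime={i['mtime']:%Y-%m-%d %H:%M:%S}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_padded_copies(parse_listing(SAMPLE_LISTING))))
```

Paste a full RenV:: block in place of SAMPLE_LISTING to get the same grouping for a real log; a group whose copies differ in size deserves a hash comparison before anything is renamed back.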
  5. 2pro4show

    2pro4show Private E-2

    I uninstalled Norton through Add/Remove Programs and successfully ran the Norton Removal Tool.

    No, they are not. I've only recently seen them appear in the Processes tab of Windows Task Manager when I open it; I can't remember ever knowingly installing something related to them.

    I wanted to check with you before continuing beyond this point. The similar fonts and colors represent the closest similar item I could find in HijackThis. For the ones that I did not change, I was able to find an exact replica.

    O2 - BHO: (no name) - {0CAE470C-CB5C-4BBD-B527-A2A9D327F2CB} - C:\WINDOWS\system32\jkklk.dll
    I did not find anything with "aysekmsb.dll" at the end. The closest result I could find is pictured in this link.
    O4 - HKLM\..\Run: [a89463f8] rundll32.exe "C:\WINDOWS\system32\xfdxcfej.dll",b

    I've also screencapped the first part of the results in case something catches your eye.
     
  6. 2pro4show

    2pro4show Private E-2

    (I would've edited the last post, but the Edit button seems to disappear after a certain amount of time...)

    I'd also like to say that I just scanned my MSN Messenger executable (msnmsgr.exe) with AVG Anti-Spyware and it reportedly found Dropper.Agent.dgo in it. It's in Quarantine right now.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then add those lines to the analyse.exe (hijackThis) fix.


    This kind of malware will rename itself during power down/up or reboots. This is the same problem with a new file name. The key is the [a89463f8] text. Fix this line too.

    Just continue on thru all steps.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Take a look at the ComboFix CFScript.txt fix I posted. This was in the fix.
     
  9. 2pro4show

    2pro4show Private E-2

    Attached are the requested logs. I just want to clarify: if all went well, was that the final removal step needed to get rid of the malware on my computer?

    Thank you very much for all the help.

    No pop-ups or anything out of the ordinary so far. I'll post again in a few days to see if anything happens until then.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No all did not go well. You are still infected and we need to do some additional fixes.

    Why are you allowing the below to run all the time on your PC?? Are you always uploading to YouTube every minute of the day and every time you use your PC??? If not, then this should not be running.
    C:\Documents and Settings\Marc Landry\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe


    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    fhmiqkhq.dll
    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    fhmiqkhq.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fhmiqkhq.dll
    O20 - Winlogon Notify: fhmiqkhq - C:\WINDOWS\SYSTEM32\fhmiqkhq.dll

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    Driver::
    kernel33
    fhmiqkhq
     
    File::
    C:\WINDOWS\system32\fhmiqkhq.dll
    C:\WINDOWS\system32\fhmiqkhq.dllbox
    C:\WINDOWS\system32\lpaikwod.dll
    C:\Documents and Settings\Philippe Landry\Application Data\kernel33.dll
    C:\Documents and Settings\Patrick Landry\Application Data\kernel33.dll
     
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fhmiqkhq]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
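Posts 4, 7 and 10 above work from the same few signals in the HijackThis lines: DLLs with random-looking eight-letter names in system32 loaded as a BHO and as a Winlogon Notify package, a Run value named by eight hex digits ([a89463f8]) that keeps its name while the DLL behind it is renamed across reboots, entries marked "(file missing)", a command line pointing at "C:\WINDOWS:sharK3.com" (a second colon after the drive letter, which on NTFS names an alternate data stream rather than a file), and the padded "qttask .exe" name. The script below is an added example, not code from the thread, HijackThis or MGtools: it parses O2/O4/O20/F3 lines, flags those signals, and pairs two logs by persistence key (Run value name, BHO CLSID, Notify name) to show which entries only changed their target path, which is what post 7 says to look for. The randomness heuristic and its thresholds are this example's assumptions; the reversed-name .ini companion check is taken from the fix list itself, where jkklk.dll sits beside klkkj.ini and gpvxggjh.dll beside hjggxvpg.ini. Sample lines are copied from the thread.

```python
"""Triage HijackThis-style autostart lines and match entries across two logs.

Added example; not part of the MajorGeeks thread, HijackThis or MGtools.
OLD_LOG / NEW_LOG are constructed from lines quoted in the thread.
"""
import re

OLD_LOG = [
    r"O2 - BHO: (no name) - {8F3F38C6-B850-4F92-B5B6-C413B3710060} - C:\WINDOWS\system32\jkklk.dll",
    r"O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\gzuiglkk.dll (file missing)",
    r"O4 - HKLM\..\Run: [SharK] C:\WINDOWS:sharK3.com",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [a89463f8] rundll32.exe "C:\WINDOWS\system32\gpvxggjh.dll",b',
    r"O20 - Winlogon Notify: gzuiglkk - gzuiglkk.dll (file missing)",
]
NEW_LOG = [
    r'O4 - HKLM\..\Run: [a89463f8] rundll32.exe "C:\WINDOWS\system32\xfdxcfej.dll",b',
    r"O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fhmiqkhq.dll",
    r"O20 - Winlogon Notify: fhmiqkhq - C:\WINDOWS\SYSTEM32\fhmiqkhq.dll",
]

ENTRY_RE = re.compile(r"^(?P<type>O2|O4|O20|F3) - (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
WININI_RE = re.compile(r"^REG:win\.ini: load=(?P<path>.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^:\\]+$")   # drive:\dir:stream
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
MISSING = "(file missing)"


def parse_line(line):
    """Return {'type','key','name','path','line'} for O2/O4/O20/F3 lines, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    typ, rest = m.group("type"), m.group("rest")
    if typ == "O4":
        r = RUN_RE.match(rest)
        if not r:
            return None
        q = QUOTED_RE.search(r.group("cmd"))
        path = q.group(1) if q else r.group("cmd").split()[0]
        return dict(type=typ, key=("O4", r.group("hive"), r.group("name").lower()),
                    name=r.group("name"), path=path, line=line)
    if typ == "O2":
        r = BHO_RE.match(rest)
        return r and dict(type=typ, key=("O2", r.group("clsid").lower()),
                          name=r.group("name"), path=r.group("path"), line=line)
    if typ == "O20":
        r = NOTIFY_RE.match(rest)
        return r and dict(type=typ, key=("O20", r.group("name").lower()),
                          name=r.group("name"), path=r.group("path"), line=line)
    r = WININI_RE.match(rest)
    return r and dict(type="F3", key=("F3", "load"), name="load", path=r.group("path"), line=line)


def looks_random(stem):
    """Assumed heuristic: eight lowercase letters with few vowels or a long consonant run."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels <= 2 or longest >= 4


def assess(rec):
    """List the reasons an entry deserves a second look (empty list = nothing flagged)."""
    reasons = []
    if MISSING in rec["path"]:
        reasons.append("target missing on disk")
    clean = rec["path"].replace(MISSING, "").strip()
    name = clean.rpartition("\\")[2]
    stem, dot, _ext = name.rpartition(".")
    if not dot:
        stem = name
    if ADS_RE.match(clean):
        reasons.append("path names an NTFS alternate data stream")
    if stem != stem.rstrip():
        reasons.append("whitespace before the extension")
    if looks_random(stem):
        reasons.append(f"random-looking module name (also look for {stem[::-1]}.ini)")
    if rec["type"] == "O4" and HEX_NAME_RE.match(rec["name"]):
        reasons.append("Run value named by 8 hex digits")
    if rec["type"] == "F3":
        reasons.append("legacy win.ini load= autostart")
    return reasons


def triage(lines):
    """[(line, reasons)] for every line that parsed."""
    return [(l, assess(rec)) for l in lines for rec in [parse_line(l)] if rec]


def match_renamed(old_lines, new_lines):
    """Entries present in both logs under the same key but with a different target path."""
    def index(lines):
        return {rec["key"]: rec for rec in map(parse_line, lines) if rec}
    old, new = index(old_lines), index(new_lines)
    renamed = []
    for key in old.keys() & new.keys():
        a = old[key]["path"].replace(MISSING, "").strip().lower()
        b = new[key]["path"].replace(MISSING, "").strip().lower()
        if a != b:
            renamed.append((key, old[key]["path"], new[key]["path"]))
    return sorted(renamed)


if __name__ == "__main__":
    for line, reasons in triage(OLD_LOG):
        print(line, "->", "; ".join(reasons) or "nothing flagged")
    for key, before, after in match_renamed(OLD_LOG, NEW_LOG):
        print("renamed under", key, ":", before, "=>", after)
```

The eight-letter heuristic is deliberately loose: it catches gzuiglkk, fhmiqkhq, aysekmsb and gpvxggjh without flagging explorer or winlogon, but misses lpaikwod from the fix list, so treat it as a prompt for review rather than a verdict. The key-based pairing is the useful part for a re-infected log: a Run value or BHO CLSID that is still there with a new DLL behind it is the same entry to fix again, as post 7 says.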
     
  11. 2pro4show

    2pro4show Private E-2

    I don't. I end the process on startup. In fact, I don't need it anymore, I'll just uninstall it.

    I did not find any of those .dll files in Process Explorer, just to let you know.

    Here are the logs. Thanks again for the help.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but I still saw it in your last logs.

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note the space between the X and the /U; it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  13. 2pro4show

    2pro4show Private E-2

    I followed all instructions and now have the recommended anti-virus/firewall/spyware software installed and running.

    Thank you very, very much for all the help.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     