Dowloader.zlob.aty

Discussion in 'Malware Help (A Specialist Will Reply)' started by Spirit28, Jan 11, 2007.

  1. Spirit28

    Spirit28 Private E-2

    Hi there geeks,

    I got infected by downloader.zlob.aty. I followed most of the sticky thread and also part of djbouti's thread. But that does not seem to be the right one because I cannot find any of the registry values in the HJT log mentioned there.

    Could you please help me!
    I'll attach the logs I made during the last few days.
     

    Attached Files:

  2. Spirit28

    Spirit28 Private E-2

    More logs
     

    Attached Files:

  3. Spirit28

    Spirit28 Private E-2

    And some more
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware Log - ONLY IF NEEDED because you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  5. Spirit28

    Spirit28 Private E-2

    Hi shadow,

    I guess I earned your reply, sorry for not being clear and wasting your time.
    I'll attach my observations and the logs you requested.

    Symptoms: When using Google search and following one of the links that result from the search, my browser gets redirected to several sites, of which "kellysearch" is most of the time the first one. These point to non-search-related items not suitable for children.
    NORTON did not find anything infected!!
    Furthermore Notepad does not work anymore, therefore when anything was meant to be saved using Notepad I used WORD and saved it as a txt file.

    0 - Did not find any programs that should not be there. I did uninstall the AVG spyware scanner since that might be a double virus scanner together with Norton.
    I did set the normal startup mode (was already there) and did a reboot

    1 – House cleaning
    a. I checked the Norton quarantine, it was empty. However I did not find the NPROTECT folder using explorer. The link in the sticky thread did not help finding it.
    b. I ran Ccleaner for all of the normal accounts present on this computer. I’ll do the administrator later on when changing to SAFE MODE.
    2 – Hidden files – was already enabled
    3 – See the first item, done.
    4 – Done, Counterspy still there from previous scan.
    5 – SAFE MODE started and network cable unplugged.
    Ran Ccleaner for the administrator account.
    Spybot did not find any viruses, only a disabled Windows Security Center, which is how I set it up together with Norton.
    The bitdefender scan did not give me the option “save report” so I made a copy in WORD and saved it as a TXT file.
    I did run runkeys and shownew as directed in the sticky thread.
    I did rename HJT to the suggested name.
     

    Attached Files:

  6. Spirit28

    Spirit28 Private E-2

    And the other requested logs.

    I hope you can help me now,

    Thanks,

    Spirit28
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Follow the directions for:
    - Smitfraud, SpySheriff, SpyAxe & PSGuard Removal
    - WareOut Removal

    REBOOT

    Post a fresh HijackThis log. HijackThis logs need to be from Normal Mode
     
  8. Spirit28

    Spirit28 Private E-2

    I followed all the instructions except for copying the Fixreg.reg file since notepad does not work at my computer currently. I used the Visual C++ editor.

    For the Smitfraud removal I did not find any of the items mentioned in the thread, and I still get redirected to websites other than those in the links of the Google search results.
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I did not ask for an ActiveScan log.

    I still need the logs from FixWareout and a HijackThis log.
     
  10. Spirit28

    Spirit28 Private E-2

    The request for the active scan log was in the thread of Smitfraud etc. that's why I sent it.

    The Fixwareout program does not work on my computer. I can download and run it, but no reboots take place. After approving twice to continue the program just disappears. Also, no report is present.
    Therefore I did not proceed with the next step Network connections of fixwareout.

    I ran HJT again, the log is attached.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    OK, let's start with cleaning up some left over processes and services from Anti-Virus packages you removed.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to CA License Client or CA_LIC_CLNT (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    CA License Client or CA_LIC_CLNT (Whichever you found above)

    Repeat the process for the following Services:
    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Click on the "Back" Button

    Click the 'Scan' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Using Sophos Anti-Rootkit

    Post the following logs:
    1. Sophos Anti-RootKit log
    2. ShowNew
    3. GetRunKey
    4. HijackThis
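Pocket Killbox's "Delete on Reboot", and the PendingFileRenameOperations prompt the instructions above ask about, both come down to one registry value: Windows queues deferred deletes and renames (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and replays it at the next boot before anything can lock the files. The prompt appears when that list is already non-empty, i.e. another tool has queued work that a careless overwrite would discard. The block below is an added example, not code from the thread or from Killbox: it encodes and decodes that value format so you can see what is actually scheduled. Its sample paths are constructed placeholders, not files from the thread's logs.

```python
"""Decode and build Windows' PendingFileRenameOperations list (REG_MULTI_SZ).

Added example, not from the thread. The value is a flat sequence of UTF-16-LE
strings read in (source, target) pairs: an empty target means delete, a target
beginning with "!" means replace-if-exists, and paths carry the NT "\??\" prefix.
"""
from typing import List, Tuple

NT_PREFIX = "\\??\\"  # NT object-manager form of a Win32 path
REG_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations"

Op = Tuple[str, str, bool]  # (source, target or "" for delete, replace_existing)


def encode_pending_ops(ops: List[Op]) -> bytes:
    """Serialise (source, target, replace) triples as REG_MULTI_SZ bytes."""
    items: List[str] = []
    for src, dst, replace in ops:
        items.append(NT_PREFIX + src)
        if dst == "":
            items.append("")  # empty target == delete at next boot
        else:
            items.append(("!" if replace else "") + NT_PREFIX + dst)
    # Every string is NUL-terminated and one extra NUL closes the list.
    return ("\0".join(items) + "\0\0").encode("utf-16-le")


def decode_pending_ops(data: bytes) -> List[Op]:
    """Parse REG_MULTI_SZ bytes back into (source, target, replace) triples."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("missing REG_MULTI_SZ terminator")
    # Drop the last string's NUL plus the list terminator, then split on NUL.
    # Filtering out empty strings here would silently turn deletes into garbage.
    items = text[:-2].split("\0")
    if len(items) % 2:
        raise ValueError("odd number of strings; list is corrupt")
    ops: List[Op] = []
    for src, dst in zip(items[0::2], items[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append((_win32(src), _win32(dst), replace))
    return ops


def _win32(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def describe(ops: List[Op]) -> List[str]:
    """Human-readable view of what the next boot will do."""
    out: List[str] = []
    for src, dst, replace in ops:
        if dst == "":
            out.append(f"delete  {src}")
        else:
            out.append(f"rename  {src} -> {dst}" + (" (replace existing)" if replace else ""))
    return out


def to_reg_file(data: bytes) -> str:
    """Render the value as a .reg fragment; hex(7) is REG_MULTI_SZ (no line wrapping)."""
    key, _, name = REG_VALUE.rpartition("\\")
    key = key.replace("HKLM", "HKEY_LOCAL_MACHINE", 1)
    hexbytes = ",".join(f"{b:02x}" for b in data)
    return f'Windows Registry Editor Version 5.00\n\n[{key}]\n"{name}"=hex(7):{hexbytes}\n'


# Constructed sample: placeholder paths, not files from the thread's logs.
SAMPLE_OPS: List[Op] = [
    (r"C:\WINDOWS\system32\example.dll", "", False),
    (r"C:\WINDOWS\Temp\new.exe", r"C:\Program Files\App\app.exe", True),
]

if __name__ == "__main__":
    blob = encode_pending_ops(SAMPLE_OPS)
    for line in describe(decode_pending_ops(blob)):
        print(line)
    print(to_reg_file(blob))
```

On a live machine you would read the value with reg.exe (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`) or regedit and feed the bytes to `decode_pending_ops`; if `describe` lists paths you did not queue, that is what Killbox's prompt was warning you about, and appending rather than overwriting is the safe choice.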
     
  12. Spirit28

    Spirit28 Private E-2

    Back again,

    Services clean-up: Although the services.msc display said CA License Client, I had to delete the service CA_LIC_CLNT; that also applied to the other stuff.
    After doing the services part for CA_LIC_SRVR the computer rebooted; that may have been caused by the fact that I clicked <apply> instead of <OK>.
    I could not find the mentioned directories in HJT for the CA software.
    The same applied to the kill process, but the avast directory was still there, which was removed.

    With Pocket Killbox I did not get the PendingFileRenameOperations warning, and it did reboot by itself.

    ExplorerXP did not work in safemode, so I switched to normal mode and tried it there. Did not work either. I deleted the CA directories from the normal explorer, could not find the Avast directory.

    I'll attach the new logs.
     

    Attached Files:

  13. Spirit28

    Spirit28 Private E-2

    And the HJT log
     

    Attached Files:

  14. Spirit28

    Spirit28 Private E-2

    :eek:
    Sorry, sorry, sorry,
    Reading is a great gift although you have to use it when something is displayed in front of you instead of just pressing any key when being directed to at the end of the text.

    FixWareOut wanted to be supplied with the BFU program and I skipped that part! SORRY.

    Now FixWareout works and I continued with the rest of your advice. There were addresses in the DNS server settings which were removed by obtaining the DNS server automatically.

    I did not get the redirect now in my browser and notepad suddenly works again. It seems to work again but being cautious I won't say it is finished.
    Last night I ran HITMAN pro, which found more infections next to downloader.zlob.aty.
    Since the report is in Dutch it won't be much help to you, but the summary at the end says the following items have been found by Spyware Doctor.

    Trojan.Popuper
    Trojan.Downloader.Ruins
    Trojan.DNS Changer
    SexCam


    I'll post a new HJT log, thanks for your help so far.
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log shows both NOD32 and Norton AV are installed and providing resident protection. Pick one uninstall the other. Having more than 1 anti-virus program installed on your computer will create system conflicts.

    Run FixWareout again. Your HijackThis log still shows the Wareout DNS entries.

    Post a fresh HijackThis log and the FixWareout log.
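The two things the helper keeps reading out of the HijackThis logs in this thread are the O17 lines (the static NameServer values the Wareout/Zlob DNS changer plants, which is why setting the adapter back to "obtain DNS automatically" stopped the redirects) and the O23 service lines, where services.msc shows the display name but HJT's "Delete an NT Service" and sc.exe need the short name in parentheses (CA License Client vs. CA_LIC_CLNT). The script below is an added example, not code from the thread, from HijackThis or from MajorGeeks; the thread's real logs were attachments and are not visible here. It assumes the O17/O23 line layouts shown in its docstring, and its sample log, GUID, IPs and paths are constructed placeholders.

```python
"""Triage a HijackThis log for DNS-changer entries and service short names.

Added example, not from the thread. Assumed line layouts:
  O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
  O23 - Service: Display Name (ShortName) - Company - C:\path\file.exe
CCS is the current control set, CS1 a second control set holding the same
keys; a DNS changer usually writes both, so both must be checked.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: GUID, addresses and paths are placeholders.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A1B2C3D-0000-1111-2222-333344445555}: NameServer = 203.0.113.5,203.0.113.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A1B2C3D-0000-1111-2222-333344445555}: NameServer = 203.0.113.5,203.0.113.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International, Inc. - C:\Program Files\CA\CA_LIC\client.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International, Inc. - C:\Program Files\CA\CA_LIC\server.exe
O23 - Service: Example AV Real-Time Service (exavrt) - Example Corp - C:\Program Files\Example AV\exavrt.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()\s]+)\) - (?P<company>.+?) - (?P<path>.+)$"
)


def rogue_nameservers(log_text: str, trusted: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (registry key, server) for each O17 NameServer not in `trusted`.

    With trusted=None every static server is reported, since a clean home PC
    on DHCP should have none. Values that are not IP addresses are reported
    as-is: a hostname in this key is suspicious by itself.
    """
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in re.split(r"[,\s]+", m["servers"]):
            if not server:
                continue
            try:
                ip = str(ipaddress.ip_address(server))
            except ValueError:
                findings.append((m["key"], server))
                continue
            if trusted is None or ip not in trusted:
                findings.append((m["key"], ip))
    return findings


def service_names(log_text: str) -> Dict[str, str]:
    """Map each O23 display name (what services.msc shows) to its short name."""
    names: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            names[m["display"]] = m["short"]
    return names


def sc_commands(short_names: List[str]) -> List[str]:
    """sc.exe equivalents of the stop / disable / delete steps done by hand
    in the thread. sc.exe wants the short name, and the space after 'start='
    is part of its syntax."""
    cmds: List[str] = []
    for name in short_names:
        cmds += [f"sc stop {name}", f"sc config {name} start= disabled", f"sc delete {name}"]
    return cmds


if __name__ == "__main__":
    # Assumption for the demo: the router at 192.168.1.1 is the only legitimate resolver.
    for key, server in rogue_nameservers(SAMPLE_HJT_LOG, trusted={"192.168.1.1"}):
        print(f"suspect NameServer {server} in {key}")
    names = service_names(SAMPLE_HJT_LOG)
    print("\n".join(sc_commands([names["CA License Client"], names["CA License Server"]])))
```

Run it against a saved log with the resolvers you actually expect in `trusted`; anything else the script prints is the entry FixWareout or "obtain DNS automatically" needs to clear, and the O23 mapping gives you the name to type into "Delete an NT Service" without guessing.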
     
  16. Spirit28

    Spirit28 Private E-2

    OK,

    I removed NOD32.
    I ran FixWareout again. Although it did not find anything, apparently there was a program KDMCH.EXE in one of the logs of the virus scanners I used.

    I'll attach the new logs, thanks again for your help.
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    Now attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
     
  18. Spirit28

    Spirit28 Private E-2

    Ok,

    I have done the first part, did not take that long to process.
    Should I do this for all the user accounts, or in safe mode in the administrator account, because I only see the currently logged-in account in the report?
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Complete the second part. Yes, run this on all user accounts.
     
  20. Spirit28

    Spirit28 Private E-2

    I completed the second part for my own account.
    My computer did not restart on its own, so I rebooted myself into safe mode.
    During the second part in safe mode I got messages from CounterSpy asking whether to allow or block some stuff. I wrote one down.
    Question: Would you like to change the %system root%\system32\blank.htm to c:\windows\ssyetem32\blank.htm ?
    I blocked them all, was that alright?
    Furthermore I thought I read somewhere that applications are not started in safe mode, so how come CounterSpy is started? I saw one process WRSSSDK that I did not recognise, is that CounterSpy?

    In the first response it said it could not delete the file ~DF.... twice because it was in use by another process.

    Can I do step 1 for the other user accounts in safe mode? That saves a lot of start and reboot time. I'll rename the report to admin, anne, caro and erik (now you know the whole family).
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall CounterSpy; we're done with that anyway.

    WRSSSDK belongs to SpySweeper.

    ~DF.... in the TEMP directory are created by Windows. The ones created today can't be deleted as they are in use by the OS.

    Just run part 1 of the fix on the other user accounts and post the logs.

    This isn't a typo c:\windows\ssyetem32\blank.htm
     
  22. Spirit28

    Spirit28 Private E-2

    OK,

    I did part 2 for the other accounts anyway, your post was a bit later than I started.

    The warning I sent you DID contain a typo it is SYSTEM32.

    In all accounts kdmch was cleaned !

    I'll send you the logs.
     

    Attached Files:

  23. Spirit28

    Spirit28 Private E-2

    And the next bunch
     

    Attached Files:

  24. Spirit28

    Spirit28 Private E-2

    And the next one
     

    Attached Files:

  25. Spirit28

    Spirit28 Private E-2

    And the logs from GetRunKey, ShowNew and HJT
     

    Attached Files:

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Run FixWareout again.

    Post the following logs:
    1. FixWareout log
    2. ShowNew
    3. GetRunKey
    4. HijackThis
     
  27. Spirit28

    Spirit28 Private E-2

    OK,

    Changed the registry entry as directed.
    And deleted the lines stated with HJT.
    Ran Pocket Killbox and did get a PendingFileRenameOperations message.
    Had to reboot myself, first went into normal mode because I was too late and changed back to safe mode again.
    Deleted WPDNSE could not find CustomB.

    Attached you will find the logs requested.
    Thanks again for all your help!
     

    Attached Files:

  28. Spirit28

    Spirit28 Private E-2

    And the HJT log.
    Can not post the FixWareOut log because the response I get is:

    FixWareOut1.txt:
    You have already attached this file in thread : Dowloader.zlob.aty


    I tried renaming it, but that did not help!
     

    Attached Files:

  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  30. Spirit28

    Spirit28 Private E-2

    :D

    That's great, however I still get warnings about trojan.DNS changer and trojan.popuper in Spyware doctor.
    I do not have any problems with redirections or pop-ups.
    Are they bogus warnings or are they real ?
    Should I get rid of them ?

    Many thanks for your great help !
     
  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I apologize for not answering before now.

    Post the Spyware Doctor log so I can see exactly what it is reporting.
     
  32. Spirit28

    Spirit28 Private E-2

    No problem, as said before I do not have any problems anymore however Spyware doctor does give me these warnings.
     

    Attached Files:

  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    That should take care of the Spyware Doctor alerts.
     
  34. Spirit28

    Spirit28 Private E-2

    Did exactly as you said, but there are two items left which can be viewed in the attachment.

    Again, many thanks for your help.
     

    Attached Files:

  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    That should take care of it.
     
