Downloader Zlob.hh help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by dmb06851, Feb 28, 2006.

  1. dmb06851

    dmb06851 Specialist

    The last three times I have rebooted my PC, running XP Home + SP2 + automatic critical updates, Ewido has displayed the message:

    "File: ld19CC.tmp
    Path: C:\WINDOWS\sysem32
    Infection: Downloader. Zlob.hh"

    and each time I let Ewido "remove" it, which it obviously doesn't.

    Can someone help me to remove it please?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.

    Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. dmb06851

    dmb06851 Specialist

    Thank you, bjgarrick.

    Okay, I followed the steps in READ & RUN ME FIRST .....

    In Safe Mode .....

    MS Windows Malicious Software Removal Tool didn't report anything.

    Ad-Aware SE found 2 items (5 MRU, 2 tracking cookies). Removed.

    Spybot found Vcodec, in windows\system32\ncompat.tlb. Removed.

    MS Antispyware found Zlob.hh. Removed.

    Ran MS Antispyware again. Clean.

    Couldn't connect to Internet in safe mode so rebooted to normal mode.

    Bit Defender found nothing.

    Panda Active Scan Pro reported three items, see log. (Leaktest is Gibson's, from GRC.com)

    HJT log attached.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Update Ewido, run a full scan and attach the log so I can see what's being detected.
     
  5. dmb06851

    dmb06851 Specialist

    Ok, here's the log.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  7. dmb06851

    dmb06851 Specialist

    These are the two requested log files.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with the CodeStuff Starter?

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Your logs are fairly clean. Are you still getting the detection? Also, you need to run CCleaner to clean up the junk/temp files.
     
  9. dmb06851

    dmb06851 Specialist

    Ok bj, I made that addition to the registry.

    No, I've never heard of CodeStuff Starter.

    And no, I haven't seen anything nasty detected recently.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the below entry..

    O4 - Startup: CodeStuff Starter.lnk = C:\Program Files\CodeStuff\Starter\Starter.exe

    After you complete the above, reboot to Safe Mode and delete the folder..

    C:\Program Files\CodeStuff\

    Once you complete this post, reboot back to normal windows and let me know how things are running.
     
  11. dmb06851

    dmb06851 Specialist

    Ok, I just did that.

    I remembered that Code Stuff was a program which lists start up programs but I hardly ever used it anyway.

    I've not run any scans yet but will let you know if anything gets detected when I have run the various programs.

    Thank you.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  13. dmb06851

    dmb06851 Specialist

    I have now run Spybot, Ad-Aware, MS AntiSpyware Beta 1, AVG Free, ewido anti-malware and Xoftspy, none of which revealed anything suspicious.
    I then ran PestPatrol which discovered a key logger. I let the program delete the two entries - see attached log.

    I tried to run ActiveScan Pro but for some reason it isn't accepting my name/password. As soon as Panda sort that out I shall run that again too.
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That looks like a false positive, with PP this is a common problem.
     
  15. dmb06851

    dmb06851 Specialist

    Hmmm, maybe. But unless or until I get some convincing assurance that it is a false alarm the damned thing doesn't get reinstalled!

    I have just despatched PestPatrol's findings to the software's author.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you install this game? Do you play this game?

    Flight Simulator 9
     
  17. dmb06851

    dmb06851 Specialist

    Yes, and yes.
     
  18. dmb06851

    dmb06851 Specialist

    Since I had been having problems with it I uninstalled then reinstalled Flight Simulator a little earlier this evening. I haven't had time to check it out properly yet.

    But something else has cropped up too.

    I have on my desktop shortcuts to a few URLs. When I clicked on any of them earlier, my default browser, IE6, didn't open up, Firefox did. It reported that it couldn't open Yahoo Mail for instance.

    I uninstalled Firefox.

    Clicking on any of the shortcuts then opened up MS's "Open With" window. I told it to open with IE and clicked the box to always open this sort of file with it. It doesn't. It still presents the Open With window.

    I feel there is (still) something amiss on my system. I ran HJT and will attach its file.

    Can you see or suggest anything?
     


  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean, I recommend posting your other issue in the Software Forum. Those guys can help you get that fixed up.
     
  20. dmb06851

    dmb06851 Specialist

    Ok bj, and many thanks for your help.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome! :)
     
