Need Help to remove LowZones

Discussion in 'Malware Help (A Specialist Will Reply)' started by nanziman, Jul 20, 2006.

  1. nanziman

    nanziman Private E-2

Norton AV alert window pops up and informs detection of Trojan.LowZones. The alert window contains three pieces of info:
    Object Name: C:\WINDOWS\TEMP\TMP317.TMP
    Virus Name: Trojan.LowZones
    Action Taken: The file was automatically deleted.

    Problem:
    * Norton's AV alert windows keeps popping up.
* The malware keeps generating files as TMP***.TMP, where *** is any combination of hex digits.
    * And I cannot run anything else, including implementing the README, since it's hogging all resources.

    Tried:
* Booted in safe mode.
    * Ran Norton AV, but it did not find any virus or trojans in safe mode.
    * I deleted the last TMP***.TMP, but it just came back.

    Any suggestions on how I can deactivate the process, download and run the programs in README, etc.

    Many Thanks.
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com, please follow the steps below:

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

In addition, follow the directions for the SpywareQuake & SpyFalcon Removal Procedure

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
    • Bitdefender
    • Panda Scan
    • HijackThis
    • Log from SmitRem
     
  3. nanziman

    nanziman Private E-2

    Hi and thanks for your assistance.

I ran the required steps in the Sticky thread READ & RUN ME FIRST Before Asking for Support.

    The log files that you requested are attached.

    Please note the following:
    • After downloading and updating all the tools listed, I was able to shut down the computer.
• Had to reboot in normal mode to do some configs as per instructions. Noticed that Norton AV was not detecting the malware anymore.
    • Shut down again and rebooted in safe mode to start implementing the steps.
    • Was able to run CCleaner, Ad-Aware SE, SpyBot - S&S (including Immunize and SDHelper function), and MS Windows Defender in Safe Mode with Networking Support.
    • None of these detected anything.
    • Was able to run Bitdefender and Panda ActiveScan within Safe Mode.
    • Both Bitdefender and Panda ActiveScan detected some malware, which should be listed in their respective logs.
    • Rebooted in normal mode to get the HJT log and to download and extract smitRem.exe and rebooted to safe mode to run the RunThis.bat file.

    Hope the chronology helps, and I hope that the system is clean now.

    Look forward to your response.

    Many thanks!

PS: System allows me to attach a max. of 3 files. The SmitRem log will follow next.
     

  4. nanziman

    nanziman Private E-2

Here is the SmitRem log. Thx again.
     

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Empty the Norton Antivirus Quarantine Folder
    Empty the Recycle Bin

<< The installed version of Java on this computer is outdated. Install version 1.5.0_07 available from http://www.java.com/en/download/manual.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

Windows Messenger is running in the background on this computer, and represents a security risk. Disable Windows Messenger by running Shoot The Messenger. If you are using this as your IM client then replace it with MSN Messenger.

    Do you know what this belongs to?
    O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first

    Download
    - ExplorerXP

Open ExplorerXP, navigate to, and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Reboot

    Post a fresh HijackThis log.

    How is your computer running?
     
  6. nanziman

    nanziman Private E-2

    Hi and thanks again for your help.

    The computer is already running much better and much faster again.

    I have implemented the last steps that you asked me to follow:
    • Uninstalled previous Java versions (I only found 1).
    • Installed the latest Java version 1.5.0_07 and verified at the Java manual download site.
    • Installed and ran Shoot The Messenger. Note: Shoot The Messenger did not disable Windows Messenger, which is still running. When I checked on the author's website, I noticed that he is referring to Windows Messenger Service. According to him Windows Messenger Service is not the same thing as Windows Messenger. Please let me know if there is a different tool to remove WM, as I am not using it anyway.
    • Installed ExplorerXP and used it to delete c:\windows\downloaded program files\f3initialsetup.1.0.8.inf
    I have no idea what this is:
    O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first
    E:\ refers to my CD-RW drive (hope this helps). This registry entry does not appear on my laptop. I wonder if QB stands for Quick Books. I would prefer to remove this entry, if it does not cause harm.

    Attached you will find the latest HJT log.

    Many thanks again and all the best.
     

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can remove this line:
    O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first

Windows Messenger and Windows Messenger Service are related. Windows Messenger Service must be loaded and started in order for Windows Messenger to run.

Let's flush all your restore points and create a new clean one for your system.

    Disable And Enable System Restore
    How to Protect yourself from malware!

    Safe surfing.
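The two indicators in this thread (the unexplained O4 autostart entry pointing at E:\autorun.exe, and the self-regenerating TMP***.TMP files under C:\WINDOWS\TEMP) can be checked mechanically in a HijackThis log. The script below is an added example written for this page, not a MajorGeeks or HijackThis tool: it parses the registry-style "O4 - <hive>\..\<key>: [name] command" line shape shown above and applies two triage heuristics of my own choosing (program on a non-system drive; program in a TEMP folder or named like a TMP<hex>.TMP file). The QBCD Autorun line is the one from the thread; the other two sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Dict

# Shape of a registry-based HijackThis O4 line, e.g.
#   O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first
O4_RE = re.compile(
    r'^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$'
)


@dataclass
class AutostartEntry:
    hive: str      # e.g. HKLM or HKCU
    key: str       # e.g. Run, RunOnce
    name: str      # registry value name shown in [brackets]
    command: str   # full command line
    exe: str       # program path (first token, quotes stripped)


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one O4 registry autostart line; return None for other line types."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('command').strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(' ', 1)[0]
    return AutostartEntry(m.group('hive'), m.group('key'), m.group('name'), cmd, exe)


def triage(entry: AutostartEntry, system_drive: str = 'C:') -> List[str]:
    """Return reasons an autostart deserves a second look.

    These heuristics are assumptions made for this example, not HijackThis rules."""
    reasons = []
    p = entry.exe.lower()
    # Autostarts launched from a drive other than the system drive
    # (removable media, CD-RW, network) are unusual for legitimate software.
    if re.match(r'^[a-z]:\\', p) and not p.startswith(system_drive.lower() + '\\'):
        reasons.append('runs from non-system drive ' + entry.exe[:2].upper())
    # Programs living in a TEMP folder are a classic dropper location.
    if '\\temp\\' in p:
        reasons.append('runs from a temp location')
    # The TMP<hex>.TMP naming pattern reported in the thread.
    if re.search(r'\\tmp[0-9a-f]+\.tmp$', p):
        reasons.append('matches TMP<hex>.TMP pattern')
    return reasons


def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Map value name -> reasons for every O4 entry that raised at least one flag."""
    flagged = {}
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


# Sample log excerpt: first line is from the thread, the other two are constructed.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [QBCD Autorun] E:\autorun.exe restart TIMER_SEQUENCE first',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [Updater] C:\WINDOWS\TEMP\TMP317.TMP',
]

if __name__ == '__main__':
    for name, why in triage_log(SAMPLE_LOG).items():
        print(f'{name}: {"; ".join(why)}')
```

Running it flags the QBCD Autorun entry (non-system drive E:) and the constructed TEMP entry, while the ctfmon.exe line passes; a flagged entry is a prompt to identify the program, as the thread does with the CD-RW drive, not a verdict on its own.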
     
  8. nanziman

    nanziman Private E-2

    OK great. Many thanks again for your help.

    I am going to run all the README FIRST... sticky on my notebook now to clean this as well. It suddenly started "beeping" as if there is something causing an error. Very strange.

    Thanks again!!!
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome and start a new thread for your Notebook.
     