Trojan.downloader zlob.dj - last one?

Discussion in 'Malware Help (A Specialist Will Reply)' started by stevo4, Nov 10, 2006.

  1. stevo4

    stevo4 Private E-2

    Hi all,

I've followed the instructions to clean my computer from the "Read this..." thread and have done everything but the HijackThis portion.

    All the spyware removal programs and scans seem to look clean with the exception of the above trojan found by BDscan.

Anyone have a removal tool for this last trojan on my computer? Or should I just go ahead and do the HijackThis log and post it, etc.?

    Thanks.
    steven.
     
  2. stevo4

    stevo4 Private E-2

    NOD32 question

    One other question:

I'm using the NOD32 paid software and also use Spysweeper at startup (I also occasionally manually use Spybot and Adaware for further cleaning), but shouldn't NOD32 in particular have been able to catch the viruses and spyware that I had on my computer?

I thought NOD was highly recommended as one of the best (I know nothing is bulletproof).

    Thanks.

    stevo
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have completed the READ ME, please attach all logs to your next post.
     
  4. stevo4

    stevo4 Private E-2

    Here are the logs...

Yes, completed all steps in the "read before" thread. Everything seemed to work fine. Even got to do the Panda/BD scans in safe mode.

Please review and comment. Much appreciated.

    other logs in next post.

    stevo
     

    Attached Files:

  5. stevo4

    stevo4 Private E-2

    Here are the other files:

    thanks.

    steve
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: (no name) - {4734044c-7427-43d8-adbe-df942e52bef2} - (no file)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Documents and Settings\Steven Rood\Favorites\GAMBLING

    C:\Documents and Settings\Steven Rood\Favorites\HEALTH

    C:\WINDOWS\system32\swsc.exe

    C:\WINDOWS\system32\Process.exe

    Next, run CCleaner to clean up cookies and temp files.

    Final Step...

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Once you complete this post, reboot and let me know how things are running.
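HijackThis lines of the kind quoted above have a fixed shape (section code, display name, CLSID, file path for O2; hive, key, value name, command line for O4), so a log can be triaged mechanically before deciding what to tick. The script below is an added example, not HijackThis or MajorGeeks code. Its log excerpt is constructed: the first O2 line is the entry quoted in the reply above, the remaining lines are made up in HJT's format to exercise the parser, and the allow-list of recognised autorun names is an assumption.

```python
import re

# Constructed HijackThis log excerpt (added example input, not the poster's
# attached log, which the page does not reproduce). The first O2 line is the
# entry quoted in the reply above; the remaining lines are made up in HJT's
# format to exercise the parser and need not match the poster's machine.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {4734044c-7427-43d8-adbe-df942e52bef2} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [swsc] C:\WINDOWS\system32\swsc.exe
O4 - HKCU\..\Run: [Process] C:\WINDOWS\system32\Process.exe
"""

# O2: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# first token of the command line, quoted or bare
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')

# Assumed allow-list of autorun value names the reviewer already recognises
# (hypothetical; a real triage would use a vendor or hash lookup instead).
KNOWN_GOOD_RUN_VALUES = {"nod32kui"}


def parse_hjt(text):
    """Parse O2 (BHO) and O4 (registry Run) lines into dicts; other sections are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"type": "O2", "name": m["name"],
                            "clsid": m["clsid"].lower(), "path": m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            e = EXE_RE.match(m["cmd"])
            exe = (e["q"] or e["u"]) if e else ""
            entries.append({"type": "O4", "hive": m["hive"], "key": m["key"],
                            "value": m["value"], "exe": exe})
    return entries


def triage(entries):
    """Return (entry, verdict) pairs.

    orphan_bho  - CLSID still registered as a BHO but its DLL is gone; the
                  HJT 'Fix' removes the registration (the case in the reply above)
    unnamed_bho - a BHO with a file on disk but no friendly name; look the
                  CLSID and the file up before deciding
    named_bho   - BHO with a name and a file; verify the vendor
    known_good  - autorun value on the allow-list
    lookup      - autorun entry the reviewer must research by file name
    """
    out = []
    for e in entries:
        if e["type"] == "O2":
            if e["path"] == "(no file)":
                out.append((e, "orphan_bho"))
            elif e["name"] == "(no name)":
                out.append((e, "unnamed_bho"))
            else:
                out.append((e, "named_bho"))
        else:
            out.append((e, "known_good" if e["value"] in KNOWN_GOOD_RUN_VALUES else "lookup"))
    return out


def verdict_for(text, needle):
    """Verdict of the first entry whose CLSID or Run value name equals needle (case-insensitive CLSID)."""
    for e, v in triage(parse_hjt(text)):
        if e.get("clsid") == needle.lower() or e.get("value") == needle:
            return v
    return None


if __name__ == "__main__":
    for e, v in triage(parse_hjt(SAMPLE_HJT_LOG)):
        ident = e.get("clsid") or e.get("value")
        target = e.get("path") or e.get("exe")
        print(f"{e['type']} {v:12s} {ident:40s} {target}")
```

An "(no file)" O2 entry is a registry key without a DLL behind it: fixing it in HijackThis removes the key and nothing else, which is why that entry can be fixed safely before the file deletions are done in Safe Mode. The "lookup" verdicts are deliberately not decisions; the file names still have to be researched, which is what the expert did here before naming the two system32 files to delete.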
     
  7. stevo4

    stevo4 Private E-2

    Will do. Thanks for the guidance.

    Re: letting you know how things are running:

    Things have previously been working just fine. No popups, etc. I just saw that the scans had located a problem.

    thanks.
    steve
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After you complete my previous post, reboot a few times and see if any problems occur.
     
  9. stevo4

    stevo4 Private E-2

    I am attaching the latest HJT log, the BDscan log and the Activescan log (latter done in safe mode). I am not noticing any issues with the computer, however, the active and bdscan still show suspicious/malware in their logs.

One other thing I noticed is, during the ActiveScan, at one point a little window opens up asking me to create a new profile (for Outlook Express, I think). I just click the cancel button and the scan continues. I just mention this because the profile box is not mentioned in any of the tutorial messages.

    Thanks.

    steve
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete this file below, then run CCleaner.
    C:\Documents and Settings\Steven Rood\Desktop\SmitfraudFix.zip

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Your logs are clean; they show nothing. After you complete this post, reboot once more and let me know how things are running.
     
  11. stevo4

    stevo4 Private E-2

    Ok. Here is the latest Hijack log.

Can you advise why the BD scan and ActiveScan logs said there were suspicious files or malware? Were these just false positives?

    Thanks.

    steve
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The BD log just showed an infection in the System Restore folder meaning there was an infected file in one of your system restore points. If you completed my previous post this was removed.

The Panda scan detected the SmitfraudFix you had downloaded; the reason is that the processes it uses to remove items act similarly to some malware infections. This is nothing to worry about; just remove the utility because it's no longer needed.
     
  13. stevo4

    stevo4 Private E-2

    Thanks for the response.

    So, the last HJT log looks clean now? I did follow your instructions in the previous post.

Would also love to better understand why or how NOD32 and my Spysweeper weren't able to prevent the infections from getting to my HD.

As mentioned before, I keep Spysweeper in my systray with NOD32 and then occasionally run Spybot and Lavasoft for double checking. (These three spyware programs seemed to find and remove most of the spyware on my computer, or at least they said 'no spyware found'.)

    thanks,
    steve
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, it looks good.

    It's hard to say really, do you have the latest versions with all updates?
     
  15. stevo4

    stevo4 Private E-2

Yes, absolutely. NOD32 updates every day (usually several times) and Spysweeper notifies me when an update is available and I do that as soon as I'm notified.

I was just poking around the software update pages and looking at the NOD updates, and I can see the Trojan downloader Zlob virus listed as one of the viruses that it's supposed to catch but didn't. Just an observation.

Lastly, is there a PayPal/donation section somewhere on MajorGeeks? I appreciate the help and the team here has helped me once or twice before over the years. Just want to contribute to the cause.

    stevo
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's hard to tell where it came in if all is updated. Anything is possible in today's malware world.

    We did for a bit but we don't anymore. :\
     
  17. stevo4

    stevo4 Private E-2

    Question:

Yesterday morning I sent a PDF to a client via email and within a minute or two, I got an email back with this response:

    The message or an attachment did not reach the intended recipient(s).

    Subject: Re: Encrypted Mail
    From: stevo.rd@verizon.net
    To: djl@cdog.com
    Date: Sun, 12 Nov 2006 08:09:54 -0700

    Reason: virus detected (W32/Netsky.P@mm (exact))
    Action: strip

But the thing is, I didn't send this to that email address and I know the recipient received my file.

So, I am curious why I got this postmaster.cdog.com delivery notification and also why it thinks it had the Netsky virus (we just cleaned my computer the day before).

    Thanks.
    steve
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That doesn't sound too good, sounds as if you have a WORM. The first thing I would do is run the removal tools below.

    Download each tool, physically disconnect from the internet, reboot into Safe Mode and run these tools.

    Symantec NetSky Removal Tool

    F-Secure NetSky Removal Tool

    Let me know the results.
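The delivery notification quoted in the post above can be read mechanically, and the reading matters: a gateway that strips a detected attachment and reports to the From: address is telling that address nothing reliable, because Netsky.P (like the other mass-mailing families named in the code) forges From: using addresses harvested on the infected machine, so the bounce lands on a bystander. The script below is an added example, not code from the thread or from MajorGeeks. The bounce text is copied from the post; the sent-mail record standing in for the poster's outbox, with its client address and subject, is an assumption.

```python
import re
from email.utils import parsedate_to_datetime

# The delivery notification quoted in the post above, copied from the page
# (only the visible body; the full headers were not posted).
BOUNCE = """\
The message or an attachment did not reach the intended recipient(s).

Subject: Re: Encrypted Mail
From: stevo.rd@verizon.net
To: djl@cdog.com
Date: Sun, 12 Nov 2006 08:09:54 -0700

Reason: virus detected (W32/Netsky.P@mm (exact))
Action: strip
"""

# Constructed sent-mail record standing in for the poster's outbox: one PDF
# to one client. The client's address and the subject are assumptions.
SENT_LOG = [
    {"to": "client@example.net", "subject": "Printout of the page we discussed"},
]

# Mass-mailing worm families that forge the From: address of the mail they
# send, so a gateway that bounces a detection back to From: reports to a
# bystander, not to the infected host.
SENDER_FORGING_FAMILIES = {"netsky", "mydoom", "bagle", "sober"}

FIELD_RE = re.compile(r"^(Subject|From|To|Date|Reason|Action):[ \t]*(.*)$", re.M)
SIG_RE = re.compile(r"virus detected \((?P<sig>[^()]+)")
FAMILY_RE = re.compile(r"[A-Za-z]+(?=\.)")   # 'W32/Netsky.P@mm' -> 'Netsky'


def parse_bounce(text):
    """Pull the header-like fields, scanner signature, family and date out of the DSN body."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    sig = SIG_RE.search(fields.get("Reason", ""))
    fields["virus"] = sig["sig"].strip() if sig else None
    fam = FAMILY_RE.search(fields["virus"] or "")
    fields["family"] = fam.group(0).lower() if fam else None
    fields["when"] = parsedate_to_datetime(fields["Date"]) if "Date" in fields else None
    return fields


def assess_bounce(bounce_text, sent_log, my_address):
    """Return (verdict, reasons, parsed).

    misdirected        - the From: is not even our address
    investigate_local  - a message we really sent was flagged: scan this host now
    backscatter_likely - we never sent this message and the family forges senders
    investigate        - we never sent it, but forging is not established for this family
    """
    b = parse_bounce(bounce_text)
    reasons = []
    if b.get("From", "").lower() != my_address.lower():
        return "misdirected", ["From: %s is not our address" % b.get("From")], b
    to, subject = b.get("To", ""), b.get("Subject", "")
    ours = any(s["to"].lower() == to.lower() and s["subject"] == subject
               for s in sent_log)
    if ours:
        reasons.append("matches a message we sent to %s" % to)
        return "investigate_local", reasons, b
    reasons.append("no record of sending '%s' to %s" % (subject, to))
    if b["family"] in SENDER_FORGING_FAMILIES:
        reasons.append("%s forges From:, so the bounce identifies a victim, "
                       "not the infected host" % b["virus"])
        return "backscatter_likely", reasons, b
    return "investigate", reasons, b


if __name__ == "__main__":
    verdict, why, parsed = assess_bounce(BOUNCE, SENT_LOG, "stevo.rd@verizon.net")
    print(verdict, "-", parsed["virus"], "at", parsed["when"].isoformat())
    for r in why:
        print(" -", r)
```

The verdict is a prior, not proof: an infected host also sends mail its owner never wrote, so "not in my sent items" on its own does not clear the machine. What the script does establish is that this particular bounce, by itself, is not evidence about the poster's PC, which is why the removal tools and the scan the reply asks for remain the decisive check (and, further down the thread, came back clean).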
     
  19. stevo4

    stevo4 Private E-2

    Hey there,

    Ran both programs in safe mode with networking/internet off. Programs found no problems.

On a side note, I tried downloading ZA free to see if that would work better on my laptop (the paid Pro version was hanging my programs). After I installed the free version, I started having problems loading web pages. I could barely get MajorGeeks to load in either Firefox or IE6. I tried lowering the levels but still had issues. This morning I just uninstalled it and all is well again. I think I might try AVG and see how that works.

    steve
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Weird, let's try one more scan.

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there.

    Note: They must be in the same directory for it to work properly!

    Sysclean Package

    Pattern.zip

    After you complete the above, locate the file "lpt139.zip", right click to extract the contents to the same directory.

    Once you complete the steps above, REBOOT INTO SAFE MODE!

Once in Safe Mode, double click the file sysclean.com. When the system cleaner loads, click SCAN to start the scanner. After you complete the scan, reboot and attach the Trend SysClean log.
     
  21. stevo4

    stevo4 Private E-2

    Ok. Finished the scans.

    Here are the logs.

    And just to clarify the earlier post:

I went to a web page, printed the page as a PDF and then sent that PDF to one of my clients. And the address it was sent to was not the one that I got returned in my email.

    thanks.
    steve
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Well your logs are showing clean which is a good thing. I'm not sure exactly what's going on with the emails but something isn't right if you got that message about Netsky.

It's obvious you do not have this infection because two removal tools and a virus scan revealed that.

    Is it still acting weird?
     
  23. stevo4

    stevo4 Private E-2

    No, everything has been working fine (as far as i can tell), it was just that one time when i got that email back. I've been sending other attachments all yesterday with no issues.

    Thanks.

    steve
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, that's good!

If for some reason it starts acting up again or you get any more messages about Netsky or any other mass-mailing worm, just let us know.
     
