trojan zlob (I think!)

Discussion in 'Malware Help (A Specialist Will Reply)' started by mastermiaow, Mar 5, 2007.

  1. mastermiaow

    mastermiaow Private First Class

    OK I have spent the whole morning and previous few days trying to sort the problem out and I will try to be as succinct as possible.
    I first experienced problems with a website which I use for distance learning. I could log into the homepage but not access links. I resolved this by downloading Firefox. However I noticed that the computer was running slow and seemed to be taking up a lot of resources. Although I have AVG anti virus and AVG anti spyware, they did not pick up anything when I ran the scan. Also I noticed AVG anti spyware slowed the computer right down when I ran it so I decided to delete it and try something else. I ran system restore and was not allowed to use restore points of a week or two weeks before. I ran BitDefender and it picked up that I had trojan zlob but it could not fix it. I did a google search for zlob and downloaded something called SpyHunter which scanned my computer but then demanded money for removal of all the things it found. I thought I would try the manual removal instructions and went into the registry and deleted:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe

    I then decided that it would be better to follow the Hijack This Malware Removal Guide:
    1. I used Add Remove programs to uninstall anything that I didn't recognise
    2. I changed msconfig start up to normal, I disabled system restore
    3. I downloaded CCleaner
    4. I confirmed that I have one anti-virus scanner (AVG) and one firewall (windows XP)
    5. I downloaded getrunkey and shownew
    6. I checked settings on spybot
    7. I downloaded counterspy
    8. I started in safe mode and ran CCleaner, Spybot Search and Destroy (this pointed to SpyHunter as malware) and then CounterSpy which found Zlob and other things which I quarantined.
    9. I was unable to connect to the internet in safe mode with networking support so I had to boot normally and run BitDefender which showed Zlob still on the machine and it was unable to fix it.
    10. I was unable to run Panda scan - I got to the final window when the scan is supposed to start but nothing happened and in the bottom left corner it said "error on page"
    11. I opened getrunkey.bat but the Notepad window didn't come up; instead c:\windows\system32\cmd.exe did. When I looked in C: I could see about twenty new text files with names like xrmkey and xlmshell
    12. I ran shownew.bat and that was fine
    13. I then ran CounterSpy again and it picked up another trojan zlob as well as "masters paradise"
    In the midst of this I have downloaded software from www.canon.com for a scanner (Canon N656U) and I cannot install it. I am told that InstallShield failed to initialise and that the error report is in file c:\windows\TEMP\6df9_appcompat.txt but that file does not exist.
    My IBM R50e laptop still seems to be running very slow and getting overloaded on resources.
    I am attaching in this post a) CounterSpy txt (this is from the second scan), b) BitDefender txt and c) HijackThis txt.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not edit the registry on your own. That above key that you deleted is a required key for your system and MUST NOT be deleted. If you delete things that load your Windows Shell (the explorer.exe file is your shell), you will have no Desktop when you boot up. That means no icons, no Start button....etc.

    You must make sure that you followed ALL the directions for installing GetRunKey and ShowNew and that you extracted the files from the ZIP file. Also run the .bat files only from a Windows Explorer session and not from inside the ZIP file. Also check for the errors indicated on the download pages.

    Please attach the runkeys.txt and newfiles.txt logs from GetRunKey and ShowNew respectively. Those other files you mentioned with the x's in them are just temp files that should go away after GetRunKey terminates properly. If it does not run properly or does not terminate properly, those files will still be seen afterwards which is immediately an indication that it is not running as desired.

    Do you still have any Symantec software installed? I see you are running AVG Antivirus but I also see a service for Symantec's Security Center.
     
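    The point chaslang makes about the Winlogon Shell value is worth being able to check mechanically. The PowerShell script below is an added example, not something posted in this thread: it reads the machine-wide Winlogon Shell and Userinit values (Userinit is not mentioned above; it is included because it is the other Winlogon value that decides what runs at logon), compares them with the defaults of a standard Windows install, reports a missing Shell value (the situation the post warns about) and flags a per-user Shell override, which a default install does not have. The expected values and the "restore" step at the end are assumptions for a stock configuration; run it from an elevated prompt if you uncomment the restore.

```powershell
# Added example (not from the thread): audit the Winlogon values that decide
# which program becomes the Windows shell, so that a hijacked or accidentally
# deleted Shell value is spotted before the next logon leaves you with no desktop.
# Expected defaults assume a stock Windows install.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

$machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userKey    = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonValue {
    param([string]$Key, [string]$Name, [string]$Expected)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing Shell value is exactly the failure described in the post above.
        return [pscustomobject]@{ Key = $Key; Name = $Name; Value = '<missing>'; Status = 'MISSING' }
    }
    $value  = [string]$item.$Name
    $status = if ($value.Trim() -ieq $Expected) { 'OK' } else { 'UNEXPECTED' }
    [pscustomobject]@{ Key = $Key; Name = $Name; Value = $value; Status = $status }
}

$results = @(foreach ($name in $expected.Keys) {
    Test-WinlogonValue -Key $machineKey -Name $name -Expected $expected[$name]
})

# A per-user Shell override is absent on a default install; if one exists, look at it.
$userShell = Get-ItemProperty -Path $userKey -Name Shell -ErrorAction SilentlyContinue
if ($userShell) {
    $results += [pscustomobject]@{ Key = $userKey; Name = 'Shell'; Value = $userShell.Shell; Status = 'UNEXPECTED' }
}

$results | Format-Table -AutoSize

# Restore the default machine Shell only when it is missing; never overwrite blindly.
# Requires an elevated prompt. Uncomment to apply.
# $shell = $results | Where-Object { $_.Key -eq $machineKey -and $_.Name -eq 'Shell' }
# if ($shell.Status -eq 'MISSING') {
#     Set-ItemProperty -Path $machineKey -Name Shell -Value 'explorer.exe'
# }
```

    Anything reported as UNEXPECTED deserves a look at the file it names before it is changed; an unfamiliar program in Shell or an extra entry after the Userinit comma is a common way for malware to start with every logon.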
  3. mastermiaow

    mastermiaow Private First Class

    Oh dear! :eek: Well I have gone back into the registry and got as far as Winlogon but could not see any explorer.exe. Although I have had no trouble starting up my computer and the icons and Start button are still there. I checked the recycle bin and there is nothing in there but then I did use CCleaner yesterday...

    I checked in add remove programs and symantec is not there. In search there were some symantec files and folders there which I have deleted. There are still two folders there which couldn't be deleted.

    I have now managed to get runkeys.txt and attach both.

    I ran Spy Sweeper and got worried that it found more trojan zlobs which had not been detected by CounterSpy. I bought Spy Sweeper so it could quarantine them. I am not sure if it is good to run Spy Sweeper and CounterSpy together.

    I still cannot use InstallShield for the scanner software I downloaded.

    Many thanks for your help
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This should fix it.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    I'm not sure what you are referring to. Are you talking about malware scanning software? Or are you talking about software for a hardware device used to scan documents? If the latter, this may not be a malware issue.


    Did you actually run the CCleaner program and did you allow it to clean your temp folders? I see a lot of files in your temp folder that should have been deleted if CCleaner was run.

    Did you install and do you use the CyberSitter program?

    Since you have a paid version of Spy Sweeper now, you do not want CounterSpy installed.

    Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it anyway! Then delete the below two folders that may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Now let's remove the Symantec service
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot if it tells you it needs to.
    After reboot, see if you can now delete the below folder:
    c:\Program Files\Common Files\Symantec Shared

    Uninstall the below old versions of software:
    IBM 32-bit Runtime Environment for Java 2, v1.4.1
    IBM 32-bit Runtime Environment for Java 2, v1.4.1
    J2SE Runtime Environment 5.0 Update 6
    Norton WMI Update <--- this is also from Symantec but I'm not sure if it shows in Add/Remove programs. Let me know if you do not see it.

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Attach new logs from ShowNew and HJT now.

    Are you still having problems?
     
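    The services.msc and HijackThis steps above (stop the service, set it to Disabled, then delete the NT service registration) can be done from an elevated PowerShell prompt as well. The script below is an added example and not from this thread or from any of the tools it mentions; it uses the service name given in the post (SymWSC), shows the binary the service points at before anything is removed, and then stops, disables and deletes it with built-in cmdlets plus sc.exe, which is what "Delete an NT Service" amounts to.

```powershell
# Added example (not from the thread): script the stop / disable / delete
# procedure for one Windows service. Service name taken from the post above.
# Run from an elevated PowerShell prompt.
$serviceName = 'SymWSC'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Output "Service '$serviceName' is not registered; nothing to do."
    return
}

# Look before removing: the binary path shows what the service actually runs,
# which is how you tell a leftover vendor component from something unexpected.
Write-Output ("Display name : {0}" -f $svc.DisplayName)
Write-Output ("Binary path  : {0}" -f $svc.PathName)
Write-Output ("State / start: {0} / {1}" -f $svc.State, $svc.StartMode)

# Stop it and set the startup type to Disabled (the manual services.msc steps).
if ($svc.State -ne 'Stopped') {
    Stop-Service -Name $serviceName -Force -ErrorAction Stop
}
Set-Service -Name $serviceName -StartupType Disabled

# Remove the service registration (what HJT's "Delete an NT Service" does).
# If something still holds a handle, the deletion is marked pending and a
# reboot finishes it, which is why the post says to reboot if asked.
& sc.exe delete $serviceName

# Confirm: the query should now come back empty or show the pending delete.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, State, StartMode, PathName
```

    Once the service is gone, the folder it lived in (here c:\Program Files\Common Files\Symantec Shared) is no longer locked and can be deleted as the post describes.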
  5. mastermiaow

    mastermiaow Private First Class

    Thanks Chas

    You certainly know your onions :) I have done everything that you suggested and have tried to attach the files. I have just initiated a Panda scan and it started fine. I can't say yet for certain that everything is working; for instance right now CPU usage is at max with Panda scan running, Firefox, IE and Outlook Express and Explorer. I am not sure if that is normal or not. :confused: I am also currently unable to toggle between the three pages on Firefox nor is the manage attachments button responding. I have switched off the Panda scan and have now attached files after posting and then coming back in for editing.
    The problem I was having is with a hardware device that I bought without software, I have downloaded drivers and software .exe files from Canon but the software is not installing properly. I will try again tonight and if it doesn't work will post to relevant Hijack This forum.

    Many thanks again
     

    Attached Files:

    Last edited: Mar 6, 2007
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what all of the above is trying to tell me???? Are you having a problem or not? You should not be running ANYTHING other than Panda while running the scan and only the browser window for Panda should be open and nothing else. (not Outlook Express either).

    It has nothing to do with malware or a Hijack. It has to do with Hardware. Thus a post about this belongs in the Hardware Forum.

    You did not answer my question about CyberSitter .

    Also you did not install the new Sun Java version.
     
  7. mastermiaow

    mastermiaow Private First Class

    I had no idea that I could not run other programs whilst my computer was being scanned. :rolleyes: There is nothing on the Panda website that says this. But that would explain my computer running slow at that time. Should I not run anything when I am doing an offline virus or spyware scan either?
    Otherwise things are working well.
    I forgot the Sun Java version which I have just now installed. Yes, I have bought and installed the CyberSitter program.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The more you have running, the slower all the scans will run. And the more things you have running/open the more things that could interfere with the ability of the scanners to fix problems. For example, if you have an application open (like a browser) and there is an infection in a file that the browser is currently using, a scanner will not be able to fix the problem.

    If you read some other threads where HijackThis is being used, we always say to shutdown ALL browsers before running HijackThis especially before trying to fix anything. The above is the reason why.

    Also, remember the READ ME stating to run scans in safe mode, part of the reason is that less applications and services load up in safe mode, thus there is less that could get in the way of getting things fixed.
     
