Zlop detected

It's Zlob not Zlop. And yes you should have looked at the Special Removal procedure since it is mentioned.

First start out by fixing all thos junk O18 lines in your HJT log from that stupid Logitech Desktop Messenger. That will make your log smaller and save me the trouble of fixing them later. I even recommend uninstalling that piece of junk. Most people don't use it anyway and it just clutters up your registry and HJT logs with unnnecessary garbage.


I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

Now attach new logs from:

• GetRunKey
• ShowNew
• HJT

How are things working now?

 

Check your settings. Under Program Control do you have Autolock enabled. This is not malware. If necessary, uninstall, reboot and reinstall.

That's due to removing your Zlob infection.

You should not be using MSconfig that way anyway. It is only meant to be used for temporary debugging and using it like you were for long term can result in a variety of issues and problems with uninstalling applications and all kinds of junk can be left behind making cleanup difficult. It even cause problems like seen in your log where you have things trying to load multiple times. Like these:

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE


Uninstall things you don't need.
Configure program that you do need but don't want to load at startup in their own settings. If they don't provide those setting, delete the registry key loading them at startup using HJT or similar.

I'll give you some pointers at the end of this message.

Not as far as I have ever seen. It is basically adware in my book. Here is a blurb about it:

Not anymore! Are you still having problems.


Pointers about Startups!

1. Uninstall unnecessary items:
   • example we are finished with CounterSpy
   • Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
     • D:\Documents and Settings\All Users\Application Data\Sunbelt Software
     • D:\Program Files\Sunbelt Software
   • Also you should have uninstall all of the below in step 6 of the READ ME
     • J2SE Runtime Environment 5.0 Update 10
     • J2SE Runtime Environment 5.0 Update 11
     • J2SE Runtime Environment 5.0 Update 6
     • J2SE Runtime Environment 5.0 Update 8
     • J2SE Runtime Environment 5.0 Update 9
   • And then you should have installed the current version of Sun Java from: Sun Java Runtime Environment
   • Also consider if Logitech Desktop Messenger can be uninstalled. You don't really need it.
   • Check to see if you have other stuff you can uninstall if you never use it.
2. Things that are never needed at startup: here are a few in this category
   • O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
   • O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" <-- this number will change when you install the new version
   • O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
   • O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
3. Things you may or may not need: Only you can answer that. Research them and figure out what to do with them
   O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE​
   
   
   O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"​
   
   
   O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE​
   
   
   O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe​
   
   
   O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe​
   
   
   O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"​
   
   
   O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE"​
   
   
   O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe​
   
   
   O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE​
   
   
   O4 - HKLM\..\Run: [Launch LGDCore] "D:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE​
   
   
   O4 - HKLM\..\Run: [Launch LCDMon] "D:\Program Files\Logitech\G-series Software\LCDMon.exe"​
   
   
   O4 - HKCU\..\Run: [ATI Remote Control] D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe​
   
   
   O4 - HKCU\..\Run: [Fraps] H:\FRAPS\FRAPS.EXE​
   
   
   O4 - HKCU\..\Run: [CTSyncU.exe] "D:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"​
   
   
   O4 - HKCU\..\Run: [ResChanger 2005] D:\Program Files\ResChanger 2005\ResChanger2005.exe​
   
   
   O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe​

 

Norton can often be just as bad as malware to get removed. Here is what I would suggest:

• Reboot just before doing the below but DO NOT run anything other than these steps
• shut down all other applications (every thing in the tray ...etc) including antispyware tools
• goto add/remove programs and uninstall all Symantec and Norton software
• reboot and take a quick peak at your HJT log for anything left over from Symantec or Norton.
• if there are left overs run this: Norton Removal Tool (SymNRT)
• then reboot and check another HJT log. If you still have things from Symantec or Norton you may need help from us to remove because often times they are services which must be stopped and disabled before they can be deleted.

I suggest you use AVG Free which is one of the tools give in the How to protect link further down in this message.

• Does it happen in safe mode?
• Does it happen after uninstalling Norton?
• How often does it happen?
• Does it happen when not connected to the internet?
• Is anything else in particular running when it happens?

It could just be some periodic activity from a scanning tool, or from one of the other many items you are running.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

Re: ZloB detected

No! They are not missing. It is a HijackThis bug and the they have nothing to do with Norton anyway.

You can always just unplug the cable which means you are not connected. That is an easy enough thing to do.

Let's run a couple other tools before moving on to those final steps I gave you. Since it does not show in safe mode, it could just be due to some application you run in Normal boot mode but not in safe mode. However, I want to dig in a little deeper to check for possible rootkits.

Please download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.

And as a backup to the above run this Using Sophos Anti-Rootkit and attach the requested log.



Also run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

After clicking Fix, exit HJT

Now attach the below new logs and tell me how the above steps went.

1. ShowNew
2. HJT

 

Well there are no rootkits and there is no obvious malware based on your logs. It would appear that your problem is not malware but rather just something you are running.

And it does not occur in safe mode either based on a previous message.

Thus I suggest you use MSconfig for its intended debugging purpose. Use it to disable all startups and selectively enable them one at time with a reboot after each one (yes it is tedious - a faster method may be the powers of 2 method, i.e, do half at a time and each time no problem is found half the group is eliminated....etc). See if you can isolate the problem this way. If the problem is not in the Startups tab area of MSconfig, you will need to try the same thing with the Services tab of MSconfig although you may want to start by hiding all Microsoft services to save yourself some time.

 

Okay! So then I assume you knew what I meant by using MSconfig to debug this?

 

OK! Good luck and let me know your test results!

 

Re: An Update

Have you stopped all processes from loading at startup?

What about Services?