Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

trojandownloader.zlob will NOT remove 1

Status
Not open for further replies.
Designware

Designware

Technical User
Sep 24, 2002
202
I have a trojan on a PC that will not remove. Adaware finds it and calls it trojandownloader.zlob . It thinks it removes it, but it is back IMMEDIATELY.

The malware puts two icons on the desktop, entitled "Online Security Guide" and "Live Saftey Center", both of which leads to a web site.

In the hijackthis log below have tried to remove the entries

Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\btareuig.dll

[74d31d7c] rundll32.exe "C:\WINDOWS\system32\ksdqrruq.dll",b

They both come back immediately. Norton also finds the same infection, but cannot remove it. I have done the scans and attempted removal in Safe Mode with no results. The registry entries come back IMMEDIATLY in safe mode too.

Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:20:53 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINACS\ACSTRAY.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\btareuig.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [ACSTray] C:\WINACS\ACSTRAY.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [74d31d7c] rundll32.exe "C:\WINDOWS\system32\ksdqrruq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Sort by date Sort by votes
check these 2 and click fix checked. I know they will probably come back but just do it , dont restart and continue with the rest of the instructions below. Once they have finished disable and reenable system restore. Then restart the computer and see if those 2 show back up in the log again.

O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\btareuig.dll

O4 - HKLM\..\Run: [74d31d7c] rundll32.exe "C:\WINDOWS\system32\ksdqrruq.dll",b


Also, download ccleaner from the link below. After you install it, open it up, under the application tab on ccleaner, uncheck nero if you have it installed. Then run the cleaner on each account of the computer.


Now download avg anti spyware from the link below. Delete anything it finds.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
TomCologne,

Thanks for the reply. I did google this problem and found the site a lavasoft before. Per their instructions, HJT simply got rid of the entires. HJT will NOT remove the rogue entries here.

electronicsfreak,

Thanks for the reply! The system restore feature is turned off completely ... but still the entries return ... even after a reboot. I will download ccleaner and ewido and let you know what happens.

 
Upvote 0 Downvote
Have you tried 'SpyBot Search and Destroy'?

Home Page Link -- In Several Languages

I noticed this (trojandownloader.zlob) was detected the last time I ran a manual scan. So fat it hasn't come back.
 
Upvote 0 Downvote
I have encountered this problem on a few computers recently and after trying countless programs and countless hours to eleminate these problem files I found only one solution, one I have used in the past and almost forgot about. First try all the above excellent advice and if it fails, give this one a try.

First turn on system restore! Back up any thing you treasure, as you know anything can happen.

If you can isolate the problem files and know the exact path to them, be very sure before proceeding, go to killbox.net and download killbox, run it, type in the path to the files you want to delete, proceed to delete them, it may take a reboot to finish the process.

good luck

xit
 
Upvote 0 Downvote
Yeah killbox is a good solution for stubborn files that will not delete. Only reason I didnt suggest that right now is the ones hes deleting are coming back, so they are deleting just something is remaking them. My guess right now is something in the temp folder. Killbox though is a very very good program as I use it all the time.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Designware,
I had a friend's computer I worked on over the summer that had this (plus a lot of other nasty stuff). I went through trying different things, but I "think" what finally got rid of it were 2 apps I downloaded-one called ATF cleaner, and SuperAntispyware. But due to other issues also, I had also run Vundo remover prior to that.

I don't want to steer you in wrong direction, so if anyone knows that ATF/SuperAnti would not be a safe combo to run, please, jump in! (Electronicsfreak maybe??) lol

Melissa
 
Upvote 0 Downvote
Well ive never used either personally however super anti spyware seems to have some good reviews. Also an opinion and suggestion from me, id get rid of norton and install antivir or avg antivirus instead of it. However that is my opinion, others will disagree.

Antivir

Avg

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Robert,

Spybot did end up working. I stopped using Spybot a couple of years ago when it had sever trouble updating its definitions. But it seems that those problems have been ironed out, and it did the job this time.

Thank you everyone for the help! I've added Killbox to my arsenal now.

 
Upvote 0 Downvote
Glad you got it working and thanks for posting what got rid of.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Shimmy613
  • Locked
  • Question
Avira Free: "Your computer is not secure! A Service is not working correctly"
Replies
14
Views
339
ChrisHirst
ChrisHirst
CCX008
  • Locked
  • Question
Barowwsoe2save , how can I remove this stubborn virus !! 3
Replies
10
Views
160
goombawaho
goombawaho
2ffat
  • Locked
  • News
Police: Do as we say and not as we do! 1
Replies
4
Views
86
goombawaho
goombawaho
lvis001
  • Locked
  • Question
Cannot remove "pup.bprotector" 1
Replies
6
Views
145
goombawaho
goombawaho
1DMF
  • Locked
  • Question
AVAST latest free version causing nothing but problems 2
2
Replies
20
Views
292
1DMF
1DMF

Part and Inventory Search

Sponsor

Back
Top