1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Win32:Zlob-BN

Discussion in 'Windows - Virus and spyware problems' started by majkelos, Jun 20, 2006.

  1. majkelos

    majkelos Guest

    My computer is also infected with the Win32:Zlob-BN. I'm using Avast Antivirus and Kerio Personal Firewall. Although Avast deletes the virus, it comes back over and over again. I've just read the other people's posts and hints. I look forward to your quick help. Thank you in anticipation.

    Here's my HijakcThis log and SmitFraudFix log.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:12:15, on 2006-06-20
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\Ati2evxx.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\Ati2evxx.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    E:\Program Files\Winamp\winampa.exe
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Messenger\msmsgs.exe
    E:\Program Files\Gadu-Gadu\gg.exe
    E:\PROGRA~1\INCRED~1\bin\IncMail.exe
    E:\Program Files\Konnekt\konnekt.exe
    E:\Program Files\Skype\Phone\Skype.exe
    E:\WINDOWS\twain_32\C6U14K\WATCH.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    E:\Program Files\Kerio\Personal Firewall\persfw.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    C:\totalcmd\TOTALCMD.EXE
    E:\Program Files\Alwil Software\Avast4\ashSimpl.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [WhenUSearchWHSE] "E:\Program Files\WhenUSearch\whse.exe"
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [BearShare] "E:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail] E:\DOCUME~1\mikey\USTAWI~1\Temp\ImInstaller\IncrediMail\IncrediMail_Install.exe -startup -product IncrediMail
    O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [Free Download Manager] E:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [IncrediMail] E:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Konnekt] "E:\Program Files\Konnekt\konnekt.exe" /autostart
    O4 - HKCU\..\Run: [Skype] "E:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Watch.lnk = E:\WINDOWS\twain_32\C6U14K\WATCH.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - E:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - E:\Program Files\Kerio\Personal Firewall\persfw.exe


    SmitFraudFix v2.62

    Scan done at 10:22:00,78, 2006-06-20
    Run from E:\Documents and Settings\mikey\Pulpit\SmitfraudFix
    OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» E:\


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32

    E:\WINDOWS\system32\ld????.tmp FOUND !
    E:\WINDOWS\system32\ot.ico FOUND !
    E:\WINDOWS\system32\regperf.exe FOUND !
    E:\WINDOWS\system32\stdole3.tlb FOUND !
    E:\WINDOWS\system32\ts.ico FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\mikey\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\mikey\Ulubione

    E:\DOCUME~1\mikey\Ulubione\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    E:\DOCUME~1\ALLUSE~1\Pulpit\Online Security Guide.url FOUND !
    E:\DOCUME~1\ALLUSE~1\Pulpit\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Moja bieľĄca strona gˆ˘wna"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{f85e05f5-667e-41b0-ab8a-147337a99e65}"="bloodthirst"

    [HKEY_CLASSES_ROOT\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="E:\WINDOWS\system32\xuefh.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{f85e05f5-667e-41b0-ab8a-147337a99e65}\InProcServer32]
    @="E:\WINDOWS\system32\xuefh.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  2. Jurppis

    Jurppis Regular member

    Joined:
    Feb 22, 2006
    Messages:
    659
    Likes Received:
    0
    Trophy Points:
    26
    Hi majkelos,

    Delete this program via add/remove programs in control panel:

    WhenUSearch

    After that, restart your computer to the safemode
    http://www.pchell.com/support/safemode.shtml

    In safe mode, first delete this folder if it exists E:\Program Files\->WhenUSearch. Then open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

    The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
    A textfile will appear after the cleaning process, copy this file and paste it to here.

    Tha log is saved to your local diskdrive, usually C:\rapport.txt. Post also a new HijackThis log.
     

Share This Page