afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > how to remove win32:zlob-bn ?
How to remove Win32:Zlob-BN ?
bencon (Newbie)
16. June 2006 @ 13:54
Avast! tells me that my PC has a Win32:Zlob-BN infection but is unable to remove it. ZoneAlarm tells me that gdnFR2218.exe keeps trying to access the internet - destination IP 207.226.177.100:HTTP

Please help me remove this malware.

Below I have posted the HijackThis v1.99.1 Logfile and the SmitFraudFix v2.61 rapport.txt file.

Thanks, Ben.
===============

Logfile of HijackThis v1.99.1
Scan saved at 22:17:59, on 16/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Security\Avast4\aswUpdSv.exe
C:\Program Files\Security\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Security\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Navigator Mouse\moffice.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Navigator Mouse\MOUSE32A.DAT
C:\Program Files\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINNT\system32\dcomcfg.exe
C:\Program Files\Security\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINNT\system32\hp100.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Security\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Navigator Mouse\moffice.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Security\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {01646B0A-A89F-071D-1394-79AB5216331B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {049DDF22-C1CF-1C3A-BA03-290D0C4B7979} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {04DCBC7F-FB6A-4D4F-4041-53C663D2AFE1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {080FA756-3717-3676-5B21-4E8D424D8CBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0D685D55-5609-3880-713B-75A27D69F272} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0E6EB687-6AF9-1857-53A8-7C472DC3E03B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0F24DF64-DD0D-0A14-E71A-688F41C876DF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {124F4AC9-0815-683E-4B75-0901623862DA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13A145F3-F6AB-6EF4-3A77-3FBC5E8B1C00} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13C7B206-B5B7-390B-35F0-6B3C27797481} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {177F568D-CAC1-0A48-6A27-5F265CDE7D70} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1B014A0C-D63E-7ADA-4CA7-21586DD84B95} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1DC4D46F-D5FB-02B8-B034-3BE343D014D5} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {20CC6DA2-5509-453E-F80B-68B1263EF9EE} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {21F96F99-5392-55D4-1A84-31375DBB3D08} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2497FB97-A73E-037C-EA5E-7D972FDAA0F9} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {25DD802C-B498-4C07-ECDC-61C751C593D3} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {28EC9BCF-BC52-2DB3-20AE-4DB715818A56} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {29E6A309-77D0-0F3A-E286-6AF90EB6A6E6} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2A087A7B-ED38-3515-83CF-627577E9103E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2D88BCE8-8795-4413-09F6-164602F1F8F7} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2D986652-3037-5BBD-6A80-5DBE40F93C27} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {32E71B8D-2F1F-1510-F8E6-2AAA3E5A403A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3327B3A8-D69F-5352-93A9-118611E43AED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {34D61ED8-F222-6E4F-8D7C-73407BC0BC87} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D293E2E-1CBE-7C40-5C4F-60DA43883650} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D4217C1-204F-6744-B03F-6CE650A0510A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {421097F7-046F-1B24-972C-334866DB2338} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {434003B9-8AED-536F-D372-04927B45DA38} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {475CE4D9-1403-66BD-6D73-017568C22E1E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4A11E64E-E2BD-6DF4-5316-03BE3DC8DEC1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C7E925C-7967-1ED9-CD1E-264176A2B6ED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C997C28-FD00-6A61-AF86-76D6710B78A1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4FF3E0DC-CBAB-678A-133F-66391CC4DEEB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {527F5534-E203-135E-396C-78ED1464BE36} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {53320E56-E5F5-539F-66F4-1F7E265BA8CB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {54E97A32-36CB-5FD2-E20C-77CB01E263A2} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {581E2C86-0348-122D-F9C3-25953B6EA36C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {589D1D1C-6BD9-02E7-733A-7A26188ACCC0} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {59B9A677-C49B-31C8-5431-1755136CF6F1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {5FBAD680-5E1D-5B6D-B460-34941ED7BF53} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {62891EA9-1166-288A-A75F-660C0B4ECC84} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {63856EE3-316A-68F0-5EDE-587D5309306B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {64AF3094-76E3-5912-B58D-4AE70BB12EBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {660F34D7-6905-4B6B-387D-348B0C87AAE4} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {66729FFC-3BD2-149A-1EF8-3D804CBAB71F} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6B4ECAEF-DE69-4627-0C06-520B42478EAA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6E0CEA27-E34D-4F6C-12A9-35BA6E19070C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/n...
O16 - DPF: {735D1EA0-45CB-0003-A2B3-359C1222DEAF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7CACFCCF-7C28-6C25-635E-545628332004} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Security\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Security\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Security\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

SmitFraudFix v2.61

Scan done at 22:37:23.49, Fri 16/06/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\dcomcfg.exe FOUND !
C:\WINNT\system32\hp???.tmp FOUND !
C:\WINNT\system32\hp????.tmp FOUND !
C:\WINNT\system32\ld????.tmp FOUND !
C:\WINNT\system32\ot.ico FOUND !
C:\WINNT\system32\regperf.exe FOUND !
C:\WINNT\system32\simpole.tlb FOUND !
C:\WINNT\system32\stdole3.tlb FOUND !
C:\WINNT\system32\ts.ico FOUND !
C:\WINNT\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

C:\DOCUME~1\ADMINI~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
-kemisti- (AfterDawn Addict)
17. June 2006 @ 03:14
Hi bencon

Fix with HjT (do a system scan only, checkmark these and press fix checked):

O16 - DPF: {01646B0A-A89F-071D-1394-79AB5216331B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {049DDF22-C1CF-1C3A-BA03-290D0C4B7979} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {04DCBC7F-FB6A-4D4F-4041-53C663D2AFE1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {080FA756-3717-3676-5B21-4E8D424D8CBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0D685D55-5609-3880-713B-75A27D69F272} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0E6EB687-6AF9-1857-53A8-7C472DC3E03B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {0F24DF64-DD0D-0A14-E71A-688F41C876DF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {124F4AC9-0815-683E-4B75-0901623862DA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13A145F3-F6AB-6EF4-3A77-3FBC5E8B1C00} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {13C7B206-B5B7-390B-35F0-6B3C27797481} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {177F568D-CAC1-0A48-6A27-5F265CDE7D70} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1B014A0C-D63E-7ADA-4CA7-21586DD84B95} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {1DC4D46F-D5FB-02B8-B034-3BE343D014D5} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {20CC6DA2-5509-453E-F80B-68B1263EF9EE} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {21F96F99-5392-55D4-1A84-31375DBB3D08} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2497FB97-A73E-037C-EA5E-7D972FDAA0F9} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {25DD802C-B498-4C07-ECDC-61C751C593D3} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {28EC9BCF-BC52-2DB3-20AE-4DB715818A56} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {29E6A309-77D0-0F3A-E286-6AF90EB6A6E6} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2A087A7B-ED38-3515-83CF-627577E9103E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2D88BCE8-8795-4413-09F6-164602F1F8F7} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2D986652-3037-5BBD-6A80-5DBE40F93C27} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {32E71B8D-2F1F-1510-F8E6-2AAA3E5A403A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3327B3A8-D69F-5352-93A9-118611E43AED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {34D61ED8-F222-6E4F-8D7C-73407BC0BC87} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D293E2E-1CBE-7C40-5C4F-60DA43883650} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {3D4217C1-204F-6744-B03F-6CE650A0510A} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {421097F7-046F-1B24-972C-334866DB2338} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {434003B9-8AED-536F-D372-04927B45DA38} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {475CE4D9-1403-66BD-6D73-017568C22E1E} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4A11E64E-E2BD-6DF4-5316-03BE3DC8DEC1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C7E925C-7967-1ED9-CD1E-264176A2B6ED} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4C997C28-FD00-6A61-AF86-76D6710B78A1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {4FF3E0DC-CBAB-678A-133F-66391CC4DEEB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {527F5534-E203-135E-396C-78ED1464BE36} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {53320E56-E5F5-539F-66F4-1F7E265BA8CB} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {54E97A32-36CB-5FD2-E20C-77CB01E263A2} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {581E2C86-0348-122D-F9C3-25953B6EA36C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {589D1D1C-6BD9-02E7-733A-7A26188ACCC0} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {59B9A677-C49B-31C8-5431-1755136CF6F1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {5FBAD680-5E1D-5B6D-B460-34941ED7BF53} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {62891EA9-1166-288A-A75F-660C0B4ECC84} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {63856EE3-316A-68F0-5EDE-587D5309306B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {64AF3094-76E3-5912-B58D-4AE70BB12EBF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {660F34D7-6905-4B6B-387D-348B0C87AAE4} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {66729FFC-3BD2-149A-1EF8-3D804CBAB71F} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6B4ECAEF-DE69-4627-0C06-520B42478EAA} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {6E0CEA27-E34D-4F6C-12A9-35BA6E19070C} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {735D1EA0-45CB-0003-A2B3-359C1222DEAF} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {7CACFCCF-7C28-6C25-635E-545628332004} - http://85.255.113.214/1/gdnFR2218.exe


Please download ewido anti-malware it is a free version of the program -> http://www.ewido.net/en/download/

1. Install ewido anti-malware
2. When installing, under "Additional Options" uncheck..
* Install background guard
* Install scan via context menu
3. Launch ewido, there should be an icon on your desktop, double-click it.
4. The program will now open to the main screen.
5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
6. You will need to update ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates -> http://download.ewido.net/ewido-signatures-full-current.exe Make sure to close Ewido before installing the update.

Once the updates are installed do the following:

Reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infected files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt


Then launch ewido:

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* You will be prompted to clean the first infection.
* Select "Perform action on all infections", then proceed.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Reboot back to normal mode

Send ewido report, a fresh HjT log and contents of c:\rapport.txt
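What makes the O16 entries in Ben's first log stand out, and what kemisti's fix list above is built from, is the pattern rather than any single line: dozens of entries with different CLSIDs, no friendly name, all pointing at one .exe on a bare IP, sitting next to legitimate scanner controls that carry a vendor name and a .cab on a vendor host. The script below is an added example (not code from the thread and not part of HijackThis) that applies exactly those checks to HijackThis log text and returns the lines a helper would ask to have fixed. The sample log is constructed from the pattern in this thread; the function names and the two-entry cluster threshold are my own choices.

```python
"""Flag suspicious HijackThis O16 (Download Program Files / ActiveX) entries.

Added example, not part of the thread or of HijackThis. SAMPLE_LOG is a
constructed excerpt that reproduces the pattern seen in the thread: several
O16 lines with unrelated CLSIDs all fetching one .exe from a bare IP address,
beside legitimate online-scanner controls that carry a friendly name and a
.cab on a vendor hostname.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# O16 - DPF: {CLSID} (optional friendly name) - URL
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)

SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\Security\\Avast4\\ashDisp.exe
O16 - DPF: {01646B0A-A89F-071D-1394-79AB5216331B} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {049DDF22-C1CF-1C3A-BA03-290D0C4B7979} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {04DCBC7F-FB6A-4D4F-4041-53C663D2AFE1} - http://85.255.113.214/1/gdnFR2218.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
"""


def parse_o16(log_text):
    """Return every O16 line as a dict with clsid, name (or None), url and the raw line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            entries.append({
                "clsid": m["clsid"].upper(),
                "name": m["name"],
                "url": m["url"],
                "line": line,
            })
    return entries


def is_ip_host(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def entry_flags(entry):
    """Per-line heuristics; an empty list means nothing looked odd about this entry."""
    parsed = urlparse(entry["url"])
    host = parsed.hostname or ""
    flags = []
    if entry["name"] is None:
        flags.append("no friendly name")
    if is_ip_host(host):
        flags.append("hosted on bare IP")
    if parsed.path.lower().endswith(".exe"):
        flags.append("payload is a bare .exe rather than a .cab")
    return flags


def find_suspicious(log_text, min_cluster=2):
    """Return (line, reasons) for every O16 entry worth fixing.

    Besides the per-line flags, entries are grouped by URL: when at least
    min_cluster distinct CLSIDs point at the same download, that is reported
    too, since legitimate controls register one CLSID per package.
    """
    entries = parse_o16(log_text)
    by_url = defaultdict(list)
    for e in entries:
        by_url[e["url"]].append(e)

    results = []
    for e in entries:
        flags = entry_flags(e)
        n = len(by_url[e["url"]])
        if n >= min_cluster:
            flags.append(f"{n} different CLSIDs share this URL")
        if flags:
            results.append((e["line"], flags))
    return results


if __name__ == "__main__":
    for line, reasons in find_suspicious(SAMPLE_LOG):
        print(line)
        print("   -> " + "; ".join(reasons))
```

Run it on a saved HijackThis log by replacing SAMPLE_LOG with the file's contents. The output is the list of lines to checkmark in a system-scan-only run, and the reasons give the helper something to say about why those lines and not the Symantec or F-Secure ones.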
bencon (Newbie)
17. June 2006 @ 06:36
Hi kemisti,

Thanks for taking the time to read my logs and post a set of instructions. Here is the output.

Is the PC now clean?

Ben

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:18:52, 17/06/2006
+ Report-Checksum: 809E1BE8

+ Scan result:

No infected objects found.


::Report End
==========

Logfile of HijackThis v1.99.1
Scan saved at 15:26:17, on 17/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Security\Avast4\aswUpdSv.exe
C:\Program Files\Security\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Security\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Navigator Mouse\moffice.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Security\ZoneAlarm\zlclient.exe
C:\Program Files\Navigator Mouse\MOUSE32A.DAT
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Security\Avast4\ashMaiSv.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Security\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Navigator Mouse\moffice.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Security\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/n...
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Security\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Security\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Security\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
==========

SmitFraudFix v2.61

Scan done at 14:23:38.80, Sat 17/06/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
==========
-kemisti- (AfterDawn Addict)
17. June 2006 @ 07:04
Looking good, yes.

Java update is needed, though:

Go to http://java.sun.com/j2se/1.5.0/download.jsp and download and install JRE 5.0 Update 7. Click the link that says Download JRE 5.0 Update 7. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-1_5_0_07-windows-i586-p.exe to start the install. Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 1.


bencon (Newbie)
18. June 2006 @ 10:37
Hi kemisti,

Many thanks for your help my friend. My computer is behaving itself once again.

Thanks also for the tip about the JRE update which I've now installed. I also added the 'NoScript' plug-in to FireFox.

Keep up the good work. Regards, Ben
-kemisti- (AfterDawn Addict)
18. June 2006 @ 22:24
You're welcome :)