PC Infected with Virus!

trader21

Active Member
#1
An infection called Trojan horse Downloader.Zlob.CP is ravaging my PC. The antivirus says it cannot be healed or deleted since it is inside an archive with the name E:\System Volume Information\_restore{D714CDB1-95D7-4C71-99A8-4E992AFF902E}\RP33\A0004082.exe:\run.exe
Is there any way to get rid of it other than formatting the hard disc? Please help.

thanks
Saurabh
 

pkjha30

Well-Known Member
#2
An infection called Trojan horse Downloader.Zlob.CP is ravaging my PC. The antivirus says it cannot be healed or deleted since it is inside an archive with the name E:\System Volume Information\_restore{D714CDB1-95D7-4C71-99A8-4E992AFF902E}\RP33\A0004082.exe:\run.exe
Is there any way to get rid of it other than formatting the hard disc? Please help.

thanks
Saurabh
Hi Saurabh,

My sympathies are with you.
You can visit http://www.newbie.org/help/index.php?showtopic=2572
and use the instructions available there to remove this trojan.
In case you are still having trouble, please post with details.
As a caution, never install codec files from unknown sites, especially ones showing x-rated pictures.
Use RegCleaner and ZoneAlarm (google them).
Use Firefox 2.0 (just released).
pankaj
 

trader21

Active Member
#3
Among those zillion instructions in the web link I could not find any relevant to fixing the trojan. Please be specific. Can the utilities suggested there be trusted?

I visit very few sites, like nseindia, traderji, gmail and yahoo. I don't know if they provide x-rated content :D
I have 'jv16 PowerTools', a very powerful registry remover.
I had ZoneAlarm some months back when I used to surf a lot. Do I need to install it again? (I already have too much software, games etc. installed.)
I am already using Firefox 2.0. I have XP SP2 (Pro) and 2000.
Can it cause bad sectors in my hard disk or any other hardware damage?

Thanks for the prompt reply.
Saurabh.
 
#4
Hello,

Try Ewido. It is now known as AVG Anti-Spyware. Another method is to go to any of the antivirus websites like McAfee, AVG, etc. and download a standalone cleaner for the trojan. If not, try the virus cleaner Microsoft issues every month, or Lavasoft's Ad-Aware.
 

pkjha30

Well-Known Member
#5
Among those zillion instructions in the web link I could not find any relevant to fixing the trojan. Please be specific. Can the utilities suggested there be trusted?

I visit very few sites, like nseindia, traderji, gmail and yahoo. I don't know if they provide x-rated content :D
I have 'jv16 PowerTools', a very powerful registry remover.
I had ZoneAlarm some months back when I used to surf a lot. Do I need to install it again? (I already have too much software, games etc. installed.)
I am already using Firefox 2.0. I have XP SP2 (Pro) and 2000.
Can it cause bad sectors in my hard disk or any other hardware damage?

Thanks for the prompt reply.
Saurabh.
You have to follow all those zillion instructions step by step, and only then can you really remove this trojan. Moreover, you need a simple but effective registry cleaner. If jv16 does the task, so much the better. Run the HijackThis tool for scan only and then verify the log. It will tell you which registry entries to remove. Also disable System Restore, delete the System Restore volume and then reboot, then enable it again. The registry cleaner will list all registry entries; delete all such offensive entries manually. Thereafter use the automatic cleaner.

Also try to remember when this first happened and which site you had visited or what software you had downloaded. Delete all such software and also remove its entries from the registry. Also run Ewido or AVG as suggested by saji and in the link.
ZoneAlarm is only preventive.

This trojan has a low threat rating but high annoyance value. It will infect many files.
Yes, it can affect the MBR and partition table after some time because of its activities.
The ultimate solution is to reformat the disc twice and then reinstall.
 

trader21

Active Member
#7
I run an AVG scan daily in the morning. As far as I can remember, yesterday I visited 2-3 blogs at blogspot. I run AVG Anti-Spyware once a week. This morning it gave the following result:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:22:12 AM 10/30/2006

+ Scan result:

:mozilla.16:d:\Documents and Settings\Saurabh\Application Data\Mozilla\Firefox\Profiles\55fal6fd.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.20:d:\Documents and Settings\Saurabh\Application Data\Mozilla\Firefox\Profiles\55fal6fd.default\cookies.txt -> TrackingCookie.Com : Cleaned.

::Report end

jv16 had shown 4 registry entries with high threat. I removed all of them.

HijackThis gives the following log:
Logfile of HijackThis v1.99.1
Scan saved at 7:59:05 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\tp4mon.exe
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Sify Broadband\BBImpSec.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\NOTEPAD.EXE
E:\hijackthis\HijackThis.exe


O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SifyBB] D:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BC55E40-2955-4768-9694-75658218902D}: NameServer = 202.144.50.4,202.144.13.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BC55E40-2955-4768-9694-75658218902D}: NameServer = 202.144.50.4,202.144.13.50
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BC55E40-2955-4768-9694-75658218902D}: NameServer = 202.144.50.4,202.144.13.50
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

AVG and McAfee scans now show no virus found. I haven't tried anything else.
Whether the infection is removed or not, you have provided very useful information.
I guess it will help many, since such threats from the internet are not uncommon.

regards
 

pkjha30

Well-Known Member
#8
Next time you can run HijackThis without doing anything first, so that it reports all processes running in the infected state. From the above log file I think it is clear.
However, there are a couple of things you should do. Run msconfig and see which processes are started during boot-up. You can use Startup Inspector also.
Disable/delete unknown processes.
Clear all your restore points in the System Volume manually, then reboot and enable it again. You will not be able to go back to a previous state, but then those states might still contain the trojan.
From now on use ZoneAlarm and block all ports except 80, 8080 and 21, and examine any request for opening ports to see if it is genuine. Ports for MSN, Yahoo Messenger and MySQL (if you are running it) can be enabled later.
Close all ICMP ports.
Disable WINS and the Microsoft network file and printer sharing service (you may not be needing that).
Run a port scan (use some online utility) to check for open ports.

Hope these additional precautions help, in addition to avoiding anything that has X attached to it. :)
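The log-reading step that posts #5 and #8 rely on ("verify the log", "from the above log file I think it is clear") can be made mechanical. What follows is an added example, not code from the thread or from HijackThis: it parses the O4 (Run keys), O17 (DNS servers), O20 (Winlogon Notify) and O21 (SSODL) lines of a HijackThis log and flags the entries worth a second look. The sample input is a constructed copy of lines from the log posted above; the set of expected DNS resolvers is an assumption (here the two addresses already in the log, in practice whatever the ISP or router hands out).

```python
"""Triage the load points in a HijackThis log.

Added example, not from the thread. Parses O4/O17/O20/O21 lines and flags
entries a practitioner would check first: bare or unquoted autorun targets,
resolvers that are not the expected ones, Winlogon DLLs outside SYSTEM32,
and ShellServiceObjectDelayLoad entries (especially ones whose file is gone).
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample input: O4/O17/O20/O21 lines copied from the posted log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SifyBB] D:\Program Files\Sify Broadband\BBImpSec.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BC55E40-2955-4768-9694-75658218902D}: NameServer = 202.144.50.4,202.144.13.50
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
"""

PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<name>.+?): \[(?P<label>[^\]]*)\] (?P<target>.*)$"),
    "O17": re.compile(r"^O17 - (?P<name>.+?): NameServer = (?P<target>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$"),
}
EXE_EXT = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")
SYSTEM32_DLL = re.compile(r"\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Entry:
    section: str   # O4, O17, O20 or O21
    name: str      # value name / DLL name / SSODL name
    target: str    # command line, resolver list or file path
    key: str = ""  # registry key for O4 entries


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


def parse_hjt(text: str) -> List[Entry]:
    """Extract the load-point lines; everything else (processes, headers) is skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for section, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if section == "O4":
                entries.append(Entry("O4", m["label"], m["target"], key=m["name"]))
            else:
                entries.append(Entry(section, m["name"], m["target"]))
            break
    return entries


def executable_of(cmd: str) -> str:
    """Image path an autorun command line resolves to.

    Quoted: the quoted span. Unquoted: Windows tries successively longer
    space-separated prefixes, so take the shortest one ending in an
    executable extension.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXE_EXT):
            return candidate
    return tokens[0]


def triage(entries: List[Entry], expected_dns: Set[str]) -> List[Finding]:
    """Apply per-section review rules; a finding is a prompt to look, not a verdict."""
    findings: List[Finding] = []
    for e in entries:
        reasons: List[str] = []
        if e.section == "O4":
            quoted = e.target.strip().startswith('"')
            exe = executable_of(e.target)
            if "\\" not in exe:
                reasons.append("bare executable name, resolved through PATH at logon")
            elif " " in exe and not quoted:
                reasons.append("unquoted path with spaces; a shorter prefix such as D:\\Program.exe is tried first")
            if not exe.lower().endswith(EXE_EXT):
                reasons.append("autorun target is not an executable image")
        elif e.section == "O17":
            unknown = [s.strip() for s in e.target.split(",") if s.strip() not in expected_dns]
            if unknown:
                reasons.append("resolver not in the expected set: " + ", ".join(unknown))
        elif e.section == "O20":
            if not SYSTEM32_DLL.search(e.target):
                reasons.append("Winlogon Notify DLL outside \\WINDOWS\\SYSTEM32")
        elif e.section == "O21":
            reasons.append("SSODL load point; confirm who owns the CLSID")
            if e.target.strip().lower() == "(no file)":
                reasons.append("registered file is missing; orphan left by a removed loader")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    # Assumed expected resolvers: the two already present in the posted log.
    for f in triage(parse_hjt(SAMPLE_LOG), {"202.144.50.4", "202.144.13.50"}):
        print(f"{f.entry.section} {f.entry.name}: {'; '.join(f.reasons)}")
```

Run against the posted log, the script flags the bare `tp4mon.exe` entry, the two unquoted `Program Files` paths, and the `bestreak` SSODL entry whose file is already gone, and leaves the quoted AVG entry, the WgaLogon DLL and the resolvers alone. A flag only says "read this one first"; a bare name for a vendor helper is normal on many machines, whereas an SSODL entry pointing at `(no file)` is exactly the kind of leftover a registry cleaner is asked to remove.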

