Trojan Horses: Zafi B to Zlob.AJKB
johnllew
Posts: 1,928 Forumite
in Techie Stuff
AVG 8 detected a Zafi B virus on my daughter's PC; I'm not sure how/where she got it but AVG 8 was apparently up to date at the time. I couldn't get rid of it so downloaded vcleaner.exe from AVG on to a flash drive via my PC and then used it when rebooting my daughter's PC in safe mode. It completed a scan but left no result. I then restarted my daughter's PC and AVG detected a Zlob.AJKB virus. It was moved to the Virus Vault & deleted but every time I tried a full scan of the system, it crashed and I got a Blue Screen Error report: one referred to a device or driver problem and another referred to a wireless network problem. I'm wondering if the virus has something to do with the crashes?
So I disconnected from the internet and managed a full AVG scan which was clean. Left the PC on for a couple of hours without being used and next time I look, the Zlob virus is back.
Should I try to solve it starting with Browntoa's advice (beginning with Malwarebytes' Anti-Malware in the sticky), or is there likely to be more to it than that? Is the virus likely to interfere with downloading a solution (which was why I understood I needed to download vcleaner to my PC first)?
All advice gratefully accepted.
Comments
Malwarebytes
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
- Make sure you are connected to the Internet.
- Double-click on mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, the program will automatically update itself.
- Press the OK button to close that box and continue.
- If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
- When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
- Click OK to close the message box and continue with the removal process.
- Click on the Show Results button to see a list of any malware that was found.
- Make sure that everything is checked, and click Remove Selected.
- When removal is completed, a log report will open in Notepad.
- The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply and exit MBAM.
I would then be inclined to follow it up with an online scan, using something like Nod32 - it's free and will take a while to run.
Please go to the Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
- Check (tick) this box: YES, I accept the Terms of Use.
- Click on the Start button next to it.
- When prompted to run ActiveX, click Yes.
- You will be asked to install an ActiveX. Click Install.
- Once installed, the scanner will be initialized.
- After the scanner is initialized, click Start.
- Uncheck (untick) Remove found threats box.
- Check (tick) Scan unwanted applications.
- Click on Scan.
- It will start scanning. Please be patient.
- Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.
Thanks. I used MBAM and during the scan got a Resident Shield alert from AVG: threat detected!
File name: C:\System Volume Information\_restore{F&BE9A58-2D68-4AE6-BD9E-C8890908EE1C}\RP880\A0129264.dll
threat name: Trojan horse Downloader.Zlob.AJKB
Detected on open.
I haven't healed or moved to vault yet. Can't see it in the log file. Any idea what's going on?
Here's the MBAM log file:
Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 3
19/02/2009 13:22:29
mbam-log-2009-02-19 (13-22-29).txt
Scan type: Quick Scan
Objects scanned: 67970
Time elapsed: 6 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\!!9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\!!9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\!!87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\!!6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\!!7819bded-4ab8-4b4b-83da-f2823b146ddd} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\!!38be0c64-3fd2-44b2-a94b-ba16bf860e01} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b2c002ef-dba8-4b96-ac9d-7d231aa2fb56} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\!!3b5e9b23-7537-4601-a9e8-fa0d956dea16} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\csauie1.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Favorites\MP3 Download, music mp3 downloads. ALLOFMP3..url (Rogue.Link) -> Quarantined and deleted successfully.
The detected file is in your system restore - we can clean that up when you are properly clean.
Have you run Nod32 yet?
Reluctant_spender wrote: » Have you run Nod32 yet?
Eset found nothing but I couldn't find the log file.
Another alert: threat detected!
File name: C:\System Volume Information\_restore{F&BE9A58-2D68-4AE6-BD9E-C8890908EE1C}\RP881\A0129303.exe
threat name: Trojan horse Downloader.Zlob.AIAJ
Detected on open.
That is in your System Restore.
Flush your restore points as below:
- Turn System Restore off
- On the Desktop, right click on the My Computer icon.
- Click Properties.
- Click the System Restore tab.
- Check Turn off System Restore.
- Click Apply, and then click OK.
- Turn System Restore on
- On the Desktop, right click on the My Computer icon.
- Click Properties.
- Click the System Restore tab.
- Uncheck *Turn off System Restore*.
- Click Apply, and then click OK.
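As an added example (constructed for this thread, not code from the forum or from AVG, MBAM or Eset), a small Python triage script that tells a detection sitting in a System Restore point (the _restore{GUID}\RPnnn\ copies AVG kept alerting on) apart from one in the live file system, and parses MBAM-style itemised result lines; the GUID and sample lines are made up to resemble the ones quoted above.

```python
import re

# Constructed sample input modelled on the thread (GUID and paths are made up):
# two AVG Resident Shield alert paths and three MBAM-style itemised result lines.
AVG_ALERTS = [
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP880\A0129264.dll",
    r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP881\A0129303.exe",
]
MBAM_LINES = r"""
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
"""

# System Restore keeps copies of changed files under <drive>\System Volume Information\_restore{<GUID>}\RP<n>\ ;
# a detection there is a cached copy, not a file the running system is using.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\RP(\d+)\\", re.IGNORECASE)
# One itemised MBAM result line: "<path> (<family>) -> <action>."
MBAM_ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")

def classify_path(path):
    """('restore-point', n) for a copy cached by restore point RPn, else ('live', None)."""
    m = RESTORE_POINT_RE.search(path)
    return ("restore-point", int(m.group(1))) if m else ("live", None)

def parse_mbam_items(text):
    """Return a list of {'path', 'family', 'action'} dicts, one per itemised MBAM line."""
    items = []
    for line in text.splitlines():
        m = MBAM_ITEM_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items

def triage(paths):
    """Split detections into live files (clean these now) and restore-point copies
    grouped by RP number (these go away when the restore points are flushed)."""
    live, cached = [], {}
    for p in paths:
        kind, rp = classify_path(p)
        if kind == "live":
            live.append(p)
        else:
            cached.setdefault(rp, []).append(p)
    return live, cached
```

Running triage over the AVG alert paths plus the MBAM item paths shows why the AVG hits never appeared in the MBAM log: the MBAM items are live files, while both AVG detections are restore-point copies.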