
Trojan Horses: Zafi B to Zlob.AJKB

AVG 8 detected a Zafi B virus on my daughter's PC; I'm not sure how/where she got it but AVG 8 was apparently up to date at the time. I couldn't get rid of it so downloaded vcleaner.exe from AVG on to a flash drive via my PC and then used it when rebooting my daughter's PC in safe mode. It completed a scan but left no result. I then restarted my daughter's PC and AVG detected a Zlob.AJKB virus. It was moved to the Virus Vault & deleted but every time I tried a full scan of the system, it crashed and I got a Blue Screen Error report: one referred to a device or driver problem and another referred to a wireless network problem. I'm wondering if the virus has something to do with the crashes?

So I disconnected from the internet and managed a full AVG scan which was clean. Left the PC on for a couple of hours without being used and next time I look, the Zlob virus is back.

Should I try to solve it starting with Browntoa's advice in the sticky, beginning with Malwarebytes' Anti-Malware, or is there likely to be more to it than that? Is the virus likely to interfere with downloading a solution (which was why I understood I needed to download vcleaner to my PC first)?

All advice gratefully accepted.

Comments

  • Malwarebytes

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself.
    • Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
  • I would then be inclined to follow it up with an online scan, using something like Nod32 - it's free and will take a while to run.
    Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
    1. Check (tick) this box: YES, I accept the Terms of Use.
    2. Click on the Start button next to it.
    3. When prompted to run ActiveX, click Yes.
    4. You will be asked to install an ActiveX. Click Install.
    5. Once installed, the scanner will be initialized.
    6. After the scanner is initialized, click Start.
    7. Uncheck (untick) Remove found threats box.
    8. Check (tick) Scan unwanted applications.
    9. Click on Scan.
    10. It will start scanning. Please be patient.
    11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.
  • johnllew
    johnllew Posts: 1,928 Forumite
    Thanks. I used MBAM and during the scan got a Resident Shield alert from AVG:
    threat detected!

    File name: C:\System Volume Information\_restore{F&BE9A58-2D68-4AE6-BD9E-C8890908EE1C}\RP880\A0129264.dll

    threat name: Trojan horse Downloader.Zlob.AJKB
    Detected on open.

    I haven't healed or moved to vault yet. Can't see it in the log file. Any idea what's going on?

    Here's the MBAM log file:

    Malwarebytes' Anti-Malware 1.34
    Database version: 1778
    Windows 5.1.2600 Service Pack 3
    19/02/2009 13:22:29
    mbam-log-2009-02-19 (13-22-29).txt
    Scan type: Quick Scan
    Objects scanned: 67970
    Time elapsed: 6 minute(s), 20 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 16
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 1
    Files Infected: 5
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{7819bded-4ab8-4b4b-83da-f2823b146ddd} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{38be0c64-3fd2-44b2-a94b-ba16bf860e01} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b2c002ef-dba8-4b96-ac9d-7d231aa2fb56} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3b5e9b23-7537-4601-a9e8-fa0d956dea16} (Adware.Coupons) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    Files Infected:
    C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
    C:\WINDOWS\csauie1.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Annie\Favorites\MP3 Download, music mp3 downloads. ALLOFMP3..url (Rogue.Link) -> Quarantined and deleted successfully.
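The MBAM log above has a fixed layout: a block of declared counts ("Registry Keys Infected: 16"), then one section per category listing each item as `<item> (<family>) -> <action>.`. When a log is pasted into a thread it is worth checking that the declared counts match the items actually listed (a mismatch means the paste was truncated or edited) and picking out any item whose action is not "Quarantined and deleted successfully", since those are the ones that need the reboot the helper insists on. The parser below is an added example written for this page, not code from Malwarebytes or from the forum; the log excerpt it runs on is constructed in the same layout as the posted log, with the "Files Infected" count deliberately wrong to exercise the check, and the function names are the author's own.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the MBAM 1.34 log posted above.
# "Files Infected: 3" is deliberately one higher than the two files listed.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 3
Scan type: Quick Scan
Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\Documents and Settings\Annie\Favorites\MP3 Download.url (Rogue.Link) -> Delete on reboot.
"""

# "Registry Keys Infected: 16"  -> a declared count in the summary block
DECLARED_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"     -> start of a section listing items
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<family>) -> <action>."  (the item itself may contain parentheses)
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"
CLEAN_ACTION = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (declared_counts, detections): declared maps section -> int,
    detections maps section -> list of {item, family, action} dicts."""
    declared, detections, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DECLARED_RE.match(line)
        if m:
            declared[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            detections.setdefault(section, [])
            continue
        if section is None or line == NO_ITEMS:
            continue
        m = ITEM_RE.match(line)
        if m:
            detections[section].append(
                {"item": m["item"], "family": m["family"], "action": m["action"]})
    return declared, detections


def check_counts(declared, detections):
    """Sections whose declared count differs from the items listed,
    as {section: (declared, listed)}. Empty dict means the log is intact."""
    return {s: (declared.get(s, 0), len(items))
            for s, items in detections.items() if declared.get(s, 0) != len(items)}


def family_summary(detections):
    """How many items each detection family accounted for."""
    return Counter(d["family"] for items in detections.values() for d in items)


def pending_actions(detections):
    """Items MBAM could not remove immediately (e.g. 'Delete on reboot');
    these are why a normal reboot is required straight after the scan."""
    return [d["item"] for items in detections.values() for d in items
            if d["action"] != CLEAN_ACTION]


if __name__ == "__main__":
    declared, found = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(declared, found))
    print("families:", dict(family_summary(found)))
    print("needs reboot:", pending_actions(found))
```

Run against the full log in the post, `check_counts` comes back empty (16 keys, 1 value, 1 folder, 5 files are all listed) and every action is the clean one, which is consistent with the helper's reading that MBAM found and removed adware in live locations, while the Zlob hits AVG is reporting are somewhere else entirely.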
  • The detected file is in your system restore - we can clean that up when you are properly clean.

    Have you run Nod32 yet?
  • johnllew
    johnllew Posts: 1,928 Forumite
    Have you run Nod32 yet?
    That's next; I just wanted to know if I needed to do anything else first. I'll move the virus to the vault and try Nod32. Report soon.
  • johnllew
    johnllew Posts: 1,928 Forumite
    Eset found nothing but I couldn't find the log file.
  • johnllew
    johnllew Posts: 1,928 Forumite
    Another alert:
    threat detected!

    File name: C:\System Volume Information\_restore{F&BE9A58-2D68-4AE6-BD9E-C8890908EE1C}\RP881\A0129303.exe

    threat name: Trojan horse Downloader.Zlob.AIAJ
    Detected on open.
  • gaming_guy
    gaming_guy Posts: 6,128 Forumite
    johnllew wrote: »
    Another alert:
    That's because it's hiding in a restore point, as pointed out above.
  • DCFC79
    DCFC79 Posts: 40,610 Forumite
    johnllew wrote: »
    Another alert:

    reluctant spender said it would be sorted when the machine's clean
  • That is in your System restore

    flush your restore points as below;
      • Turn System Restore off
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.
      Restart
      • Turn System Restore on
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Uncheck *Turn off System Restore*.
      • Click Apply, and then click OK.
      Note: only do this once, and not on a regular basis
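The point the helpers are making about the two AVG alerts turns entirely on the path: anything under `C:\System Volume Information\_restore{...}\RP<n>\` is a copy that Windows XP's System Restore took of a file at the time, not the file in its original location, so it only becomes live again if that restore point is used. Flushing every restore point, as described above, deletes those copies. The triage script below is an added example written for this page, not code from AVG or from the forum: it reads alerts in the "File name: / threat name:" layout johnllew pasted, classifies each path as a restore-point copy or a live file, and produces a verdict. The alert text is constructed (the GUID is a placeholder, not the one on the page, and `example.dll` is an invented live path), and the function names are the author's own.

```python
import re

# Constructed alerts in the layout of the AVG Resident Shield alerts posted
# above. The restore-point GUID is a placeholder, not the one from the thread.
SAMPLE_ALERTS = r"""threat detected!

File name: C:\System Volume Information\_restore{00000000-1111-2222-3333-444444444444}\RP880\A0129264.dll

threat name: Trojan horse Downloader.Zlob.AJKB
Detected on open.

threat detected!

File name: C:\System Volume Information\_restore{00000000-1111-2222-3333-444444444444}\RP881\A0129303.exe

threat name: Trojan horse Downloader.Zlob.AIAJ
Detected on open.
"""

# Constructed alert on a live path (invented filename), for contrast.
SAMPLE_LIVE = r"""threat detected!
File name: C:\WINDOWS\system32\example.dll
threat name: Trojan horse Downloader.Zlob.AJKB
Detected on open.
"""

# XP System Restore layout: <drive>:\System Volume Information\_restore{GUID}\RP<n>\<file>
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):[\\/]System Volume Information[\\/]_restore\{"
    r"(?P<guid>[0-9A-Fa-f-]{36})\}[\\/]RP(?P<rp>\d+)[\\/](?P<file>[^\\/]+)$",
    re.IGNORECASE)


def parse_alerts(text):
    """Extract {path, threat} pairs from pasted 'File name:' / 'threat name:' lines."""
    alerts, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("file name:"):
            current = {"path": line.split(":", 1)[1].strip()}
        elif line.lower().startswith("threat name:") and current:
            current["threat"] = line.split(":", 1)[1].strip()
            alerts.append(current)
            current = {}
    return alerts


def classify_path(path):
    """Say whether a detection path is a System Restore copy or a live file."""
    m = RESTORE_RE.match(path)
    if m:
        return {"location": "restore_point", "rp": int(m["rp"]), "file": m["file"]}
    basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return {"location": "live", "rp": None, "file": basename}


def triage(alerts):
    """Combine the alerts into a verdict: live hits mean the machine is still
    infected; restore-point-only hits mean clean up, then flush System Restore."""
    rows = [dict(a, **classify_path(a["path"])) for a in alerts]
    live = [r for r in rows if r["location"] == "live"]
    restore_points = sorted({r["rp"] for r in rows if r["rp"] is not None})
    if live:
        verdict = "live detections: machine still infected, keep cleaning"
    elif restore_points:
        verdict = "only restore-point copies: finish cleaning, then flush System Restore"
    else:
        verdict = "no detections"
    return {"rows": rows, "live": live, "restore_points": restore_points,
            "verdict": verdict}


if __name__ == "__main__":
    for sample in (SAMPLE_ALERTS, SAMPLE_LIVE):
        result = triage(parse_alerts(sample))
        print(result["verdict"], "| restore points:", result["restore_points"])
```

The order matters in practice, and the script only encodes it: turning System Restore off discards every restore point, including any clean one, so it is done once, after the live system scans clean, exactly as the note above says.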