Unsolved


2 Intern • 2.4K Posts


August 16th, 2007 10:00

help TROJ_ZLOB.DOT

Hi


I got this virus, TROJ_ZLOB.DOT. When I delete this from quarantine, will it be done??

File containing potential threat quarantined successfully to folder C:\Documents and Settings\Chris\Application Data\VCOM\SystemSuite\Quarantine, 4, Scanned file: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\akom23sb.default\Cache\C386DA72d01. Potential threat name: TROJ_ZLOB.DOT. User requested to quarantine file. File containing potential threat quarantined successfully.
1187263419, DELL1, Chris, Virus Scanner, File containing potential threat quarantined successfully to folder C:\Documents and Settings\Chris\Application Data\VCOM\SystemSuite\Quarantine, 4, Scanned file: C:\Documents and Settings\Chris\Local Settings\Application Data\Mozilla\Firefox\Profiles\akom23sb.default\Cache\D1778913d01. Potential threat name: TROJ_ZLOB.DOT. User requested to quarantine file. File containing potential threat quarantined successfully.





From Chris

My computer
Dell Dimension 1100
Microsoft Windows XP Home SP 2
512 MB of Ram
Nvidia Geforce FX 5200 256MB
Intel Celeron CPU 2.53GHz
HDD WDC WD800BB-75JCO 80GB C:
HDD Samsung SV2042H 20GB F:
TSSTcorp CDRWDVD TS-H492C D:
LITE-ON DVDRW LDW-851S E:
Linksys wireless-G WUSB54GS With SpeedBooster
Mozilla Firefox 2.0.0.6

My Security Software
VCOM SystemSuite 7 Professional
Windows Defender

Message Edited by helmecj01 on 08-16-2007 06:57 AM

2 Intern • 2.4K Posts

August 16th, 2007 11:00

Hi

I have deleted the quarantined file.







3 Apprentice • 15.6K Posts

August 16th, 2007 12:00

aside from detecting, quarantining, and deleting that file, are you experiencing any "malware-like" symptoms? --- specifically, popups and/or security "warnings"?

zlob is often installed as a "codec", typically when you try to view/download a video file.

if you're actually experiencing problems, i'd run rogueremover and superantispyware... if you need links/details, please ask.

3 Apprentice • 15.6K Posts

August 16th, 2007 13:00

different anti-spyware programs pick up on different programs.
 
i'm not familiar at all with your VCOM suite.
 
Windows Defender is decent.
 
you didn't answer whether you're actually experiencing any noticeable problems (regardless of what windows defender finds).
 
i suggested (rogueremover and) superantispyware as i believe (they/) it might be more successful in hunting for zlob.
 
 

2 Intern • 2.4K Posts

August 16th, 2007 13:00

Hi, I just did the scan: no spyware from Windows Defender.




8 Posts

August 17th, 2007 21:00

Try this one. I had the same problem with Virus Protection Pro, which is a ZLOB; after I did what is recommended below, my PC is free of this.
+ + + + + +
What you have is a classic Smitfraud infection which is caused when the Trojan Zlob gets downloaded to your computer and then Zlob "phones home" to download the phony alerts.

The standard tool to remove Smitfraud is a freebie called SmitfraudFix:
http://siri.urz.free.fr/fix/smitfraudfix...
This should take care of the icon and remaining traces of the infection.

As a final step, scan for trojans and spyware and remove (free online scan, no download) with Ewido.
http://www.ewido.net/en/
This makes sure that the original Trojan Zlob, which caused all your misery in the first place, is totally removed. If Zlob remains, it can "phone home" again and re-infect your computer.

3 Apprentice • 15.6K Posts

August 17th, 2007 22:00

aj,
 
I recognized Zlob as being a likely Smitfraud variant, which is why I suggested use of RogueRemover and/or SuperAntiSpyware, both of which target many (but not all) smitfraud variants.  [i don't believe Windows Defender, which Helmec was relying upon, does so]
 
SmitFraud Fix is generally reserved for use by experts in the HiJackThis forum, rather than "generic" advice here in the virus/spyware forum, for the following reasons:
1)  If SmitFraud is not (or no longer) present, RogueRemover and SuperAntiSpyware will simply report not finding it, and won't force the Smitfraud-issue beyond that.  In contrast:
1b) If SmitFraud is not (or no longer) present, and someone runs SmitFraud Fix option #2, it will remove their background ("wallpaper") --- even on a completely clean machine! And then people complain that SmitfraudFix changed things it didn't have to.
Additionally, option #1 (the "report"), is not really useful, except to an expert who can properly interpret it.
 
2) SmitFraud Fix will run on XP (which helmec fortunately has)... however, it does *not* work properly --- and in fact, will cause major problems --- if run under Vista!!   So it's very important for any "generic" advice to include this disclaimer.
 
=============
 
as for ewido, there are reports that ewido has been "overly-aggressive" at times, removing some "UNinstallers" before completely removing the underlying infection... as such, if a person still finds the infection present, and wishes to remove it via Control Panel, Add/Remove programs, their attempt will fail, if ewido has already removed the uninstaller.
And while you may note that the HJT experts often do make use of ewido in the HJT forum, they do so only after they're reasonably certain they've already removed the major problems.
 
=================
 
again, we're glad to hear that everything worked out for you!   i don't know if you received specialized/personalized help (such as HiJackThis analysis), or if you just came across some tutorial, or found a "removal page" by googling Virus Protection Pro [or Zlob].   But we really need to be careful how we dispense generic advice in this forum.



Message Edited by ky331 on 08-17-2007 07:54 PM

2 Intern • 2.4K Posts

August 18th, 2007 09:00

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:21 AM, on 18/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\QuickTime\QTTask.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-790525478-113007714-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-790525478-113007714-725345543-1004\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 7877 bytes
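The log above is the kind of thing the HiJackThis forum volunteers read by eye. As an added example (not code from this thread, from Trend Micro, or from HijackThis itself), here is a small Python triage script that parses the `Oxx - ...` entry lines and flags the handful of patterns an analyst checks first: entries whose target is `(no file)` (leftover registrations), `O23` services with `Unknown owner`, `O16` DPF entries with no download source, and `O4` autorun commands that name a bare executable with no directory, which Windows resolves by searching `PATH` rather than from a fixed location. The sample input is an abridged copy of the log posted in this thread; the rule names, the `Finding` class and the heuristics are my own assumptions, and a flag is a prompt to look closer, not a verdict (several of the flagged entries here are benign Logitech, NVIDIA and Dell components).

```python
"""Triage helper for HijackThis-style logs (added example; heuristics are assumptions)."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted in this thread,
# abridged to a few benign entries plus the ones the rules below react to.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
"""

# "O4 - HKLM\..\Run: [Name] command" style entry lines; header and process list are ignored.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
SERVICE_ENTRY = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # short rule tag (assumed naming)
    detail: str  # the part of the entry that triggered the rule
    line: str    # the full original log line, for the analyst


def parse_entries(log_text):
    """Yield (code, body, line) for every 'Oxx - ...' line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def first_token(cmd):
    """Return the executable part of an autorun command, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_unqualified(path):
    """True when the command names a file with no directory, so it is resolved by PATH search."""
    return "\\" not in path and ":" not in path


def triage(log_text):
    """Apply the review heuristics and return the list of Finding objects, in log order."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if body.endswith("(no file)"):
            # Registration still present but its file is gone: dead weight, safe to clean up.
            findings.append(Finding(code, "orphan-no-file", body, line))
            continue
        if code == "O4":
            m = RUN_ENTRY.match(body)
            if m and is_unqualified(first_token(m.group("cmd"))):
                findings.append(Finding(code, "unqualified-autorun", first_token(m.group("cmd")), line))
        elif code == "O23":
            m = SERVICE_ENTRY.match(body)
            if m and m.group("owner").lower() == "unknown owner":
                # No vendor string on the service binary: confirm what installed it.
                findings.append(Finding(code, "unknown-service-owner", m.group("name"), line))
        elif code == "O16" and body.rstrip().endswith("-"):
            # Downloaded Program File with no source URL recorded.
            findings.append(Finding(code, "dpf-missing-source", body, line))
    return findings


def summarize(findings):
    """Count findings per rule tag."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason:22} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as a script to see the flagged entries, or paste a full log into `SAMPLE_LOG`. On the abridged sample it reports two `(no file)` orphans, the two `PATH`-resolved autoruns (`KHALMNPR.EXE` and `nwiz.exe`), the empty DPF entry and the two services without an owner string; everything else in the log passes through silently, which is the point of a first-pass filter for a log this long.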

2 Intern • 2.4K Posts

August 18th, 2007 09:00

Hi

I did a scan of my computer with AVG Anti-Spyware 7.5: no spyware.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:02:25 AM 18/08/2007

+ Scan result:



Nothing found.



::Report end




From Chris

My computer
Dell Dimension 1100
Microsoft Windows XP Home SP 2
512 MB of Ram
Nvidia Geforce FX 5200 256MB
Intel Celeron CPU 2.53GHz
HDD WDC WD800BB-75JCO 80GB C:
HDD Samsung SV2042H 20GB F:
TSSTcorp CDRWDVD TS-H492C D:
LITE-ON DVDRW LDW-851S E:
Linksys wireless-G WUSB54GS With SpeedBooster
Mozilla Firefox 2.0.0.6

My Security Software
VCOM SystemSuite 7 Professional
AVG Anti-Spyware 7.5

Message Edited by helmecj01 on 08-18-2007 05:42 AM

3 Apprentice • 15.6K Posts

August 18th, 2007 10:00

chris,
 
if you want your HJT log to be analyzed, you'll need to [re-]post it in the HiJackThis forum, here:
