security pop-ups
Bowed 10-02-2006, 01:39 AM Gee, here we go again. I used this clickity someone put up and the screen flashed. I knew something loaded and now I am getting security warnings to load this or that program to protect my computer. I deleted everything I could find that had loaded but it's still here. Some of the identifiers are www.virusburst.com, http://testonsecurity.com and spyware cyberlog-X, or something like that. I tried fixing item O2 no name BHO but it's still there too. Here is my HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 10:22:48 PM, on 10/1/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\MMaestro\BWheel35.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\ktdata\sysmon32.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\ismini.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://67-72chevyt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windows update.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosi te.com;*.dir.untd.com;*.prod.untd.com;*.tvguide.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sysmon] c:\ktdata\sysmon32.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EAAA77C-2EF7-44A1-8C74-DF94D8BB13C9}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EAAA77C-2EF7-44A1-8C74-DF94D8BB13C9}: NameServer = 64.136.20.121 64.136.28.121
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
shifty 10-02-2006, 12:17 PM Close all programs that are running (including this browser window).
Open Hijackthis, choose SCAN ONLY. Put a checkmark next to this line in Hijackthis and click the FIX button:
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
Reboot. Go back in and delete the file [b]ixt0.dll[/b].
Scan another logfile afterwards and post it here, let me know if the problem persists.
Also, go install SP2 for Windows XP, it has a lot of security updates to prevent crap like this from exploiting your system. Here is a download link: http://www.microsoft.com/windowsxp/sp2/default.mspx
Let me know how all goes.
Bowed 10-02-2006, 05:10 PM Shifty, I tried the outlined steps with all windows closed. I tried both online and off and the program will not delete. The message is "cannot delete, another person or program is using", etc.
What I find in System32 is ixT0.dll
issearch
isnotify
ismini
ishost
AVG today found: Trojan horse Downloader.Agent.FVS.
c:\windows\temp\ia.exe or
ja.exe?
I do have SP2 and all the hotfixes in Add or Remove Programs. At the present time I would guess I am disowned by Microsoft after being classified an XP counterfeit copy. Funny, they are also telling my wife that her brand new Hewlett Packard that has never been touched is also tagged counterfeit XP :confused:
Thanks.
shifty 10-02-2006, 05:36 PM First off, if your wife is being tagged as counterfeit and so are you, this happened to me after contracting some spyware recently. If you have a legitimate copy with the license (the sticker should be on, under, or behind the computer somewhere), call their 1-800 number (they should give it to you when you click the counterfeit popup balloon) and talk to them about this. They will help you get rid of that stupid crap popup stuff and get your system legit without paying any money.
As for your infection, congrats, you have contracted the Zlob trojan. It's a pain in the ass to get rid of. Rather than try to help you get rid of it, I'm going to give you a suggestion:
Use System Restore to revert your computer back to the day BEFORE you got infected. System Restore can be found in the Start menu under Programs>Accessories>System Tools.
Choose the option to restore your computer to a previous time. As you walk through the restore wizard, you will eventually be asked to pick a day on the calendar to restore to - dates in blue/bold are ones you can roll back to.
Once you've gotten there, I would do a full scan online at http://housecall.trendmicro.com - this will take some time.
This is a tough one to get rid of - an employee got it a few weeks ago - it took me 8 hours to completely get rid of the bastard, and I didn't write down how I did it (lots of folder/file permissions changes and registry hacking, which is advanced stuff). All I remember is every time I would kill it, it would download more crap from some hidden file on reboot and I would have 5x as much crap on it as before. :( Very annoying.
I just hope it lets you restore - his wouldn't.
Please let me know the results of the restore, then the scan.
shifty 10-02-2006, 05:38 PM PS - this is the description of what you are infected with:
Description:
isnotify.exe is a process associated with Trojan.W32.Zlob. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. If found on your system make sure that you have downloaded the latest update for your antivirus application.
It's always good to be aware of what you're up against and what the penalties of your actions online can be. :)
chevymad 10-04-2006, 11:55 PM I got this a couple of days ago. Was trying to watch a video and it said I needed to d/l a plugin, "Video Codec 9". Don't do this! lol. I tried all kinds of different scanners. Spybot removed part of it, at least allowing the machine to function decently. IE was totally messed up, it wouldn't even go anywhere near any antivirus company's website. It would just take you to their links. I ended up using Opera to navigate the web looking for a cure. Trend Micro's virus scanner found nothing at all. Trend Micro Housecall found it, but locked up during removal. Learned something else: Trend recommended disabling System Restore and doing the scan in safe mode. Well, try System Restore first, because after you disable it, it erases all your restore points.
Finally I d/l'd HijackThis. I then copied/pasted the log file into their online analyzer. I deleted everything it marked as a problem. It also pointed to a couple of files in a program folder marked "Video Codec", which also happened to have been created at exactly the time I started having trouble. So I deleted this folder. After this I ran various virus and malware scans. No more trouble! Yippee!
Bowed 10-05-2006, 12:23 AM Shifty, I didn't use System Restore. I knew the time that I got it, so I went through all of System32 and found everything with that known creation date that also showed improper properties descriptions. It was actually in 10 or 12 places. I used my overwrite program and then safe mode to get rid of all offending items. This is the second day and no sign of a return. Shifty, thanks for your help again. I was able to get rid of it only because of what I have learned from you.
Logfile of HijackThis v1.99.1
Scan saved at 9:10:23 PM, on 10/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\MMaestro\BWheel35.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\ktdata\sysmon32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://67-72chevyt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*microsoft.com;*windows update.com;*wustat.windows.com;*.pogo.com;*.worldwinner.com;*test-speed.com;liveupdate.symantecliveupdate.com;*symantec.com;*.nai.com;*.networkassociates.com;*photosi te.com;*.dir.untd.com;*.prod.untd.com;*.tvguide.com;<local>
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] C:\MMaestro\BWheel35.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sysmon] c:\ktdata\sysmon32.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EAAA77C-2EF7-44A1-8C74-DF94D8BB13C9}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EAAA77C-2EF7-44A1-8C74-DF94D8BB13C9}: NameServer = 64.136.20.121 64.136.28.121
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
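The thread's workflow is a before/after comparison of two HijackThis logs: which running processes and which Rx/Oxx entries disappeared after the fix. This added example (not HijackThis's own code, nor anything shifty posted) parses two constructed excerpts of the logs above, diffs them, and pulls out the one pattern shifty told the OP to fix, an O2 BHO with "(no name)".

```python
# Added example for this thread (not HijackThis's own code): parse two
# HijackThis logs and report what a cleanup removed or added, plus the one
# pattern shifty flagged, an O2 BHO with "(no name)". BEFORE and AFTER are
# constructed excerpts of the two logs posted in the thread.
import re

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - ")  # "O2 - BHO: ...", "R1 - ..."


def parse_hjt(text):
    """Return (running processes, config entries) from a HijackThis log."""
    processes, entries = set(), set()
    in_procs = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
        elif ENTRY_RE.match(line):
            in_procs = False          # first Rx/Oxx line ends the process list
            entries.add(line)
        elif in_procs:
            processes.add(line)
    return processes, entries


def diff_logs(before, after):
    """Set differences between a pre-cleanup and a post-cleanup log."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {"processes_gone": sorted(pb - pa), "processes_new": sorted(pa - pb),
            "entries_gone": sorted(eb - ea), "entries_new": sorted(ea - eb)}


def unnamed_bhos(entries):
    """O2 BHO entries with no name: the line shifty told the OP to fix."""
    return sorted(e for e in entries if e.startswith("O2 - BHO: (no name)"))


BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\ismini.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O4 - HKLM\..\Run: [Sysmon] c:\ktdata\sysmon32.exe
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O4 - HKLM\..\Run: [Sysmon] c:\ktdata\sysmon32.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
"""

if __name__ == "__main__":
    for key, lines in diff_logs(BEFORE, AFTER).items():
        print(key, *lines, sep="\n  ")
    print("unnamed BHOs before:", unnamed_bhos(parse_hjt(BEFORE)[1]))
```

Run against the full logs, the diff shows the four is*.exe processes and the ixt0.dll BHO gone and only the Trend Micro Housecall O16 entry added, which is the evidence a helper would want before calling the machine clean.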
shifty 10-05-2006, 09:43 AM I will leave you with a little tidbit as far as cleanup goes.
There is a program out there called 'smitRem'. You can use Google to find it. It will scan for leftovers from this infection and several others and remove them. Very useful.
Also, Ewido will also find them and give you a graphical display. I tried several times to get rid of Zlob and all the added crap using Ewido and it just couldn't seem to do it. Ewido is free for 30 days: www.ewido.com
I know you're satisfied it's clean, but actually I think both of you should download, install, update and then scan with Ewido just to be 100%.
If it finds anything, let me know. I thought I had that bastard licked too and I missed one piece of it! After three reboots (a couple of days) the downloader portion of this infection re-downloaded everything again and reinfected me :)
Sneaky little bugger!!
shifty 10-05-2006, 09:47 AM Oh - one other thing!!!
With regard to checking creation dates, that is VERY smart on your part!
One of the ways I killed this infection was to go into the \windows\system32 folder, click on the "View" menu and choose "Details" to show all file information on everything in there. I then sorted everything by creation date and this is how I found the downloader - every time I rebooted, it would rename the downloader to some random series of characters and it would have a creation date within the last 72 hours.
I killed it (finally) by removing all permissions to the file, taking ownership of it, then adding execution permissions for me only. When I rebooted, the system did not have adequate permissions to execute the file.
Bowed 10-05-2006, 04:39 PM Uhhhh, seems you are right on. The Ewido scan said the following downloaders are in place:
Mediket.br
.zlob.anb
.zlob.ans
.zlob.ana
.agent.ayq
Looks like more practice for me.
shifty 10-05-2006, 06:46 PM hehe
Told you so. There's a reason it took me 8 hours of work to get rid of the bastard. That's why I suggested just doing a System Restore and going back to a day before it's installed.
I will leave you with these two thoughts for you to dork with and help you if you want to ask for help or just get frustrated:
Link to my thoughts on how to alter file permissions:
http://www.myunreal.com/showthread.php?t=73484
Pay special attention where I mention finding the "DLL" file, then right-clicking it and changing options. If you use Windows XP Home, please scroll farther into the page (23rd post in) for details on how to change permissions using the Command Prompt, which is a program in your Accessories Folder (look in the start menu).
Also, a reminder - download SmitRem. It's available here:
http://noahdfear.geekstogo.com/
If you want to give this a shot - Read the usage instructions here: http://www.bleepingcomputer.com/files/smitRem.php
I suggest you boot to safe mode when using this tool. Less chance of those files being in use ;)
shifty 10-05-2006, 06:53 PM I found that supposedly the Microsoft Malicious Software Removal tool is supposed to get rid of it also - this is normally downloaded here, I think:
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fZlob
You may also try this removal tool:
http://www.gdata.pl/kmdownload/download.php?op=getit&id=61
Either way - good luck and keep me posted. I'm happy to help out.
chevymad 10-05-2006, 11:30 PM I tried the Malicious Software Removal Tool when I was fighting this. No good. Didn't find anything to fix. I did run Windows Defender though after getting rid of the codec folder. That seemed to find and remove a lot of leftovers. Actually looks to have quarantined them, because Ewido is finding them in the quarantine folders. Ewido hasn't found anything else so far besides some tracking cookies. (half way through at the moment)
shifty 10-05-2006, 11:38 PM Windows Defender is the same as Microsoft AntiSpyware, and I believe they have the same definitions as the Malicious Software Removal Tool built in, but not 100% positive on that.
chevymad 10-05-2006, 11:49 PM I'm pretty sure I ran the malicious tool before Defender. So evidently Defender can find more.
shifty 10-06-2006, 12:25 AM Yeah, I'm just trying to express that Defender is the way to go; using both is redundant (I think). Defender has a ton of other definitions, including the ones from the malicious tool. The malicious tool is primarily for virus/trojan removal from what I gather, and updates come in for it automatically monthly via Windows Update.
Bowed 10-10-2006, 12:11 AM Very good write-up on permissions. I followed the directions 3X but did not find geeda or gedcd DLLs. Remember I was in safe mode and deleted a lot of stuff so maybe they won't show for me.
AVG 7.5 finds Zlob in System Volume Information. How do you get in there?
AVG 7.5 keeps finding "not a virus" in win32.
Some of my files have 5 group or user names in permissions:
administrator
J. Smith (me)
system
power users
users
Is that kosher?
shifty 10-10-2006, 03:22 PM the DLL files will not have the same names. You will need to run SmitRem (google for this program, it's great and simple, no install required) and use it to generate a report to get the rogue file names (if you post the report, I can tell you the filenames).
Or, just watch after running a spyware cleaner and rebooting after - sort the contents of the system32 folder based on the date/timestamp and you will see certain DLL files renewing themselves - those are the ones you need to sh*tcan!
System Volume Info is your System Restore checkpoint area. You will need to turn OFF System Restore, then apply that change, then turn it ON again (be sure to turn it on!). This will flush the restore points.
As for "not a virus", can you get more info on the filename that is showing as infected? Also, is there more info on this "not a virus", like, a link to their website from inside the report?
As for the group and username permissions, yes, that is perfectly normal. Most files and folders will allow those groups and users to have permission to edit/alter/view/fully control them. Normally when viruses and spyware infect your system, they run at the "SYSTEM" level, so removing "System" from the permissions list and applying that change, then rebooting will stop anything from reading/executing that file as the "SYSTEM".
Bowed 10-12-2006, 02:36 AM This is what I meant by "not a virus".
If you can't magnify with the Windows Picture and Fax Viewer I will get larger pictures.
shifty 10-12-2006, 11:18 AM Ok. With what I see there, I would:
* Go into the Program Files/Hijackthis/Backups directory and delete anything in the lists you just posted in those screencaps or nuke the backups folder content entirely.
* Empty the AVG Antispy quarantine
* Turn system restore off, apply, then turn on again, apply.
* Re-scan with AVG antispy afterwards.
* Any trojan DLLs that show up in C:\Windows\System32\ need to have the permissions tweaked as explained in the post linked up above.
* You need to reboot afterwards, then remove the DLL files (delete), as stated in the post linked up above.
* If you deleted anything, you will need to turn off System Restore, apply, then turn it on again to flush the DLL files (Windows will back them up when you delete them, hence why you need to flush your restore points).
I would scan again afterwards and report back on anything you find.
As for Not-A-Virus.Hoax.Win32.Renos.fh, it's part of the "Renos" spyware (search Google for "renos hoax" to see some variants) and it's got "hoax" in the title because it gives you fake messages about being infected or insecure. It's a downloader trojan, also known as SpySheriff or Spywad, possibly a SpyAxe variant.
Tough to get rid of, normally.