Zlob Trojan - Newbie on group - Help please!

Sorry if this was dealt with recently but this is my first look at
this group.

Running Win2000 on an Athlon 2000+
Free ZoneAlarm and AVG *Pro*

First symptom - ZoneAlarm squeaked about dfrgsrv.exe trying to go out
on the internet.
What's dfrgsvr I wondered - "svr" sounds dangerous (Defrag Server?)
I denied the access.
I found the file dfrgsvr.exe sitting in C:\WINNT\system32.
Ran Micro$oft AntiSpyware Beta 1 - it found Zlob indicated by a
Registry key  
      . .\Explorer\Run   wininet.dll  triggering (guess what?)
dfrgsvr.exe at startup.
This matches Micro$oft's notes about Zlob on their site.

No problem I thought - just let AntiSpy remove the key.
Too easy - in fact every attempt at even manually removing it fails -
it seems to be 'self-repairing'
The dfrgsvr.exe cannot be renamed or deleted - sharing violation -
presumably because it's running.
A request to AntiSpy to 'block' this item at start up is apparently
accepted and it shows an entry in its list as "blocked" but another
'live' entry reappears!

Running the latest Micro$oft Malware Removal Tool does *not* find it.

Run out of ideas!

Anybody killed this successfully?
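The post above describes the Zlob persistence as a value under an `..\Explorer\Run` key whose name is `wininet.dll` but which actually starts `dfrgsrv.exe`. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses a `reg export` of the autostart Run keys and reports the image each value launches, flagging the name/image mismatch the poster ran into. It assumes the key in the post is `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run` (the post shows only the tail of the path), and the `.reg` text it works on is a constructed sample; only the `dfrgsrv.exe` entry mirrors the post, the other two values are made up. The "suspicious" flag is this example's own heuristic, not a rule from any scanner.

```python
# Added example (not code from the thread): parse a `reg export` of the
# autostart Run keys and list what each value launches.
#
# Assumption: the key the post shows as "..\Explorer\Run" is taken to be
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.
# SAMPLE_REG is a constructed .reg excerpt; only the dfrgsrv.exe entry mirrors
# what the post describes, the other two values are made up.
import re
from pathlib import PureWindowsPath

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"wininet.dll"="C:\\WINNT\\system32\\dfrgsrv.exe"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, string_data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key and m.group("data").startswith('"'):
            yield key, _unescape(m.group("name")), _unescape(m.group("data")[1:-1])


def launched_image(command):
    """Return the image a Run command line starts: the first token, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autoruns(text):
    """List Run-key values; flag a value whose name looks like a file but names a different image.

    The flag is this example's own heuristic, based on the mismatch seen in the
    thread (value "wininet.dll" starting dfrgsrv.exe); it is not a rule from any tool.
    """
    rows = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith("\\run"):
            continue
        image = launched_image(data)
        name_stem = PureWindowsPath(name).stem.lower()
        image_stem = PureWindowsPath(image).stem.lower()
        looks_like_file = name.lower().endswith((".exe", ".dll", ".com"))
        rows.append({
            "key": key,
            "name": name,
            "image": image,
            "suspicious": looks_like_file and name_stem != image_stem,
        })
    return rows


if __name__ == "__main__":
    for row in autoruns(SAMPLE_REG):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{flag:10} {row['name']!r:22} -> {row['image']}")
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" run.reg` (and the same for the non-Policies `Run` keys under HKLM and HKCU), run from the affected system since the export reads its live hive; the parser itself is offline. Listing the launched image rather than the value name is the point: the poster's entry hid behind a name that looks like a system DLL.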


Re: Zlob Trojan - Newbie on group - Help please!


| Sorry if this was dealt with recently but this is my first look at
| this group.
|
| Running Win2000 on an Athlon 2000+
| Free ZoneAlarm and AVG *Pro*
|
| First symptom - ZoneAlarm squeaked about dfrgsrv.exe trying to go out
| on the internet.
| What's dfrgsvr I wondered - "svr" sounds dangerous (Defrag Server?)
| I denied the access.
| I found the file dfrgsvr.exe sitting in C:\WINNT\system32.
| Ran Micro$oft AntiSpyware Beta 1 - it found Zlob indicated by a
| Registry key
|       . .\Explorer\Run   wininet.dll  triggering (guess what?)
| dfrgsvr.exe at startup.
| This matches Micro$oft's notes about Zlob on their site.
|
| No problem I thought - just let AntiSpy remove the key.
| Too easy - in fact every attempt at even manually removing it fails -
| it seems to be 'self-repairing'
| The dfrgsvr.exe cannot be renamed or deleted - sharing violation -
| presumably because it's running.
| A request to AntiSpy to 'block' this item at start up is apparently
| accepted and it shows an entry in its list as "blocked" but another
| 'live' entry reappears!
|
| Running the latest Micro$oft Malware Removal Tool does *not* find it.
|
| Run out of ideas!
|
| Anybody killed this successfully?



Two-part reply.

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0.  There are vulnerabilities in them and they are actively being
exploited.

Therefore, it is highly suggested that if there are any versions of Sun Java
prior to Version 5 on the PC, they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et al. removal tool --
SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute;  SmitFraud.exe  { Note: You must accept the default of C:\McAfee }
Choose;   Unzip
Choose;   Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE through
your FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute;  c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated.  At the end of the scan, it
will be displayed in your browser (Opera, FireFox or Internet Explorer).  However,
if you are using WinXP, Win2K or Win2003 your system will be left in a state where
you will have to manually shutdown/reboot the PC.  On Win9x/ME platforms the report
will not be shown in your browser but your PC will automatically be shutdown.  It
is suggested that you move the report out of c:\mcafee before performing another
scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of
the HTML report for each session.


ALTERNATE:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072




Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML  in your reply.

* * *  Please report back your results  * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Zlob Trojan - Newbie on group - Help please!

Many thanks for your comprehensive reply.
I will not have a chance to execute it till tomorrow.

I hope I'm right in thinking  that, as long as ZoneAlarm blocks it
going out, it can't do any real harm.

On Thu, 13 Apr 2006 16:45:25 GMT, "David H. Lipman"



Re: Zlob Trojan - Newbie on group - Help please!


| Many thanks for your comprehensive reply.
| I will not have a chance to execute it till tomorrow.
|
| I hope I'm right in thinking  that, as long as ZoneAlarm blocks it
| going out, it can't do any real harm.
|

It depends on your definition, but the FireWall is blocking any aspects of
sending data "home" or to 3rd parties.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Zlob Trojan - Newbie on group - Help please!

I've had a go . .

Ghosted the partition onto another drive (I use removable caddies) and
tinkered with the copy.

Tried SmitRem.exe  didn't seem to do any good.
Started Disc clean up but got impatient.

What the hell! - it's only a copy - Ran up in Safe mode - *deleted*
dfrgsrv.exe.
Ran up MS AntiSpyware - asked it to delete the 'Run' Registry entry -
it did!
Checked again with Regedit - yes it had gone.

Ran up again in Normal mode - seems OK.

Only negative impact so far is my Desktop icons are nicely arranged in
the  top right hand corner of screen - I can live with that.

Am I kidding myself?
Is it really much more complicated than that?

I will be keeping a careful eye on each re-boot in future (not very
often - stays on for weeks)

Many thanks David for your quick response and effort you put in to
help me - much appreciated.

Now to fix the *real* disk . .




On Thu, 13 Apr 2006 18:04:37 GMT, "David H. Lipman"



Re: Zlob Trojan - Newbie on group - Help please!

More info - I've been trying to figure out  how I got this malware -
realised that the only thing that I had added knowingly recently was
this . .

http://www.media-codec.com/v4/mediacodec-v4.143.exe

I found the path still in the recently accessed (dropdown list in IE)

I still had the actual EXE (I always save them)

I executed this again (on my copy system) and, lo and behold, it set
up the Registry key and put back dfrgsrv.exe again!

AVG didn't notice it originally - nor even when I asked it to
specifically scan the codec EXE.

I am wondering about my previously stated faith in the power of
ZoneAlarm.
Would the malware have tried to phone home in the guise of Explorer
since the Reg Key was associated with that? If so, I might have
allowed it!



On Fri, 14 Apr 2006 09:07:27 GMT, pOTRice



Re: Zlob Trojan - Newbie on group - Help please!


| More info - I've been trying to figure out  how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .

| http://www.media-codec.com/v4/mediacodec-v4.143.exe

| I found the path still in the recently accessed (dropdown list in IE)

| I still had the actual EXE (I always save them)

| I executed this again (on my copy system) and, lo and behold, it set
| up the Registry key and put back dfrgsrv.exe again!

| AVG didn't notice it originally - nor even when I asked it to
| specifically scan the codec EXE.

| I am wondering about my previously stated faith in the power of
| ZoneAlarm.
| Would the malware have tried to phone home in the guise of Explorer
| since the Reg Key was associated with that? If so, I might have
| allowed it!


Yes, these utilities need to clean the LIVE PC to access both the disk files and
the Registry of the affected OS.

What you posted, "mediacodec-v4.143.exe", was another in a series of new variants of
the Zlob Trojan.
Kaspersky 4.0.2.24 04.14.2006 Trojan-Downloader.Win32.Zlob.li

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Zlob Trojan - Newbie on group - Help please!


| More info - I've been trying to figure out  how I got this malware -
| realised that the only thing that I had added knowingly recently was
| this . .

< snip >

BTW:  In the future please obfuscate the URL of a malicious web site such that
newbies will not click on the URL and get infected.

For Example;  hxxp://www.media-codec.com/v4/mediacodec-v4.143.exe


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
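Dave's point above is to post malicious URLs in a form that nobody can click by accident. The functions below are an added example, not code from the thread: `defang` applies the `hxxp` substitution he suggests and additionally brackets the dots in the host name (`www[.]media-codec[.]com`), which keeps newsreaders and web forums from auto-linking the text; `refang` reverses it for anyone who needs the real URL for analysis. The path is left untouched on purpose so a file name like `mediacodec-v4.143.exe` survives intact. Both functions are idempotent.

```python
# Added example (not code from the thread): defang a malicious URL before
# posting it, and refang it again for analysis. "hxxp" is the convention Dave
# proposes above; bracketing the host's dots is the other common convention.
import re

# Accept both live (http/ftp) and already-defanged (hxxp/fxp) schemes.
SCHEME_RE = re.compile(r"^(?P<scheme>h[tx]{2}ps?|f[tx]p)://", re.IGNORECASE)


def _split(url):
    """Return (scheme, host, sep, path); scheme is '' when the URL has none."""
    m = SCHEME_RE.match(url)
    scheme = m.group("scheme").lower() if m else ""
    rest = url[m.end():] if m else url
    host, sep, path = rest.partition("/")
    return scheme, host, sep, path


def defang(url):
    """http -> hxxp, ftp -> fxp, host dots -> [.]; the path is left alone."""
    scheme, host, sep, path = _split(url)
    scheme = scheme.replace("http", "hxxp").replace("ftp", "fxp")
    host = host.replace("[.]", ".").replace(".", "[.]")  # normalise first: idempotent
    return (scheme + "://" if scheme else "") + host + sep + path


def refang(url):
    """Inverse of defang: restore a clickable URL for analysis."""
    scheme, host, sep, path = _split(url)
    scheme = scheme.replace("hxxp", "http").replace("fxp", "ftp")
    host = host.replace("[.]", ".")
    return (scheme + "://" if scheme else "") + host + sep + path


if __name__ == "__main__":
    live = "http://www.media-codec.com/v4/mediacodec-v4.143.exe"
    print(defang(live))
    print(refang(defang(live)) == live)
```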



Re: Zlob Trojan - Newbie on group - Help please!

Sorry to be a pain - I found your comment about "LIVE pc" a bit
ambiguous . .

Have I done all that is needed to rid my PC of Zlob (removing Reg
entry and the EXE it triggers) or do I still need to run the
procedures you recommended?

Thanks for your tip about obfuscating the URL - I'm so paranoid about
my own safety I forgot about the danger I might cause to others.


On Fri, 14 Apr 2006 11:22:47 GMT, "David H. Lipman"



Re: Zlob Trojan - Newbie on group - Help please!


| Sorry to be a pain - I found your comment about "LIVE pc" a bit
| ambiguous . .
|
| Have I done all that is needed to rid my PC of Zlob (removing Reg
| entry and the EXE it triggers) or do I still need to run the
| procedures you recommended?
|
| Thanks for your tip about obfuscating the URL - I'm so paranoid about
| my own safety I forgot about the danger I might cause to others.
|

What I mean by a live PC is booting the affected PC and then running the
utilities on that PC.
Basically, running the PC "live".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Zlob Trojan - Newbie on group - Help please!

I have now carried out the procedures you recommended and here is the
report . .

Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832  LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4741 created Apr 14 2006
Scanning for 186744 viruses, trojans and variants.

--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------

04/14/2006  23:30:59

Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML C:\MCAFEE\NORMAL_SCANREPORT.HTML

Scanning C: [Main]
Scanning C:\*.*
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\LeakTest.exe ... Found potentially unwanted program LeakTest.
        The file or process has been deleted.
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\xpkeys.zip\KEYFIND.EXE\OFFICEKEY.EXE ... Found potentially unwanted program Generic PUP.a.
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\zerocmos.zip\KILLCMOS.COM ... Found the KillCMOS.a trojan !!!
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\zerocmos.zip\DUMPCMOS.COM ... Found potentially unwanted program KillCMOS.h.

Summary report on C:\*.*
File(s)
        Total files: ...........   55422
        Clean: .................   55151
        Possibly Infected: .....       1
        Cleaned: ...............       0
        Deleted: ...............       1
Non-critical Error(s):                 2
Master Boot Record(s): .........       1
        Possibly Infected: .....       0
Boot Sector(s): ................       1
        Possibly Infected: .....       0
Scanning D: [BACKUP]
Scanning D:\*.*
D:0205_256A\LeakTest.exe ... Found potentially unwanted program LeakTest.
        The file or process has been deleted.

Summary report on D:\*.*
File(s)
        Total files: ...........    4544
        Clean: .................    4538
        Possibly Infected: .....       0
        Cleaned: ...............       0
        Deleted: ...............       1
Non-critical Error(s):                 1
Master Boot Record(s): .........       1
        Possibly Infected: .....       0
Boot Sector(s): ................       1
        Possibly Infected: .....       0


Time: 00:31.49

I was disappointed that this did not result in the deletion of the
offending EXE - dfrgsrv. However, it did get rid of the Registry key.

I noticed that it deleted LeakTest which I would have thought should
have been recognised as the well known firewall test program from
the "Shields Up" site.

Is this another example of rivalry between the various Anti-Virus tool
writers?  I remember that Norton insisted that my AVG Pro-protected PC
had no existing virus protection!

Anyway - panic over - many thanks for all your help - I'll be more
careful next time.  It's almost got to the point where you need a
'clone' PC to experiment with before risking the security of your
'real' PC.

pOTRice

On Fri, 14 Apr 2006 12:24:17 GMT, "David H. Lipman"
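
The report in the post above answers the poster's two questions (was dfrgsrv.exe found, and what was actually deleted) only if you read it carefully: four hits on C:, but "Deleted: 1", because the hits inside `.zip` archives were reported and not removed. The script below is an added example, not code from the thread or from McAfee: it parses that report format into per-drive findings and totals so those questions can be asked of the log directly. Its `REPORT` constant is an excerpt of the report on the page with the lines the newsreader wrapped rejoined; the line patterns it matches are taken from that report and nothing else.

```python
# Added example (not code from the thread): parse the McAfee command-line scan
# report posted above into findings and per-drive totals.
import re

# Excerpt of the report on the page, with the lines the newsreader wrapped rejoined.
REPORT = r"""Scanning C: [Main]
Scanning C:\*.*
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\LeakTest.exe ... Found potentially unwanted program LeakTest.
        The file or process has been deleted.
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\xpkeys.zip\KEYFIND.EXE\OFFICEKEY.EXE ... Found potentially unwanted program Generic PUP.a.
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\zerocmos.zip\KILLCMOS.COM ... Found the KillCMOS.a trojan !!!
C:\Documents and Settings\Administrator\My Documents\Installers\USB under DOS\zerocmos.zip\DUMPCMOS.COM ... Found potentially unwanted program KillCMOS.h.

Summary report on C:\*.*
File(s)
        Total files: ...........   55422
        Clean: .................   55151
        Possibly Infected: .....       1
        Cleaned: ...............       0
        Deleted: ...............       1
Scanning D: [BACKUP]
Scanning D:\*.*
D:0205_256A\LeakTest.exe ... Found potentially unwanted program LeakTest.
        The file or process has been deleted.

Summary report on D:\*.*
File(s)
        Total files: ...........    4544
        Clean: .................    4538
        Possibly Infected: .....       0
        Cleaned: ...............       0
        Deleted: ...............       1
"""

DRIVE_RE = re.compile(r"^Scanning (?P<drive>[A-Z]:) \[(?P<label>[^\]]*)\]$")
FOUND_RE = re.compile(
    r"^(?P<path>.+?) \.\.\. Found (?:"
    r"potentially unwanted program (?P<pup>.+?)\.|"
    r"the (?P<trojan>.+?) trojan !!!)$"
)
DELETED_RE = re.compile(r"^\s+The file or process has been deleted\.$")
TOTAL_RE = re.compile(r"^\s+(?P<field>[A-Za-z ()]+?): \.+\s+(?P<n>\d+)$")


def parse_report(text):
    """Return {drive: {"label", "findings": [...], "totals": {...}}} from the report text."""
    drives, cur = {}, None
    for line in text.splitlines():
        m = DRIVE_RE.match(line)
        if m:
            cur = drives.setdefault(
                m.group("drive"), {"label": m.group("label"), "findings": [], "totals": {}})
            continue
        if cur is None:
            continue
        m = FOUND_RE.match(line)
        if m:
            cur["findings"].append({
                "path": m.group("path"),
                "name": m.group("pup") or m.group("trojan"),
                "kind": "pup" if m.group("pup") else "trojan",
                "deleted": False,
            })
            continue
        if DELETED_RE.match(line) and cur["findings"]:
            cur["findings"][-1]["deleted"] = True  # the notice follows its finding
            continue
        m = TOTAL_RE.match(line)
        if m:
            cur["totals"][m.group("field")] = int(m.group("n"))
    return drives


def still_present(drives):
    """Findings the scanner reported but did not delete (here: members of .zip files)."""
    return [f for d in drives.values() for f in d["findings"] if not f["deleted"]]


def mentions(drives, filename):
    """True if any finding's path ends with the given file name (case-insensitive)."""
    fn = filename.lower()
    return any(f["path"].lower().endswith(fn)
               for d in drives.values() for f in d["findings"])


if __name__ == "__main__":
    drives = parse_report(REPORT)
    for drive, info in drives.items():
        print(drive, info["label"], info["totals"])
    for f in still_present(drives):
        print("not removed:", f["kind"], f["name"], f["path"])
    print("dfrgsrv.exe in report:", mentions(drives, "dfrgsrv.exe"))
```

Run against the posted report, `mentions(drives, "dfrgsrv.exe")` is false, which is the poster's own observation; `still_present` returns the three hits inside `xpkeys.zip` and `zerocmos.zip`, including the one the scanner labelled a trojan rather than a PUP, so the "Deleted: 1" counter alone would have been a misleading summary of what is left on the disk.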



Re: Zlob Trojan - Newbie on group - Help please!

<pOTRice> typed:
<snip>

 pOTRice, this was discussed a lot over on the news.grc.com newsserver in
grc.leaktest a while back.
I believe Steve Gibson was going to release an updated version of Leaktest
to prevent this situation.


--
See CoU at least weekly:
http://www.dozleng.com/updates/index.php?&act=calendar
I support the right to arm bears


Re: Zlob Trojan - Newbie on group - Help please!


| I have now carried out the procedures you recommended and here is the
| report . .
|
| Virus Scan Report File
|
|
--------------------------------------------------------------------------------
| Virus Scan Information

< snip >

|
| I was disappointed that this did not result in the deletion of the
| offending EXE - dfrgsrv. However, it did get rid of the Registry key.
|
| I noticed that it deleted LeakTest which I would have thought should
| have been recognised as the well known firewall test program from
| the "Shields Up" site.
|
| Is this another example of rivalry between the various Anti-Virus tool
| writers?  I remember that Norton insisted that my AVG Pro-protected PC
| had no existing virus protection!
|
| Anyway - panic over - many thanks for all your help - I'll be more
| carefull next time.  It's almost got to the point where you need a
| 'clone' PC to experiment with before risking the security of  your
| 'real' PC.
|
| pOTRice
|


The important thing is whether you are still infected with the Zlob Trojan and its
friends and family components.

As for the LeakTest utility...  The McAfee AV scanner is set to a very aggressive
scanning mode to catch not only known viruses and Trojans but also non-viral malware
and "potentially unwanted programs", which could be adware/spyware or could be tools
that can be used in a malicious way.  Some malware use legitimate tools to do
malicious actions.  It is best to scan and remove malware and those that are not
malware but can be used in a malicious way.  This way you can know that you are
"clean".

As for the "clone" concept, yes, that's a good idea.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


