Trojan/virus/hijack problem

Iceman

Since your long question calls for a long answer, I will simply refer you
to this thread:
http://groups.google.com/group/micr...&q=www.needupdate.com&rnum=2#c748c27fb6239635

Your shorter link is: http://tinyurl.com/c2456
 
Guest

Hi,
I'm on XP Pro, use Norton AntiVirus 2006 and use IE for internet connection.

The problem is, a couple of days ago, my antivirus programme found
trojan.zlob.d on my laptop. However, it couldn't fully resolve it and said it
would quarantine it.
(The second last virus it found was trojan.spaxe but this was deleted so I
don't think it's the cause of the problem.)

I've been having problems since, as my home page has been hijacked to
www.needupdate.com where it tells me my PC is under control of remote
computer 227.4.167.118 and that it is accessing Windows; Program
Files\Internet Explorer; My Documents and C:\ files.
It says I should click to download official anti-spyware software (which I
haven't done).

I have since run Norton but it can't detect a virus now.
I've also tried avast, which didn't find anything.

I've tried deleting nvctrl.exe in Registry Editor, as I've seen on the Norton
website that related viruses of zlob.d, i.e. versions e, f and g, create this
value in the registry to run every time I start IE.
I delete this value but as soon as I come back I find it there again.
I've even tried deleting it with my computer in Safe Mode but it reappears
as soon as I start the internet (in normal mode).

There is wininet.dll in the same part of the registry but I don't know if it's
safe or not.

I also read that trojan.zlob creates or copies a file called
mssearchnet.exe, I think. I searched my PC and I DO have this file/folder but
don't know if it's safe to delete or not.

I eventually turned to Microsoft's Microsoft did find 3 viruses and 7 files
infected; it resolved 6 of the files but the 7th wasn't and I still have 1
virus according to Microsoft, which is JS/loop I think.

I am having a terrible Xmas because of this problem and if someone can cheer me
up with a solution it would be very appreciated.

I am not techy so please put things in 1, 2, 3 steps!

Sorry for the long question but I was trying to be as specific as possible.

Thanks in advance...
 
David H. Lipman

From: "far22" <[email protected]>

| Hi,
| I'm on XP Pro, use Norton AntiVirus 2006 and use IE for internet connection.
|
| The problem is, a couple of days ago, my antivirus programme found
| trojan.zlob.d on my laptop. However, it couldn't fully resolve it and said it
| would quarantine it.
| (The second last virus it found was trojan.spaxe but this was deleted so I
| don't think it's the cause of the problem.)
|
| I've been having problems since, as my home page has been hijacked to
| www.needupdate.com where it tells me my PC is under control of remote
| computer 227.4.167.118 and that it is accessing Windows; Program
| Files\Internet Explorer; My Documents and C:\ files.
| It says I should click to download official anti-spyware software (which I
| haven't done).
|
| I have since run Norton but it can't detect a virus now.
| I've also tried avast, which didn't find anything.
|
| I've tried deleting nvctrl.exe in Registry Editor, as I've seen on the Norton
| website that related viruses of zlob.d, i.e. versions e, f and g, create this
| value in the registry to run every time I start IE.
| I delete this value but as soon as I come back I find it there again.
| I've even tried deleting it with my computer in Safe Mode but it reappears
| as soon as I start the internet (in normal mode).
|
| There is wininet.dll in the same part of the registry but I don't know if it's
| safe or not.
|
| I also read that trojan.zlob creates or copies a file called
| mssearchnet.exe, I think. I searched my PC and I DO have this file/folder but
| don't know if it's safe to delete or not.
|
| I eventually turned to Microsoft's Microsoft did find 3 viruses and 7 files
| infected; it resolved 6 of the files but the 7th wasn't and I still have 1
| virus according to Microsoft, which is JS/loop I think.
|
| I am having a terrible Xmas because of this problem and if someone can cheer me
| up with a solution it would be very appreciated.
|
| I am not techy so please put things in 1, 2, 3 steps!
|
| Sorry for the long question but I was trying to be as specific as possible.
|
| Thanks in advance...

Two part reply..

Perform Part 1 and then perform Part 2.

Use the alternate if the first two parts are ineffective...
Note: Alternate only for Win2K, WinXP and Win2003 Server

Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

Alternate:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
Guest

You guys are the best!!!!!!!!!!!!!!!!!

It's not being hijacked anymore!!

However, I still do have a blank blue background and the toolbar on the
bottom is white and it basically sort of looks like the one in Safe Mode.

Should I be worried???

How can I reset to normal settings!?

ONCE AGAIN THANKS VERY MUCH!! YOU'VE MADE MY CHRISTMAS MERRY!!!

And do I need to run the McAfee more often!?
 
David H. Lipman

From: "far22" <[email protected]>

| You guys are the best!!!!!!!!!!!!!!!!!
|
| It's not being hijacked anymore!!
|
| However, I still do have a blank blue background and the toolbar on the
| bottom is white and it basically sort of looks like the one in Safe Mode.
|
| Should I be worried???
|
| How can I reset to normal settings!?
|
| ONCE AGAIN THANKS VERY MUCH!! YOU'VE MADE MY CHRISTMAS MERRY!!!
|
| And do I need to run the McAfee more often!?
|


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

You should just be able to change the background picture and colour by right clicking on the
DeskTop and choosing "Properties".

The WinFixerFix is a specific tool for the type of malware you had. Once the malware is
removed you can delete the c:\mcafee folder (that is after you post the contents of the HTML
log file).

For AV scans on a regular basis I have another tool that includes McAfee as well as Trend
Micro, Sophos and Kaspersky scanners.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Guest

Virus Scan Report File



Virus Scan Information


McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4658 created Dec 23 2005
Scanning for 167703 viruses, trojans and variants.



Virus Scan Results


12/25/2005 17:41:09


Options:
/ADL
/UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL /PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\Program Files\Internet Explorer\BTopenworld SignUp\btwebcontrol.dll ... Found potentially unwanted program Generic PUP.a.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 284425
Clean: ................. 284374
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 01:22.06



Visit the McAfee Online Web Site
Need some help or advice? Send email to Technical Support.

Think this was all the log.

So what about getting the taskbar on the bottom to the normal blue colour??

 
David H. Lipman

From: "far22" <[email protected]>

| Virus Scan Report File
|

< log snipped >

Nice clean report ! Was that the initial Normal Mode scan or a subsequent Safe Mode scan
result ?
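
Added example (not part of any post in this thread): a small Python parser for the report layout pasted above. It pulls out each detection with the action taken and the per-section counters, then lists anything that keeps the report from being fully clean. The sample text is abridged from the posted log; the follow-up criteria, including treating only a "deleted" action line as resolved, are this example's assumptions.

```python
import re
# Constructed sample, abridged from the report format posted in this thread.
SAMPLE = r"""Scanning C:\*.*
C:\Program Files\Internet Explorer\BTopenworld SignUp\btwebcontrol.dll ... Found potentially unwanted program Generic PUP.a.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 284425
Clean: ................. 284374
Possibly Infected: ..... 0
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
"""

DETECTION = re.compile(r"^(?P<path>.+?) \.\.\. Found (?P<what>.+?)\.?$")
COUNTER = re.compile(r"^(?P<name>[A-Za-z][A-Za-z() -]*):\s*\.*\s*(?P<n>\d+)$")
SECTIONS = ("Master Boot Record(s)", "Boot Sector(s)")

def parse_report(text):
    """Return (detections, counters); the action is read from the line after a hit."""
    lines = [ln.strip() for ln in text.splitlines()]
    detections, counters, section = [], {}, None
    for i, line in enumerate(lines):
        if (m := DETECTION.match(line)):
            action = lines[i + 1] if i + 1 < len(lines) else ""
            detections.append({"path": m["path"], "what": m["what"], "action": action})
        elif line == "File(s)":
            section = line
        elif (m := COUNTER.match(line)):
            if m["name"] in SECTIONS:      # "Possibly Infected" repeats per section
                section = m["name"]
            counters[(section, m["name"])] = int(m["n"])
    return detections, counters

def follow_up(detections, counters):
    """List reasons the report is not fully clean (this example's own criteria)."""
    reasons = [f"unresolved: {d['path']}" for d in detections
               if "deleted" not in d["action"].lower()]
    reasons += [f"{n} possibly infected in {s}" for (s, name), n in counters.items()
                if name == "Possibly Infected" and n > 0]
    if any(name == "Non-critical Error(s)" and n for (_, name), n in counters.items()):
        reasons.append("non-critical errors reported")
    return reasons
```

On the sample, the single detection is marked resolved and the only remaining item is the non-critical error count, which the report does not attribute to a file.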
 
Guest

Scan in Safe Mode didn't start because it said some files were missing, I think.
Eventually scanned in Normal, and I think IE was running at the time.

Internet seems to be working OK, though I think a tad bit slower!

Is switching to McAfee from Norton the way forward!?
 
David H. Lipman

From: "far22" <[email protected]>

| Scan in Safe Mode didn't start because it said some files were missing, I think.
| Eventually scanned in Normal, and I think IE was running at the time.
|
| Internet seems to be working OK, though I think a tad bit slower!
|
| Is switching to McAfee from Norton the way forward!?
|

Neither the retail McAfee nor Norton (Norton AV is retail, and Symantec AV is corporate) will
make you happy.

Kaspersky and NOD32, in that order, are my suggested AV software.
 
