Zlob Trojan - Newbie on group - Help please!
in [Anti-Virus]
|
From: pOTRice on 13 Apr 2006 11:55 Sorry if this was dealt with recently but this is my first look at this group. Running WIn2000 on an Althlon 2000+ Free ZoneAlarm and AVG *Pro* First symptom - ZoneAlarm squeeked about dfrgsrv.exe trying to go out on the internet. What's dfrgsvr I wondered - "svr" sounds dangerous (Defrag Server?) I denied the access. I found the file dfrgsvr.exe sitting in C:\WINNT\system32. Ran Micro$oft AntiSpyware Beta 1 - it found Zlob indicated by a Registry key . .\Explorer\Run wininet.dll triggering (guess what?) dfrgsvr.exe at startup. This matches Micro$oft's notes about Zlob on their site. No problem I thought - just let AntiSpy remove the key. Too easy - in fact every attempt at even manually removing it fails - it seems to be 'self-repairing' The dfrgsvr.exe cannot be renamed or deleted - sharing violation - presumable because it's running. A request to AntiSpy to 'block' this item at start up is apparently accepted and it shows an entry in its list as "blocked" but another 'live' entry reappears! Running the latest Micro$oft Malware Removal Tool does *not* find it. Run out of ideas! Anybody killed this successfully?
From: David H. Lipman on 13 Apr 2006 12:45 From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com> | Sorry if this was dealt with recently but this is my first look at | this group. | | Running WIn2000 on an Althlon 2000+ | Free ZoneAlarm and AVG *Pro* | | First symptom - ZoneAlarm squeeked about dfrgsrv.exe trying to go out | on the internet. | What's dfrgsvr I wondered - "svr" sounds dangerous (Defrag Server?) | I denied the access. | I found the file dfrgsvr.exe sitting in C:\WINNT\system32. | Ran Micro$oft AntiSpyware Beta 1 - it found Zlob indicated by a | Registry key | . .\Explorer\Run wininet.dll triggering (guess what?) | dfrgsvr.exe at startup. | This matches Micro$oft's notes about Zlob on their site. | | No problem I thought - just let AntiSpy remove the key. | Too easy - in fact every attempt at even manually removing it fails - | it seems to be 'self-repairing' | The dfrgsvr.exe cannot be renamed or deleted - sharing violation - | presumable because it's running. | A request to AntiSpy to 'block' this item at start up is apparently | accepted and it shows an entry in its list as "blocked" but another | 'live' entry reappears! | | Running the latest Micro$oft Malware Removal Tool does *not* find it. | | Run out of ideas! | | Anybody killed this successfully? Two part reply.. Perform Part 1 then perform Part 2. If the first two parts don't work, perform the alternate utility. It is suggested that you execute each tool in Normal Mode then in Safe Mode. If you are using any version of Sun Java that is prior to JRE Version 5.0, then you are strongly urged to remove any/all versions that are prior to JRE Version 5.0. There are vulnerabilities in them and they are actively being exploited. Therefore, it is highly suggested that if there are any prior versions of Sun Java to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6 be installed ASAP. http://www.java.com/en/download/manual.jsp Part 1 ----------- Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool -- SmitRem.exe http://noahdfear.geekstogo.com/click%20counter/click.php?id=1 http://www.bleepingcomputer.com/forums/topic43659.html Part 2 ----------- Download SmitFraud.exe from the URL -- http://www.ik-cs.com/programs/virtools/SmitFraud.exe Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee } Choose; Unzip Choose; Close NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to enable WGET.EXE to download the needed McAfee related files. Execute; c:\mcafee\clean.bat { or Double-click on 'Clean Link' in c:\mcafee } A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser but your PC will automatically be shutdown. It is suggested that you move the report out of c:\mcafee before performing another scan. It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML report for each session. ALTERNATE: Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool. http://secured2k.home.comcast.net/tools/AntiPuper.exe http://forums.mcafeehelp.com/viewtopic.php?t=65072 Please Copy and Paste the contents of the HTML Log files; C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply. * * * Please report back your results * * * -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
From: pOTRice on 13 Apr 2006 14:02 Many thanks for your comprehensive reply. I will not have a chance to execute it till tomorrow. I hope I'm right in thinking that, as long as ZoneAlarm blocks it going out, it can't do any real harm. On Thu, 13 Apr 2006 16:45:25 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote: >From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com> > >| Sorry if this was dealt with recently but this is my first look at >| this group. >| >| Running WIn2000 on an Althlon 2000+ >| Free ZoneAlarm and AVG *Pro* >| >| First symptom - ZoneAlarm squeeked about dfrgsrv.exe trying to go out >| on the internet. >| What's dfrgsvr I wondered - "svr" sounds dangerous (Defrag Server?) >| I denied the access. >| I found the file dfrgsvr.exe sitting in C:\WINNT\system32. >| Ran Micro$oft AntiSpyware Beta 1 - it found Zlob indicated by a >| Registry key >| . .\Explorer\Run wininet.dll triggering (guess what?) >| dfrgsvr.exe at startup. >| This matches Micro$oft's notes about Zlob on their site. >| >| No problem I thought - just let AntiSpy remove the key. >| Too easy - in fact every attempt at even manually removing it fails - >| it seems to be 'self-repairing' >| The dfrgsvr.exe cannot be renamed or deleted - sharing violation - >| presumable because it's running. >| A request to AntiSpy to 'block' this item at start up is apparently >| accepted and it shows an entry in its list as "blocked" but another >| 'live' entry reappears! >| >| Running the latest Micro$oft Malware Removal Tool does *not* find it. >| >| Run out of ideas! >| >| Anybody killed this successfully? > > > >Two part reply.. > >Perform Part 1 then perform Part 2. > >If the first two parts don't work, perform the alternate utility. > >It is suggested that you execute each tool in Normal Mode then in Safe Mode. > >If you are using any version of Sun Java that is prior to JRE Version 5.0, >then you are strongly urged to remove any/all versions that are prior to JRE >Version 5.0. There are vulnerabilities in them and they are actively being exploited. > >Therefore, it is highly suggested that if there are any prior versions of Sun Java >to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6 >be installed ASAP. > >http://www.java.com/en/download/manual.jsp > > > >Part 1 >----------- > >Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool -- SmitRem.exe >http://noahdfear.geekstogo.com/click%20counter/click.php?id=1 > >http://www.bleepingcomputer.com/forums/topic43659.html > > >Part 2 >----------- > >Download SmitFraud.exe from the URL -- >http://www.ik-cs.com/programs/virtools/SmitFraud.exe > >Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee } >Choose; Unzip >Choose; Close > >NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your >FireWall to enable WGET.EXE to download the needed McAfee related files. > >Execute; c:\mcafee\clean.bat >{ or Double-click on 'Clean Link' in c:\mcafee } > >A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or >C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be >displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using >WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually >shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser >but your PC will automatically be shutdown. It is suggested that you move the report out of >c:\mcafee before performing another scan. > >It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML >report for each session. > > >ALTERNATE: > >Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool. > >http://secured2k.home.comcast.net/tools/AntiPuper.exe > >http://forums.mcafeehelp.com/viewtopic.php?t=65072 > > > > >Please Copy and Paste the contents of the HTML Log files; >C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply. > >* * * Please report back your results * * *
From: David H. Lipman on 13 Apr 2006 14:04 From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com> | Many thanks for your comprehensive reply. | I will not have a chance to execute it till tomorrow. | | I hope I'm right in thinking that, as long as ZoneAlarm blocks it | going out, it can't do any real harm. | It depends on your definition but the FireWall is blocking any aspects of sending data "home" or to 3rd parties. -- Dave http://www.claymania.com/removal-trojan-adware.html http://www.ik-cs.com/got-a-virus.htm
From: pOTRice on 14 Apr 2006 05:07 I've had a go . . Ghosted the partition onto another drive (I use removable caddies) and tinkered with the copy. Tried SmitRem.exe didn't seem to do any good. Started Disc clean up but got impatient. What the hell! - it's only a copy - Ran up in Safe mode - *deleted* dfrgsrv.exe. Ran up MS AntiSpyware - asked it to delete the 'Run' Registry entry - it did! Checked again with Regedit - yes it had gone. Ran up again in Normal mode - seems OK. Only negative impact so far is my Desktop icons are nicely arranged in the top right hand corner of screen - I can live with that. Am I kidding myself? Is it really much more complicated than that? I will be keeping a careful eye on each re-boot in future (not very often - stays on for weeks) Many thanks David for your quick response and effort you put in to help me - much appreciated. Now to fix the *real* disk . . On Thu, 13 Apr 2006 18:04:37 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote: >From: "pOTRice" <potriceReMoVe(a)tHiSboltblue.com> > >| Many thanks for your comprehensive reply. >| I will not have a chance to execute it till tomorrow. >| >| I hope I'm right in thinking that, as long as ZoneAlarm blocks it >| going out, it can't do any real harm. >| > >It depends on your definition but the FireWall is blocking any aspects of sending data >"home" or to 3rd parties.
|
Next
|
Last
Pages: 1 2 3 4 Prev: AVG Uninstall/Install Problem Next: What is this, (TR/Dldr.small.cml.7) |