Help w/ Trojans -- Vundo & Downloader.Zlob

By ohanatribe
Apr 3, 2009
  1. I loaned my laptop to a friend for a few days. Afterwards it wasn't running right and before long I got all sorts of popups, virus alerts, and other quirky things going on. I started working on it a few days ago but it's giving me a good fight.

    When I first started I couldn't even access the internet, now that's fixed.
    McAfee was completely disabled -- the resident protection was off and would not turn on, it would not scan or update either. I removed it completely and replaced it with the free version of AVG 8.

    I have followed the 8 steps, with the exception of running HijackThis. I have used this program successfully in the past but not since this infection occurred because I read that some versions of Vundo (Virtumonde) will cause a complete system crash if you go into Safe Mode after running HijackThis... since I am not sure that Vundo has been completely removed yet and since I am switching in and out of Safe Mode, I am concerned about using HijackThis. Any suggestions?

    In the course of the past three days, various tools have said that I'm infected with: InternetGameBox, Vundo, Downloader, Downloader.Zlob, spoolsv.exe, several "unclassified" trojans, FakeAlert, Generic12, a CoolWeb variant, and HackTool.

    What I've already done:

    * AVG -- two full scans. Finds stuff but doesn't fix it (log below).

    * Sophos AntiRootkit -- found stuff but I don't know what good it did. It has a very simple interface and I can't find any evidence of a log that I could post here.

    * SmitfraudFix -- I've run this several times per the instructions (performing the cleaning step in safe mode) and it appears to always find something, but I can't tell what, if anything, it's actually helping to eliminate.

    * VundoFix -- identified several items, then nothing on the 2nd or 3rd scan, but Vundo has appeared in other scan tools used since.

    * CWShredder -- found one item originally, nothing in subsequent scans.

    * CCleaner -- ran it several times; it now comes back with a clean analysis.

    * Malwarebytes -- ran full scan 3 times, in both normal and safe mode. It found a bunch of things the 1st time but nothing since.

    * SUPERAntiSpyware -- found several items the first scan, a few more the second scan, nothing since.

    Continuing Issues:

    AVG gives me popup warnings every few minutes about an infection of downloader.Zlob in C:\windows\system32\mswsock32.dll -- clicking "heal" or "move to vault" does nothing, it just pops up again later. Running a full, updated scan on AVG hasn't helped. It finds things but it's clearly not fixing them.

    I am having a major problem with Firefox -- clicking on links or buttons doesn't work, even after a reinstall. Also, my desktop background and start page on IE have changed several times.

    Spybot isn't working. I have run this several times, but after the scan is complete it locks up and won't proceed to the "fix" screen. I end up having to reboot. I've tried reinstalling, updating, and running in normal and safe mode with the same results.

    I can't disable my network connection. It says "It is not possible to disable the connection at this time". I've tried repairing the connection, flashing the registry settings, and manipulating the administrator privileges but nothing has fixed this.

    The computer is running very slow, and at times it seems like the hard drive is being accessed constantly although I cannot find anything running.

    ***I'm not sure what logs to post because everything is coming back clean, with the exception of AVG.***

    Results of the latest AVG scan, 3 entries:

    - - - - -
    File: C:\windows\system32\mswsock32.dll
    Infection: Trojan Horse Downloader.Zlob_r.EQ
    Result: Infected

    File: C:\windows\system32\mswsock32.dll
    Infection: Trojan Horse Downloader.Zlob_r.EQ
    Result: Moved to Virus Vault

    File: C:\windows\system32\svchost.exe (1224)
    Infection: Trojan Horse Downloader.Zlob_r.EQ
    Result: Reboot is required to finish the action
    - - - - -

    Of course I rebooted but when Windows loaded I immediately got another popup from AVG about a downloader.zlob infection.

    Any help would be gratefully appreciated!
  2. ohanatribe (TS Rookie, Topic Starter)

    Progress, maybe?

    I decided to run HijackThis anyway despite my concerns. The first log file is attached. I selected several things to fix and it popped up a message saying that it could not fix O10 (the mswsock32.dll) and to try LSPFix. I downloaded this, ran it and chose to remove the offending dll.

    I ran HJT again and the mswsock32 entry is gone now (second log attached), and I am no longer getting the AVG popups warning me about infections. Am I clear?

    For good measure, I'm going to run Adaware and will post the results of that. I'm also going to see if Spybot will work now.

    **EDITED to add:**
    Not an hour later and AVG has once again reported an infected mswsock32.dll -- I am running most of the tools again and will post logs if anything shows up. If someone could look at my HijackThis logs and offer advice in the meantime, I'd much appreciate it. Thanks!
  3. ohanatribe (TS Rookie, Topic Starter)

    Ran SmitfraudFix, ComboFix and then HJT again. Logs attached.
  4. gguerra (TS Maniac, Posts: 317)
