Log files for zlog virus causing pop-ups and fake spyware icons

Status
Not open for further replies.
Hi, I followed the instructions from another thread to get rid of a virus that was causing my PC to have popups including "Security Warning! Worm.win32.netsky detected on your machine ..." and "Windows has detected an internet attack attempt ...". The new icons that appeared on my desktop were "error cleaner", "spyware&malware protection" and "Privacy protector". Internet Explorer also launched itself several times.

I have followed the 15 steps found in another thread which included downloading several programs such as AVG Antispyware, SS&D, Combofix, CCleaner, Combofix, SmitfraudFix, and ending with running Hijackthis.

I was optimistic that I had successfully gotten rid of this virus, however, as I am typing this message, different but similar pop-ups came up and also launched internet explorer. One site that was launched was "mediasmegaportal.com". One popup is "Notice: your system is not optimized and your computer performance is not at the highest level." ... "would you like to install SystemErrorFixer to optimize your computer's performance now for free?"

I am attaching the log files for HijackThis (I initially accidentally ran HijackThis under the original name and then again using the changed name 'Crusty'). I am also attaching the AVG Antispyware log and the Combofix log. I don't remember the exact wording on the Panda Antirootkit scan results, however, it indicated that no negative ones were found.

Also, my computer seems to be running slower after downloading, installing, and running all this software than it did before (I don't know if the virus is just getting worse or if this is due to more programs running automatically in the background).

I am frustrated that after going through this time consuming process, the problem doesn't seem to be resolved and am anxious for any further help you might be able to provide. Thank you very much.
 
Hi,

You have posted the wrong ComboFix file. You should post the ComboFix.txt log file instead.

Meanwhile, fix these entries in HijackThis and also post a new log from HijackThis.

O2 - BHO: SXG Advisor - {8D93C595-DA51-48D5-AB81-BD26953427A4} - C:\WINDOWS\dopfwrllwr.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: The egodktf - {8D911181-10AA-4B3E-BC7F-8D4AD359921B} - C:\WINDOWS\egodktf.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O21 - SSODL: aslpmqk - {8696DF7F-0328-4366-944C-6C034AD12D8C} - C:\WINDOWS\aslpmqk.dll
O21 - SSODL: bxsnvqt - {F9F187D1-D384-4E58-A70A-8000FFCC057F} - C:\WINDOWS\bxsnvqt.dll (file missing)


Regards,
momok
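The six HijackThis lines above are the whole case in miniature: components registered in the browser's BHO and Toolbar keys and in ShellServiceObjectDelayLoad, most pointing at files that no longer exist, plus one live DLL with a random name sitting directly in C:\WINDOWS. As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script that parses O2/O3/O21 lines and says why each one deserves a "Fix checked". The sample log is constructed from the entries quoted above plus one benign control entry with a placeholder CLSID; the "random-looking name" and "live SSODL" rules are my own heuristics, not HijackThis logic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the entries quoted in this thread plus one benign-looking
# control line (placeholder CLSID and path, not a real product).
SAMPLE_HJT = """\
O2 - BHO: SXG Advisor - {8D93C595-DA51-48D5-AB81-BD26953427A4} - C:\\WINDOWS\\dopfwrllwr.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: The egodktf - {8D911181-10AA-4B3E-BC7F-8D4AD359921B} - C:\\WINDOWS\\egodktf.dll (file missing)
O21 - SSODL: aslpmqk - {8696DF7F-0328-4366-944C-6C034AD12D8C} - C:\\WINDOWS\\aslpmqk.dll
O21 - SSODL: bxsnvqt - {F9F187D1-D384-4E58-A70A-8000FFCC057F} - C:\\WINDOWS\\bxsnvqt.dll (file missing)
O2 - BHO: Example PDF Link Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\ActiveX\\ExampleHelper.dll
"""

# Only the three line types discussed in the thread; anything else returns None.
LINE_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>BHO|Toolbar|SSODL): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<tail>.*)$"
)


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: str
    path: Optional[str]   # None when HijackThis prints "(no file)"
    file_missing: bool    # "(no file)" or "(file missing)"


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tail = m.group("tail").strip()
    if tail == "(no file)":
        path, missing = None, True
    elif tail.endswith(" (file missing)"):
        path, missing = tail[: -len(" (file missing)")], True
    else:
        path, missing = tail, False
    return Entry(m.group("section"), m.group("kind"), m.group("name"),
                 m.group("clsid").upper(), path, missing)


VOWELS = set("aeiou")


def looks_random(stem):
    """Heuristic (assumption): 6-12 lowercase letters with under 30% vowels,
    the shape of 'aslpmqk', 'bxsnvqt', 'egodktf', 'dopfwrllwr'."""
    if not re.fullmatch(r"[a-z]{6,12}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def triage(entry):
    """Reasons this entry deserves a 'Fix checked'; an empty list means leave it."""
    reasons = []
    if entry.file_missing:
        reasons.append("orphaned registration: the referenced file is gone")
    if entry.path:
        m = re.match(r"(?i)^c:\\windows\\([^\\]+)\.(dll|exe)$", entry.path)
        if m and looks_random(m.group(1).lower()):
            reasons.append("random-named module dropped directly in C:\\WINDOWS")
    if entry.kind == "SSODL" and not entry.file_missing:
        # ShellServiceObjectDelayLoad is loaded by explorer.exe at every logon;
        # outside a handful of Microsoft entries, third-party names are suspect.
        reasons.append("live SSODL autostart: loaded by explorer.exe at logon")
    return reasons


def triage_log(text):
    """Return (clsid, path, reasons) for every parsed line that has a reason."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        r = triage(e)
        if r:
            findings.append((e.clsid, e.path, r))
    return findings


if __name__ == "__main__":
    for clsid, path, reasons in triage_log(SAMPLE_HJT):
        print(clsid, path, "->", "; ".join(reasons))
```

Note what "(file missing)" does and does not tell you: it only means the path registered under that CLSID did not exist at scan time, so fixing the entry removes a dead registration. The live aslpmqk entry is the one that still matters: removing the O21 line stops Explorer from loading it, but the DLL itself stays on disk until something deletes it, which is what the later ComboFix script in this thread does.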
 
Thank you. Here are the ComboFix and new HijackThis logs.

Thank you for your prompt assistance. I don't know that it matters, but the Yahoo toolbar is something that was recently added (either through the virus or through the other recent software downloads, but I didn't add it intentionally).

Anyway, I look forward to hearing from you.
 
Hi,

You may wish to copy and paste these instructions into Notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O21 - SSODL: aslpmqk - {419ABA31-53D0-43B0-AA36-DBC4A381E167} - C:\WINDOWS\aslpmqk.dll
    Close HJT.

  4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\aslpmqk.dll
    C:\WINDOWS\fknxwqf.exe
    C:\WINDOWS\dopfwrllwr.dll
    C:\WINDOWS\Temp\CTun.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D93C595-DA51-48D5-AB81-BD26953427A4}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    [-HKEY_CLASSES_ROOT\clsid\{8d911181-10aa-4b3e-bc7f-8d4ad359921b}]
    [-HKEY_CLASSES_ROOT\egodktf.ToolBar.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{BE255065-0B7F-4664-97FF-5D673600A858}]
    [-HKEY_CLASSES_ROOT\egodktf.ToolBar]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    aslpmqk=-
    bxsnvqt=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uninstall_CToolbar]
  5. Save this as CFScript on the desktop.
  6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    (image: CFScript.gif)

  7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

  8. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of getdal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
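Before dragging a CFScript onto ComboFix it is worth knowing exactly what each line will do, because the Registry:: section uses regedit-style syntax in which one character decides whether a whole key or a single value goes. As an added example (not part of this thread and not ComboFix's own code), the following Python dry-run translates the script above into a list of intended actions and flags key deletions that are broader than a single CLSID. The script text is reproduced from the post as constructed sample data; the directive semantics (File:: deletes each path, `[-KEY]` deletes the key, `[KEY]` followed by `name=-` deletes that value) are stated as assumptions, and any other directive is reported as unsupported rather than guessed.

```python
import re

# Constructed sample: the CFScript quoted in this thread, reproduced as data.
SAMPLE_CFSCRIPT = """\
File::
C:\\WINDOWS\\aslpmqk.dll
C:\\WINDOWS\\fknxwqf.exe
C:\\WINDOWS\\dopfwrllwr.dll
C:\\WINDOWS\\Temp\\CTun.exe
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{8D93C595-DA51-48D5-AB81-BD26953427A4}]
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]
[-HKEY_CLASSES_ROOT\\clsid\\{8d911181-10aa-4b3e-bc7f-8d4ad359921b}]
[-HKEY_CLASSES_ROOT\\egodktf.ToolBar.1]
[-HKEY_CLASSES_ROOT\\TypeLib\\{BE255065-0B7F-4664-97FF-5D673600A858}]
[-HKEY_CLASSES_ROOT\\egodktf.ToolBar]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad]
aslpmqk=-
bxsnvqt=-
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Uninstall_CToolbar]
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_cfscript(text):
    """Translate File:: and Registry:: directives into (action, target) tuples.

    Assumed semantics (regedit-style, as used in the script above):
      File::      each following path is deleted
      Registry::  [-KEY] deletes the key; [KEY] selects it; name=- deletes a value in it
    Other directives are reported as 'unsupported-directive', not interpreted.
    """
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2]
            current_key = None
            if section not in ("File", "Registry"):
                actions.append(("unsupported-directive", section))
            continue
        if section == "File":
            actions.append(("delete-file", line))
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete-key", line[2:-1]))
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif line.endswith("=-") and current_key:
                actions.append(("delete-value", current_key + "\\" + line[:-2]))
            else:
                actions.append(("unparsed", line))
        elif section is not None:
            actions.append(("unsupported-line", line))
    return actions


def broad_key_deletes(actions):
    """Key deletions not narrowed to one CLSID or ProgID.

    Heuristic (an assumption of this example): a delete-key whose path has no
    CLSID and ends in a shared container name removes every registration
    under it, not just the rogue one, so it deserves a second look.
    """
    shared_tails = ("\\toolbar", "\\browser helper objects",
                    "\\shellserviceobjectdelayload")
    return [t for a, t in actions
            if a == "delete-key" and not CLSID_RE.search(t)
            and t.lower().endswith(shared_tails)]


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for action, target in plan:
        print(f"{action:14} {target}")
    for key in broad_key_deletes(plan):
        print("BROAD:", key)
```

Run against the script above, the dry-run lists four file deletions, seven key deletions and two value deletions, and flags one key as broad: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar`, which removes every toolbar registration rather than only the egodktf one. In this thread that is harmless, since the only other toolbar present (Yahoo!) already shows "(no file)", but on a machine with a toolbar the user wants to keep you would replace that line with per-CLSID deletions.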
 
Hi,

Please download and run CCleaner via step 9 of the instructions HERE.

Your AVG log shows 'no action taken' for all items. Please run a scan again and change the default actions to "quarantine" for all. After performing the actions, save the report log and post it back here.

Also, your hijackthis log is from safe mode. I requested one from normal mode, so please post that in your next reply.


Regards,
momok =)
 
Here ya go...

Ran CCleaner.

Am including the AVG log even though it still says no action taken. I DO have default set to quarantine under scan and what action to take. Why is it not automatically quarantining? Is there some other setting I need to check? I tried to find one, but couldn't. Also am including my hijackthis log. Thank you again.
 
Hi,

No worries about AVG. Those files are just a bunch of infected system restore points that we will fix in this final step.
Your other logs look clean now.

  1. Please download and run CCleaner via step 9 of the instructions HERE.

  2. Delete all the contents of C:\QooBox and AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

  3. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  4. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)
 
I had this too and I fixed it by running SmitfraudFix.
I ran my computer in safe mode, then I searched and cleaned and then restarted in normal mode. I then did something else which I can't remember what is called but is num 3 on the list (type 3 then hit enter).
This fixed my whole computer of this virus.
I don't know if you have a new version of the virus or something that is resistant to SmitfraudFix,
but it worked for me and maybe if you tried it again it would work for you.
 
Note: The user's logs are already clean, and he does not appear to be facing any problems so far.
 