System Error! Zlob Trojan! $@&*

[Prettiful2u]

Hey!!!

My name is Felicia. I have been trying to remove this Zlob thingy off my computer for almost two days now!!! I would tell you all the things I have tried to do to remove this **CRAP** from my computer but I wont waste my time. Any help whatsoever is very much appreciated!!!

Exact error message [i have been lucky enough to not get any of the balloons and junk im am reading about in other forums]:

Anywho I went to the live chat thing and had the pleasure of speaking to Jeff!!!

He directed me to run the Highjackthis and post it thingy and **here i be**!!!

This is the log file!!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:32:09 PM, on 4/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

E:\WINDOWS\system32\bgsvcgen.exe

E:\WINDOWS\eHome\ehRecvr.exe

E:\WINDOWS\eHome\ehSched.exe

E:\Program Files\Common Files\Motive\McciCMService.exe

E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

e:\program files\common files\mcafee\mna\mcnasvc.exe

e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

E:\Program Files\McAfee\MPF\MPFSrv.exe

E:\Program Files\McAfee\MSK\MskSrver.exe

E:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe

E:\Program Files\SiteAdvisor\6253\SAService.exe

E:\WINDOWS\system32\svchost.exe

E:\Program Files\Viewpoint\Common\ViewpointService.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\system32\dllhost.exe

E:\WINDOWS\Explorer.EXE

e:\PROGRA~1\mcafee.com\agent\mcagent.exe

E:\Program Files\AIM\AIM Pro\aimpro.exe

E:\Program Files\SiteAdvisor\6253\SiteAdv.exe

E:\PROGRA~1\Grisoft\AVG7\avgcc.exe

E:\Program Files\uTorrent\uTorrent.exe

E:\Program Files\AIM6\aim6.exe

E:\WINDOWS\system32\ctfmon.exe

E:\Program Files\Microsoft ActiveSync\wcescomm.exe

E:\Program Files\Common Files\AOL\Loader\aolload.exe

E:\PROGRA~1\MI3AA1~1\rapimgr.exe

E:\PROGRA~1\Grisoft\AVG7\avgwb.dat

E:\Program Files\AIM6\aolsoftware.exe

E:\WINDOWS\system32\wuauclt.exe

E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

E:\PROGRA~1\Mozilla Firefox\firefox.exe

E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

F2 - REG:system.ini: Shell=

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - E:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - E:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - e:\PROGRA~1\mcafee\msk\mcapbho.dll

O2 - BHO: Media Codec - {547F4E57-9025-403B-B619-073854A60DA1} - E:\WINDOWS\kiasys.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - E:\Program Files\McAfee\VirusScan\scriptsn.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - E:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - E:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - E:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [AIMPro] "E:\Program Files\AIM\AIM Pro\aimpro.exe"

O4 - HKLM\..\Run: [siteAdvisor] E:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [mcagent_exe] E:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [uTorrent] "E:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [Aim6] "E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Startup: IMVU.lnk = E:\Program Files\IMVU\IMVUClient.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - E:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - E:\Documents and Settings\Travis Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CB35F58F-5FF3-4BD1-9B80-1C320903E012}: NameServer = 192.168.2.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{D9E8DF6F-4F31-4049-8AD0-002637E382CD}: NameServer = 10.0.0.1

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: McAfee Application Installer Cleanup (0224891207431470) (0224891207431470mcinstcleanup) - McAfee, Inc. - E:\WINDOWS\TEMP22489~1.EXE

O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - E:\WINDOWS\system32\bgsvcgen.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McciCMService - Motive Communications, Inc. - E:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - E:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - e:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - e:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - E:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - E:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - E:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: SiteAdvisor Service - Unknown owner - E:\Program Files\SiteAdvisor\6253\SAService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8273 bytes

Thanks again for all your help

**Muah**

Felicia *Prettiful2u*

[jwbirdsong]

Download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Also do the following

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

REBOOT

Next download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close any open browsers.
  
• If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  
• Leave all the setting to the default except as noted below
  • Check the box for Scan all user accounts
    
  • Under Additional Scans sections, check the following
    • Reg - BotCheck
      
    • File - Additional Folder Scan
      

  [*]Now click the Run Scan button on the toolbar.

  [*]The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.

  [*]When the scan is complete Notepad will open with the report file loaded in it.

  [*]Save that notepad file

If the log is too large to post, use the ADDREPLY button, scroll down to the attachments section and attach the notepad file here.

[Prettiful2u]

Hey thanks for all you help...the problem is gone.

Did you need me to still post those logs.

They dont seem to want to post right

Edited April 6, 2008 by Prettiful2u

[jwbirdsong]

If you can post the MBAM and then ATTACH the OtScanIt. It's to long to post.

[Prettiful2u]

Malwarebytes' Anti-Malware 1.10

Database version: 594

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 141451

Time elapsed: 53 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 7

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

E:\WINDOWS\kiasys.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{547f4e57-9025-403b-b619-073854a60da1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{547f4e57-9025-403b-b619-073854a60da1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{547f4e57-9025-403b-b619-073854a60da1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\kiasys.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\kiasys.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

E:\WINDOWS\kiasys.dll (Trojan.FakeAlert) -> Delete on reboot.

OTScanIt.Txt

[jwbirdsong]

About the only MAJOR issue left on your computer seems to be that you have 2 Anti Virus programs installed. (AVG and McAfee) While one is a MUST have, two can/will cause issues like slow down, errors, blue screenm and can actually be like having none installed at all. You should choose one and uninstall the other.

Start OtScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

 [Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\E:\Documents and Settings\Travis Hawkins\Desktop\hfs.exe -> E:\Documents and Settings\Travis Hawkins\Desktop\hfs.exe [E:\Documents and Settings\Travis Hawkins\Desktop\hfs.exe:*:Enabled:hfs]
[Files/Folders - Created Within 30 days]
NY -> SrchSTS.exe -> %SystemRoot%\System32\SrchSTS.exe
NY -> swreg.exe -> %SystemRoot%\System32\swreg.exe
NY -> swxcacls.exe -> %SystemRoot%\System32\swxcacls.exe
NY -> VACFix.exe -> %SystemRoot%\System32\VACFix.exe
NY -> VCCLSID.exe -> %SystemRoot%\System32\VCCLSID.exe
NY -> WS2Fix.exe -> %SystemRoot%\System32\WS2Fix.exe
NY -> 4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp
[Files/Folders - Modified Within 30 days]
NY -> 1 E:\WINDOWS\System32\*.tmp files -> E:\WINDOWS\System32\*.tmp
NY -> 4 E:\WINDOWS\*.tmp files -> E:\WINDOWS\*.tmp
NY -> catchme.exe -> E:\Documents and Settings\Travis Hawkins\Local Settings\Temp\Rar$EX03.687\OTScanIt\catchme.exe
NY -> catchme.exe -> E:\Documents and Settings\Travis Hawkins\Local Settings\Temp\Rar$EX17.234\OTScanIt\catchme.exe
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.

If it reboots this may not happen. If you need to manually find the file it is at Desktop\OTScanIt\MovedFiles4082008_163441.log or what ever yours is named(Date/Time you ran the fix)

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Click on the Start Scanning button at bottom of page.
  
• Accept the License Agreement and the ActiveX install.
  
• Once the ActiveX installs,Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
  
• The scan will take some time to finish,so please be patient.
  
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report to your Desktop for later posting.
  

Please post

• OTscan it "results" log (described above)
  
• F-Secure log
  
• Fresh OtScanIt log made after F-secure
  

in your next reply here