Solved

Critical System Warning: Trojan.Zlob-X

Posted on 2007-12-01
8
2,478 Views
Last Modified: 2013-11-22
One of my users is experiencing this pop-up message constantly while using her computer. I have noticed it as well. She is running Windows Vista Home Basic. She has antivirus installed and updated. I ran AVG antivirus, antispyware, and windows defender all multiple times. I removed whatever entries were found, but nothing seemed relevant to this error that the user is getting: "Critical System Warning ! - Your system is probably infected with latest version of Trojan. Zlob-X.a full system optimization will generally increase your computer's performance and prevent data loss."
0
Comment
Question by:nicholasjwolf
  • 3
  • 3
  • 2
8 Comments
 
LVL 20

Accepted Solution

by:
IndiGenus earned 500 total points
Comment Utility
Sounds like Smitfraud to me.

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

-------------------------------------

If that doesn't get it I would advise Combofix next.

Download and Run ComboFix (by sUBs)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log. Upload to the following link and post the link to it back here.

http://www.ee-stuff.com

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Going to Control Panel > Network Connections.
* Right click on their Network icons & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.
0
 
LVL 19

Expert Comment

by:weellio
Comment Utility
http://www.spywareguide.com/onlinescan.php
here is a free online scanner that i run to get rid of my spyware..

try to diasble all the unneeded startup options
start - run - msconfig
on the startup tab choose "disable all" then reboot

if this doesn't clean the issue, then i suggest running a hijackthis report and seeing what it says. you may possibly have some rootkit.  get a rootkit killer
post the report if you don't see anything out of the ordinary, maybe one of us will.
0
 

Author Comment

by:nicholasjwolf
Comment Utility
IndiGenus: I ran the file and rebooted. Didn't get the popup error yet while I was remotely connected to her computer. I ran HijackThis just to be safe and came up with the following which, according to one log analyzer, had some nasties in it. Would you (and anyone else is welcome as well) please take a look and provide your opinion on any actions to take? Thanks a lot!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:48:15 PM, on 12/1/2007
Platform: Windows Vista  (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Users\bwkimj\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Video On-line - {065B1210-E57F-41AD-90C5-F70D63388640} - C:\Windows\System32\PowerVideo.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [PCMService] "C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B561B5C-CE10-47B4-863B-042678B53DAD}: Domain = bw.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B561B5C-CE10-47B4-863B-042678B53DAD}: Domain = bw.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{5B561B5C-CE10-47B4-863B-042678B53DAD}: Domain = bw.local
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7591 bytes
0
 
LVL 19

Expert Comment

by:weellio
Comment Utility
Description:


This is Trend Micro's detection for components of the legal adware called PopCap Loader from PopCap Games company. It is a Web plug-in that provides Web update features.

It runs on Windows 98, ME, NT, 2000, and XP.

Solution:

Minimum scan engine version needed: 7.100




Removing Adware Entries from the Registry

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, delete the following registry keys:
" HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2
" HKEY_CLASSES_ROOT\PopCapLoader.PopCapLoaderCtrl2.1
" HKEY_CLASSES_ROOT\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
" HKEY_CLASSES_ROOT\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
" HKEY_CLASSES_ROOT\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
" HKEY_LOCAL_MACHINE\SOFTWARE\ClassesPopCapLoader.PopCapLoaderCtrl2
" HKEY_LOCAL_MACHINE\SOFTWARE\ClassesPopCapLoader.PopCapLoaderCtrl2.1
" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
Close Registry Editor.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 19

Expert Comment

by:weellio
Comment Utility
0
 
LVL 20

Assisted Solution

by:IndiGenus
IndiGenus earned 500 total points
Comment Utility
Just some Smitfraud leftovers. Not seeing anything else malicious.

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

---------------------------------

O2 - BHO: Video On-line - {065B1210-E57F-41AD-90C5-F70D63388640} - C:\Windows\System32\PowerVideo.dll (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab

---------------------------------

Then close all windows except this one and press Fix checked.

I would advise you to update and run your AVG Antispyware in Safe Mode and let it fix or quarantine anything it finds.

Hope that helps,
Dave
0
 

Author Closing Comment

by:nicholasjwolf
Comment Utility
Thank you!
0
 
LVL 20

Expert Comment

by:IndiGenus
Comment Utility
You're welcome and good luck in the future.
Dave
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

OVERVIEW This guide provides information on the process performed when the Symantec Endpoint Protection (SEP) client checks in with the Symantec Endpoint Protection Manager (SEPM). AUDIENCE Information Technology personnel responsible for suppo…
HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now