
Thread: Possible Zlob infection / "Virus Heat"

  1. #1

    Possible Zlob infection / "Virus Heat"

    I tried scanning this computer a million times. I've always used updated programs and scanned in Safe Mode... And although I got a lot of it, I can't finish it all. I keep having this large flashing shield at the bottom right of my screen that complains that I have an infection. I KNOW that this thing is a virus and I can't get rid of it.

    I used SpyBot, CCleaner, Spy Sweeper, Ewido, McAfee, VundoFix (and other anti-Vundo programs), AIMFix, Ad-Aware, and everything else I could think of. (I made sure I only have 1 anti-virus on at a time so they wouldn't fight each other.)

    Here's the HJT log and a picture that shows the problem too! Please help me as soon as yah can.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    • Download combofix.exe by sUBs to your computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
    When it finishes, it ought to
    • Produce a log for you. ( C:\ComboFix\ComboFix.txt)
    • Restore your Internet connection.
    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
    Post the log for us
    Judy

    P.S. It is EXTREMELY important that HijackThis be properly located before you use it! You should move it from its present location into a file of its own that you create.
    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and Click ENTER
    **** Also, please be sure to RENAME hijackthis.exe to analyzer.exe or your name.exe (any random name ought to suffice) by RightClicking hijackthis.exe and selecting Rename. This is important!
    Once you have moved and renamed HJT then run a NEW scan after you do the combofix scan and post that new HJT log along with the combofix log.

  3. #3
    Ah, okay. Here's the logs... What do they mean?

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Two things you need to do...first of all please RENAME HiJackThis following these instructions;
    **** Also, please be sure to RENAME hijackthis.exe to analyzer.exe or your name.exe (any random name ought to suffice) by RightClicking hijackthis.exe and selecting Rename. This is important!
    Some viruses or trojans, Zlob included, can hide themselves from HiJackThis if it sees it on the computer, thus you rename and then it makes it more difficult for an invader to hide itself.

    Secondly; Please DISABLE SpyBot TeaTimer until further notice. Running TeaTimer can definitely interfere with any fixes needed.

    1. Print out these instructions as we will need to close every window that is open later in the fix.
    2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop.

      Malwarebytes' Anti-Malware Download Link
    3. Once downloaded, close all programs and Windows on your computer, including this one.
    4. Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
    5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
    6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the Ok and you will now be at the main program.
    7. On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for VirusHeat related files.
    8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
    9. When the scan is finished a message box will appear. You should click on the OK button to close the message box and continue with the VirusHeat removal process.
    10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

    11. A screen displaying all the malware that the program found will be shown. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.

    12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log, save it for posting here later.
    You can now exit the MBAM program.

    Post back here with that log.

  5. #5
    Holy crap on a cracker! You guys are amazing. Thanks for the nice and speedy service... And also thanks for not getting mad when I misread your instructions. Y'all have a lot of patience.

    Out of curiosity, do you guys know exactly what types of websites come with ZLob? Where did I get this thing from? (And I'm not embarrassed if it turns out to have been from porn or something. I just want to get the straight dope here.)

    Here's the MBAM log file (I'm adding this program to my favorites in malware removal) and a new HJT log file (I renamed it KyleAnalyzer but I didn't notice any differences):

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Hey don't worry about mis-reading the instructions...at least you read them, many people don't!

    Trojan-Downloader.Zlob.Media-Codec is a program that typically purports to be a needed upgrade to Windows Media Player in order to view adult oriented videos on certain websites. However, Trojan-Downloader.Zlob.Media-Codec actually downloads and installs additional malware on the user's machine. It actually doesn't HAVE to be porn...have seen this on many computers where the user was NOT viewing porn...so we will give you the benefit of the doubt...

    If you note in the ComboFix log the files removed were all related to the recent download of the macromedia\Flash Player

    Yes that MBAM is a great program, actually I was just introduced to it just a day or two ago by one of our other helpers here. Glad he told me about it.

    Your logs look pretty good, you do have some unnecessary start items but those are up to you. I would recommend that you go here
    and read PP's suggestions for keeping the computer clean. My recommendation is mainly SpywareBlaster. A Super program that will offer a lot of protection and it is FREE and doesn't run in the background...AND one of the things it protects against is Zlob.
    You can delete ComboFix from the computer, to do that go to: Start >> Run... Type: Combofix /u and click OK.
    After this also go to "C" drive and look for a folder called Qoobox
    If you find it delete it, these are the backups for Combofix which you no longer need.
    Judy

  7. #7
    Join Date
    Mar 2008
    Posts
    1

    Virus Heat Infection

    Wow! Am I glad I found this forum. My wife was reading a New York Times online article about Barack Obama and it had a link to a video of his half-sister. When she clicked the link, she got a pop-up saying she needed to update her active-x controls (or something like that), so she did, and guess what, she got this pesky infection that hijacked internet explorer and kept popping up msgs saying she was infected with a virus and needed to download their $50 program to remove it.

    When I searched for methods of removing the thing, I found this forum and Judy's detailed instructions about how to deal with it. I downloaded the software and followed her instructions to a T. It worked perfectly and I'm a happy camper once again. Thanks Judy.
    BTW - I had spent many hours unsuccessfully trying to rid her machine of this pain.

    Dick

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    D_Lowthian, Glad we could help! Now are YOU certain all is removed? You really should begin your own thread concerning this and follow the instructions given concerning posting the logs, etc. We will be most happy to take a look to be certain that everything is cleaned up.
