
I have been possessed by "Z Demon"

Discussion in 'Malware and Virus Removal Archive' started by Hammer, 2004/12/09.

Thread Status:
Not open for further replies.
  1. 2004/12/09
    Hammer

    Hammer Inactive Thread Starter

    Joined:
    2002/02/13
    Messages:
    50
    Likes Received:
    0
    Ok... this one has got me stumped. I have had fairly good success getting rid of spyware and viruses but for some reason this one won't go away. While attempting to download a program, I inadvertently selected the wrong download window. This is when all hell broke loose. After it was too late I realized I had downloaded Bullseye, along with a bunch of other ****. AVG detected a virus immediately (which has since been removed). 3 days later I'm still fighting it.

    I ran spybot and adaware. Spybot keeps showing an error message "Error during check! Z Demon ", and "DSO exploit" and "eXact advertising.BargainsBuddy ".

    I uninstalled (successfully, I think) "Bullseye" and "Search Relevancy "

    Here is the HiJackThis logfile:
    Logfile of HijackThis v1.98.2
    Scan saved at 7:34:15 PM, on 12/9/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\KMaestro\KMaestro.exe
    C:\WINNT\Mixer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab

    Zone Alarm has stopped internet access to several exe files which I'm sure are related.
    Also... My Outlook Express won't start up without freezing and using 90% of my CPU.
    Anyone have any ideas? Is there any other software I should try?
    Any help would be wonderful.
    Thanks, Hammer
     
    Last edited: 2004/12/09
  2. 2004/12/10
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    The log looks clean at this point.

    Zone Alarm has stopped internet access to several exe files which I'm sure are related

    Can you post the names of the .exe files?

    On the chance that some needed system file went missing or was just dinged up some, have you tried sfc /scannow from a run line?
     
    Newt,
    #2


  4. 2004/12/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Along with Newt's question:

    We need to see the entire log; it looks as if you have items on HijackThis's ignore list. Plus, if you've disabled anything from starting with Windows since the problems started, undo that; we need to see it all.

    So, a new log, and a service list from this tool too.
     
  5. 2004/12/10
    Hammer

    Hammer Inactive Thread Starter

    Joined:
    2002/02/13
    Messages:
    50
    Likes Received:
    0
    Thanks for the replies.
    The .exe files stopped by Zone Alarm are exdl.exe, exdl1.exe and Tibs3.exe. The others were bargains.exe and optimize.exe, but I believe I got rid of those.

    Here is the HijackThis log file with the ignored processes added.

    Logfile of HijackThis v1.98.2
    Scan saved at 5:40:51 PM, on 12/10/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\KMaestro\KMaestro.exe
    C:\WINNT\Mixer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hammer
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe "
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab



    Here is the Service Filter log:
    ServiceFilter 1.1
    by rand1038

    Microsoft Windows 2000 Professional
    Version: 5.0.2195 Service Pack 3
    Dec 10, 2004 6:05:41 PM


    There are 57 Win32 services on this machine.
    All were recognized as legitimate.

    Script Execution Time: 3.136719 seconds.

    Does this help?
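The helpers asked for the full HijackThis log because triage is done line by line against what is known about the machine. As an added example (not code from the thread or from HijackThis), the following parses a few of the posted entries plus one constructed O4 line and flags any entry that references one of the executables the poster said ZoneAlarm blocked, or any O16 DPF download from a host outside an assumed allowlist.

```python
import re
from urllib.parse import urlsplit
# Lines from the HijackThis log posted above, plus one constructed O4 entry
# (not in the thread) pointing at exdl.exe, which the poster said ZoneAlarm blocked.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
O4 - HKLM\..\Run: [exdl] C:\WINNT\system32\exdl.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
"""
# Executable names ZoneAlarm blocked, as listed by the poster.
BLOCKED_EXES = {"exdl.exe", "exdl1.exe", "tibs3.exe", "bargains.exe", "optimize.exe"}
# Assumed allowlist of hosts permitted to serve O16 DPF (ActiveX) downloads.
DPF_HOST_ALLOWLIST = {"download.games.yahoo.com", "chat.yahoo.com", "tools.ebayimg.com"}
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|vxd)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse_hjt_line(line):
    """Split one HijackThis entry into section tag, body, file paths and URL."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    section, body = m.groups()
    url = URL_RE.search(body)
    return {"section": section, "body": body, "paths": PATH_RE.findall(body),
            "url": url.group(0) if url else None}

def triage(log_text, blocked_exes=BLOCKED_EXES, dpf_hosts=DPF_HOST_ALLOWLIST):
    """Return (section, reason, body) for each entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_hjt_line(raw)
        if entry is None:
            continue
        for path in entry["paths"]:
            name = path.rsplit("\\", 1)[-1].lower()
            if name in blocked_exes:
                findings.append((entry["section"], f"references blocked file {name}", entry["body"]))
        if entry["section"] == "O16" and entry["url"]:
            host = (urlsplit(entry["url"]).hostname or "").lower()
            if host not in dpf_hosts:
                findings.append((entry["section"], f"DPF download from unlisted host {host}", entry["body"]))
    return findings
```

Run `triage(SAMPLE_LOG)` on the sample and only the constructed exdl.exe entry is reported; shrinking the allowlist surfaces the eBay CAB as well.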
     
  6. 2004/12/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I have attached a text file named RemoveBB.txt to this post. Download it, saving to the desktop. Right click and rename, changing only the txt extension to reg. Double click to merge the information to the registry. It will remove the entries placed there by Bargain Buddy. Reboot to safe mode and open C:\Winnt\system32 folder. Locate the executables you listed above and delete, as well as the file netut80ex.vxd if present. Open C:\Program Files and delete the following folders if present.

    ADP
    Bargain Buddy
    Bullseye Network
    Crazy Mates
    Internet Optimizer


    Open C:\Temp if present, select all and delete.
    Open C:\WINNT\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes and click OK.

    Reboot back to Windows.

    DSO Exploit is a glitch in Spybot 1.3 that apparently still has not been fixed. See this thread for more information.

    Scan again with Spybot and let us know what comes up. If Z Demon is still present, please post the scan log.
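The cleanup above names specific files and folders; verifying that none survived is easier with a scan than by eye. The following is an added example (not code from the thread) that walks a directory tree and reports any leftover matching those names, case-insensitively as NTFS would; it checks every directory rather than just system32 and Program Files, and the sample tree it builds is constructed for the dry run, not a real system.

```python
import os
import tempfile
from pathlib import Path

# Artifacts named in the cleanup steps above; matching is case-insensitive, as on NTFS.
LEFTOVER_FILES = {"exdl.exe", "exdl1.exe", "tibs3.exe", "bargains.exe",
                  "optimize.exe", "netut80ex.vxd"}
LEFTOVER_DIRS = {"adp", "bargain buddy", "bullseye network", "crazy mates",
                 "internet optimizer"}

def find_leftovers(root):
    """Walk `root` and return (files, dirs) whose names still match the lists above.

    Every directory is checked, not only system32 and Program Files, so a copy
    dropped in a Temp folder is reported too.
    """
    root = Path(root)
    files, dirs = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs += [str(Path(dirpath, d)) for d in dirnames if d.lower() in LEFTOVER_DIRS]
        files += [str(Path(dirpath, f)) for f in filenames if f.lower() in LEFTOVER_FILES]
    return sorted(files), sorted(dirs)

def build_sample_tree(root):
    """Create a constructed layout (not a real system) to exercise the scan."""
    root = Path(root)
    sys32 = root / "WINNT" / "system32"
    temp = root / "Documents and Settings" / "user" / "Local Settings" / "Temp"
    for d in (sys32, temp, root / "Program Files" / "Bargain Buddy",
              root / "Program Files" / "KMaestro"):
        d.mkdir(parents=True)
    for f in (sys32 / "Tibs3.exe", sys32 / "svchost.exe", temp / "exdl1.exe"):
        f.write_bytes(b"")

def dry_run():
    """Build the sample tree in a temp dir, scan it and return root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        files, dirs = find_leftovers(tmp)
        def rel(p):
            return Path(p).relative_to(tmp).as_posix()
        return [rel(p) for p in files], [rel(p) for p in dirs]

if __name__ == "__main__":
    print(dry_run())
```

On a real machine, call `find_leftovers(r"C:\")` after the reboot; an empty result for both lists is the expected outcome.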
     
  7. 2004/12/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Spybot DSO note - there was a beta version 1.3.1 available for a while that took care of the DSO exploit. I have it and have been happy with it. For some reason the Spybot folks pulled the beta and only 1.3 is available from most sites.

    I just found a 1.4 beta version and am now in the process of removing 1.3.1 to try 1.4. I'll post results in a day or so.
     
    Newt,
    #6
  8. 2004/12/11
    Hammer

    Hammer Inactive Thread Starter

    Joined:
    2002/02/13
    Messages:
    50
    Likes Received:
    0
    We have success... sort of.
    I did all of the things Noahdfear suggested. I ran SpyBot again and still got the error message. Here is the logfile.
    Error during check!: Z-Demon (Ungültiger Datentyp für '') ()

    Congratulations!: No immediate threats were found. ()

    --- Spybot - Search && Destroy version: 1.3 ---
    2004-11-29 Includes\Cookies.sbi
    2004-12-01 Includes\Dialer.sbi
    2004-12-02 Includes\Hijackers.sbi
    2004-12-01 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-12-01 Includes\Malware.sbi
    2004-11-29 Includes\Revision.sbi
    2004-11-29 Includes\Security.sbi
    2004-12-01 Includes\Spybots.sbi
    2004-11-29 Includes\Tracks.uti
    2004-12-01 Includes\Trojans.sbi

    I ran Adaware again and all that showed were some regular tracking cookies.
    I then tried to open Outlook Express but it still locked up on me. Thinking maybe I had a corrupted file in my inbox, I moved the inbox DBX file to another location and it works now... but I can't access my messages in that file.
    Is the Z-Demon something I should be worried about? Maybe the Spybot 1.4 can help with that.
    Is there any way I can open the dbx file to determine what's in there?

    Thanks for all your help.
    Hammer
     
  9. 2004/12/11
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Last edited: 2004/12/11
  10. 2004/12/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Error during check!: ??varies?? (Ungültiger Datentyp für ') () - ( ??varies?? indicates you can have a number of different spyware/malware names here)

    From what I read, not fixed in 1.3.1 but is fixed in 1.4 beta. It seems that when you run into this one the spybot app will say it completed successfully when in fact it did not.
     
    Newt,
    #9
  11. 2004/12/11
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Hi Newt,
    I was only going by the poster's response from the link I included in my previous thread. That's why I said apparently. I guess I should have expanded on my skepticism a wee bit more. :)

    One sure way is running a few online scans from a couple of different vendors.

    Another is manually checking for any existence of the files and registry keys these critters use. There are a few different variants and each uses different files and registry run lines. Perhaps that's why spybot has burps on this one.

    Here are some of the Google hits. I'll eventually drag the specific links out in a bit, but I have some chores to do at the moment and will be off line for a while. In the meantime, for self-assurance, if Hammer wishes to check the Google links and find the relevant links and files involved, here they are:
    http://www.google.com/search?hl=en&q=zdemon+virus
     
    Last edited: 2004/12/11
  12. 2004/12/11
    Hammer

    Hammer Inactive Thread Starter

    Joined:
    2002/02/13
    Messages:
    50
    Likes Received:
    0
    Ok finally....
    I upgraded my Spybot, ran a new scan, and the Zdemon is apparently gone. I checked into the Google search; the Symantec site gave some instructions on checking for the Zdemon virus and I was unable to find anything. Looks like I'm in the clear. Now if I could just recover those emails...
    Thanks everyone
    Hammer
     
  13. 2004/12/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    For a small fee, DBXtract can handle those emails.
     
  14. 2004/12/11
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    I'd be careful with that email folder. I believe one of the descriptions of this virus/trojan mentioned sending files, including itself, by email and by accessible network shares. Do you think it could be sitting in there waiting to get you again? I wonder if an attempt at cleaning the trojan, if it was found to be in the dbx folder, has corrupted the box? Did you do any online scans as suggested? What virus program are you using that allowed you to get hit with this in the first place?

    I guess once skepticism sets in it's hard to shake loose... ;)

    Hi Dave,
    You're doing a great job in here. I don't know how you keep going. I just wanted to let you know that I think you and the other members who keep doing these cleanups day and night are absolutely wonderful. Words just aren't enough.
     
    Last edited: 2004/12/11
  15. 2004/12/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Ann makes a very good point when suggesting caution with those files. There are also a few freebie dbx file extractors, which will allow you to view/save the files. It should be rather safe to save them to a text file or such and then scan it before opening. Using an online scanner in addition to your onboard AV is recommended also. Often times, just the sheer size of the dbx file will cause problems with OE.

    Hi Ann,

    Thank you so much for the kind words. :D
     
  16. 2004/12/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    All OK now?

    If so, go get your service packs.
    Also download the new build of AVG soon: uninstall the old one, reboot, install the new one. It's now called AVG Free. I have to assume you're running an old build of ZA too; best to keep up with all updates :)

    Regards
     
  17. 2004/12/12
    Hammer

    Hammer Inactive Thread Starter

    Joined:
    2002/02/13
    Messages:
    50
    Likes Received:
    0
    Thanks for all your help.
    Ann, I'm using Zone Alarm and AVG, which usually do a great job. The reason I got all this junk was because of an inadvertent download.
    As far as my AVG and ZA go... I scan with AVG nightly so I'm always up to date. I update ZA about once a week. Do the updates include the latest builds?
    I haven't tried the online scan, but if there's a chance it will help, I'll try it.
    As for the .dbx file, I don't think the size of the file is causing the problem. I noticed the program running slow a few weeks ago and did a major cleanup. It was purring along until this little mishap. I think I'll transfer the file to a spare computer so I can spare this one the troubles.
    I'll get the latest service packs. Thanks for the advice.
    Now I've just discovered my son has downloaded BargainsBuddy and CashBack on my laptop.... Here we go again....
     