
Solved trojan.zlob activity~shell32.dll icons have gone.

Discussion in 'Malware and Virus Removal Archive' started by Miniwood, 2008/08/14.

  1. 2008/08/14 Miniwood (Thread Starter)

    Hello,

    This is my first post so I hope I get things right :). I have searched the forum and, although I've learned a lot, I couldn't find a similar problem.

    Last week Norton Internet Security started telling me it had blocked some outgoing Trojan.Zlob activity. I closed the net connection and did a full system scan using Norton, but it found nothing. Since then Norton has flagged up this activity several times a day. Yesterday I received a home movie from a friend who uses a Mac; I had to install Quicktime to view it (I really didn't want to, but he insisted I see his new baby). After viewing the movie I uninstalled Quicktime; I had been careful not to let it associate any files. After a reboot I noticed that my Recycle Bin icon had been replaced by the placeholder/blank icon. I opened a window and found my folder icons were similarly blank. I tried to change the icon but found that shell32.dll had no icons in it. Additionally, all of my recent programs in the Start menu have lost their icons and the history list under the Run command is blank.

    I ran "sfc /scannow" and it found nothing wrong and left shell32.dll as is.

    I guess that the problem may be associated with Quicktime (I loathe that program), but as I am getting constant reports of trojan.zlob activity I decided to post here. I have run Hijackthis as requested; the log is below. The only thing there that raises my suspicions is "O4 - HKLM\..\Policies\Explorer\Run: [889Y4Px0A0] C:\Documents and Settings\All Users\Application Data\rsvilkry\polsreny.exe". I have no idea what that is.

    Thanks in advance for any help you can give and thanks for an excellent forum.
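An added check, not part of this thread or of HijackThis itself, for the kind of O4 entry quoted above: it parses HijackThis O4 lines (the sample lines are constructed here, with the quoted entry included) and flags autostarts that sit under Policies\Explorer\Run, point at an executable under Application Data, or carry a random-looking value name. The reason codes are names chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HijackThis O4 lines. The Policies\Explorer\Run entry is the one
# quoted in the first post; the other two are typical benign autostarts.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [889Y4Px0A0] C:\Documents and Settings\All Users\Application Data\rsvilkry\polsreny.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

@dataclass
class Finding:
    hive: str
    key: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)

def _random_looking(name: str) -> bool:
    # Heuristic: a value name mixing digits, upper and lower case (e.g. 889Y4Px0A0)
    # is not something a software vendor would normally choose.
    return (any(c.isdigit() for c in name)
            and any(c.isupper() for c in name)
            and any(c.islower() for c in name))

def scan_hjt_o4(log_text: str) -> list:
    """Parse O4 lines and return those with at least one suspicious trait."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        f = Finding(m["hive"], m["key"], m["name"], m["cmd"])
        if f.key.lower() == r"policies\explorer\run":
            f.reasons.append("policies_run_key")   # rarely used on a home PC; abused by Zlob-era malware
        low = f.cmd.lower()
        if "\\application data\\" in low or "\\programdata\\" in low:
            f.reasons.append("appdata_path")       # autostart executables normally live under Program Files or Windows
        if _random_looking(f.name):
            f.reasons.append("random_name")
        if f.reasons:
            findings.append(f)
    return findings
```

Run it over a real HJT log (`scan_hjt_o4(open("hijackthis.log").read())`) and the entries with reasons are the ones worth submitting to a scanner before anything is deleted.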

     
  2. 2008/08/15 Michael York
    Hi miniwood,

    This is Mike from the Norton Authorized Support Team responding to your posting.

    While I cannot analyze your log file, I can help you with removing the infection.

    The Trojan Zlob most likely came from a rogue website or by clicking on something on a web page. Although QuickTime may have some security holes as most multimedia applications do, I doubt that it came from using QuickTime.

    Symantec has instructions for properly updating your definition files, turning off System Restore and manually removing any registry entries that the infection has created.

    Please carefully follow the instructions in the following document.

    Trojan.Zlob Removal Instructions

    Thank you,
    Mike

  4. 2008/08/15 Geri (Alumni)
    Hi Miniwood
    I really didn't want to meet you here too :rolleyes:

    Now let's see if I can return the favor, seeing as this is my area of knowledge. ;)

    Please do this.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
      • C:\Documents and Settings\All Users\Application Data\rsvilkry\polsreny.exe
    • Click on the submit button
    • Please post the results in your next reply.


    Now this.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    Thanks
    Geri
  5. 2008/08/15 Miniwood (Thread Starter)
    Michael, thanks for your reply.

    Hi Geri, well I'm glad I could help you. :)

    Some additional information: Windows Update forced a reboot this morning and since then Norton has not flagged up any Trojan.Zlob activity; I am afraid I don't know what updates were applied. However, I still have no system icons, shell32.dll has no icons in it and my Run command has a blank history list.

    On with your instructions:

    Jotti File Submission:

    Jotti.org responded:

    "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

    I have all hidden and system files visible; I checked and neither the file nor the directory exists. I ran a search for the file and directory name and it definitely does not exist.

    Running SmitfraudFix.exe

    Norton pops up 2 windows:

    1. Auto-protect has detected security risk IEDefender

    2. Auto-protect has removed security risk IEDefender, your computer is secure

    I guess this is something that SmitfraudFix needs, so I turned off Auto-Protect and ran it again. Here is the report:

    That's it, thanks for your help.
     
  6. 2008/08/15 Geri (Alumni)
    Hi
    OK, because you don't get the Zlob warning any more, I need to see a new HJT log.

    Thanks
    Geri
  7. 2008/08/15 Miniwood (Thread Starter)
    Hi Geri

    Here's the new HJT log:

     
  8. 2008/08/15 Geri (Alumni)
    Hi
    OK, that file still shows in your HJT log.

    Please do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Thanks
    Geri
  9. 2008/08/15 Miniwood (Thread Starter)
    Hi Geri

    Here's the Combofix log:

     
  10. 2008/08/16 Geri (Alumni)
    Hi
    OK, a couple of questions.
    Did you run ComboFix 2 times? You posted this...
    ComboFix 08-08-14.05 - Paul Littlewood 2008-08-16 5:31:12.2
    The 2 here means the second log. I would like to see the first one.

    Also, I'm a little confused with "shell32.dll has no icons in it"; shell32.dll is a system file, not a folder, so I'm confused about the "no icons in it"?

    Are all icons gone or changed?

    Was there any change after running combofix?

    Thanks
    Geri
  11. 2008/08/16 Miniwood (Thread Starter)
    Haha, no hiding from you! Yes, the first time I managed to lose the copied report; sorry, I've been up all night :eek: . I just had a look at Drive C and there's a new dir called qoobox which has a file in it called combofix2.txt; this looks like the first run. Here it is:

    Is that the right one?

    My system icons, like Recycle Bin and Folder, have gone and have been replaced by the generic blank/placeholder icon that Windows uses for unrecognised files. Also the recently run programs in the Start menu are blank. When this first happened I right clicked on the Recycle Bin to replace the icon, which opened up Shell32.dll, and there were no icons there to choose from as there normally are.

    Since running combofix the icons are still generic/blank but shell32.dll now has the normal icons available. It looks to me as if you may have fixed things.
     
  12. 2008/08/16 Geri (Alumni)
    Hi
    OK there are a number of files I can't get much info on. They could be game files but I would like to make sure they don't come back as bad.

    Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now an on-line scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" on the left side.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type: Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri

    I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here,
    here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Malware and Virus removal.
     
  13. 2008/08/16 Miniwood (Thread Starter)
    Thanks Geri

    I'm following your instructions; it looks like Kaspersky will take about seven hours and I'm off to bed. I'll get back to you with the report tomorrow.
     
  14. 2008/08/17 Miniwood (Thread Starter)
    Hi Geri

    Here's the Kaspersky report:

     
  15. 2008/08/17 Geri (Alumni)
    Hi Paul
    OK looks good.

    Please do this.

    Open housecall6.6 Quarantine folder and delete everything in it.

    Delete everything in your Thunderbird Mail Inbox (don't open anything in there; you have some infected mail), then delete everything in the Junk folder, then delete the Deleted Items folder, if there is one (basically, clean out all the folders in that mail program).

    Now do this.

    Delete Smitfraud.exe

    Then do this.

    Click Start > Run; in the Run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing the infected files there as well.

    RealVNC Ltd - winvnc.exe is OK, if you did not know. Information here:
    http://www.processlibrary.com/directory/files/winvnc

    How are things running?

    Geri
     
  16. 2008/08/17 Miniwood (Thread Starter)
    Hi Geri

    Everything seems fine virus-wise. I've done all you said and I'm getting no warnings from Norton. However, I still have incorrect folder, HD and Recycle Bin icons. If I right click on the Recycle Bin and choose the correct icon from those in shell32.dll, the icon displayed does not change from the unknown filetype icon. The same goes for folders and hard drives.

    Unless you have another suggestion, I was thinking of reinstalling Windows over my current installation. SFC does not detect anything wrong.

    Going back to something you mentioned earlier; I only use Bittorrent to download and share Openoffice. I see that as a way of paying for the free software by contributing some bandwidth to the project. It's a shame, P2P could be so useful if it wasn't for the bad guys, but I guess you could say that about the web as a whole too.
     
  17. 2008/08/17 Geri (Alumni)
  18. 2008/08/17 Miniwood (Thread Starter)
    Hi Geri

    No joy :(

    I ran it and tried a reboot. It turned off my Quick Launch bar but nothing else.
     
  19. 2008/08/17 Geri (Alumni)
    Hi
    OK, right click on your desktop and click on Properties.
    Click on Desktop > Customize Desktop.
    Click on Restore Defaults.
    OK your way out.

    Let me know of any change.

    Thanks
    Geri
     
  20. 2008/08/17 Miniwood (Thread Starter)
    Hi Geri

    No change. Stubborn isn't it?
     
  21. 2008/08/17 Geri (Alumni)
    Hi
    OK, let's check this.
    1. Right click on your desktop and click on Properties.
    2. Click the Desktop tab, and choose "Customize Desktop".
    3. Select the "Web" tab.
    4. Delete all the items except "My current Home page".
    5. Uncheck "My current Home page".

    If there was anything else in that box that you deleted, then click on the General tab and click on Restore Defaults; OK your way out.

    Geri
     
