Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan horse downloader.Zlob.DJW?


  • Please log in to reply

#1
Pedestrian A

Pedestrian A

    Member

  • Member
  • PipPip
  • 16 posts
Hi,

I was recommended to come here from another forum (Annoyances.org). My problem is kinda weird. Its something like this...

I keep all the software I download in a folder just in case, lets say, for use after a reformat. After an update, AVG Free tells me that the setup file for the latest version of Password Safe (from http://passwordsafe.sourceforge.net by some guy named Bruce Schneier (http://www.schneier.com) is infected with a trojan horse called trojan horse downloader.Zlob.DJW. I did a full system scan and found that the uninstall.exe file for Password Safe is also infected with the same virus. I searched Google for downloader.Zlob.DJW but found nothing. I searched Yahoo and found that some guy in the Winamp forums is also getting pop ups from AVG about downloader.Zlob.DJW. I have Password Safe on another computer but AVG doesn't report viruses or trojans. I downloaded the setup file for Password Safe and AVG says it has trojan horse downloader.ZLOB.DJW. I downloaded the setup file again on another computer but AVG doesn't detect anything. Is my password file compromised? Or is there a problem with AVG? What should I do? Change all my passwords?

That was a month ago. Sorry, I kinda had a major exam to study for. And more recently, AVG has detected yet another trojan horse downloader, Trojan Horse Downloader.Agent.FMH and this time the file is C:\Windows\system32\ah.scr. I believe that is the file for a screensaver I downloaded from Alienware.com. Is there something wrong with AVG or I really have a trojan horse infection? Please and thank you. :whistling:


Pedestrian A

Edited by Pedestrian A, 28 October 2006 - 11:57 PM.

  • 0

Advertisements


#2
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
Please Click here!, and follow the recommendations in the guide.

If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0

#3
Pedestrian A

Pedestrian A

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi,

Before I go on following the recommendations in the guide (this link you gave me) I want to say that I forgot to tell you that two of the infected files, the setup file and uninstall.exe for Password Safe that was infected with trojan horse downloader.Zlob.DJW I already put in AVG's virus vault and deleted them just in case. Right now the file in AVG's virus vault is the one that has got to do with the screensaver I mentioned from Alienware.com and its infected with trojan horse Downloader.Agent.FMH. I did scans with Spybot S&D, Ad-Aware and AVG before I got your reply and they detected nothing. So I guess my problem now is that I'm not sure the file in AVG's virus vault is really infected or not. How do I make sure? If the problem is with AVG, can I still seek help here? Should I still go on with the steps in the recommendations guide?

Pedestrian A
  • 0

#4
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
I need you to follow those steps, and then post a HijackThis log
  • 0

#5
Pedestrian A

Pedestrian A

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi,

I've followed all the steps in the recommendation already. AVG Anti-spy picked up 5 items, Ad-Aware picked up 4, AVG Anti-virus picked up nothing and Panda Activescan picked up 1. I accidentally deleted 2 items in AVG Anti-spy. I missed setting the configurations to quarantine all items. I couldn't delete any items in Activescan. Is that normal? I've saved log files for AVG Anti-spy and Activescan. If you need them, I'll post it. Anyway, here's the HijackThis log (yes, I've rebooted):



Logfile of HijackThis v1.99.1
Scan saved at 5:56:23 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Auto EPSON Stylus CX1500 Series on XP-DESKTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3V1.EXE /P45 "Auto EPSON Stylus CX1500 Series on XP-DESKTOP" /O20 "\\XP-DESKTOP\Printer" /M "Stylus CX1500"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NETGEAR WG111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O4 - Global Startup: NETGEAR WG511v2 Wireless Assistant.lnk = ?
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://v3.tm.net.my/plugins/myv3.cab
O16 - DPF: {605D405B-C484-4D30-B6D2-031CB2F440A4} (Vmon Control) - http://v3.tm.net.my/vmon/VAM/vmon.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://v3.tm.net.my/...yfirewall20.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4144\SiteAdv.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
  • 0

#6
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

  • 0

#7
Pedestrian A

Pedestrian A

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi,

I'm sorry but I'm having trouble with Housecall. A few minutes into the scan my browser just closes without warning. I've tried it on both Firefox and Internet Explorer. I've also tried the Australian Trendmicor site. At the moment, it just stucks at the update page.

Edited by Pedestrian A, 19 October 2006 - 06:42 AM.

  • 0

#8
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
try disabling winpatrol and ad-watch, then trying trend micro
  • 0

#9
Pedestrian A

Pedestrian A

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi,

I had problems with my internet connection. Just been able to connect today. I'll try disabling winpatrol and ad-watch soon.

Pedestrian A
- Just to tell you I'm not dead or anything....
  • 0

#10
Pedestrian A

Pedestrian A

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi Avohir,

Still no luck, I also tried the ActiveX kernel (the browser plugin one) for Housecall on Internet Explorer but still it just closes without warning. It's the same thing on my other computer. Have you tried Housecall? Does it work for you?

Pedestrian A,
- is this Housecall scan really needed? Can't we try another online scan?
  • 0

Advertisements


#11
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
we can try other scans.

you said you had the scan logs from AVG and ActiveScan? Could you post them please?
  • 0

#12
Pedestrian A

Pedestrian A

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Sure. Here's AVG Anti-spyware's log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:50:22 AM 10/18/2006

+ Scan result:



C:\WINDOWS\iaccess32.exe -> Dialer.EgroupDial.w : Cleaned with backup (quarantined).
C:\WINDOWS\system32\egaccess4_1063.dll -> Dialer.EgroupDial.x : Cleaned with backup (quarantined).
C:\Downloads\Cool Alienware Stuff\AlienHandSetup.exe -> Downloader.Agent.awt : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\i5pccz3l.default\cookiesnew.txt -> TrackingCookie.Com : Cleaned.
:mozilla.37:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\i5pccz3l.default\cookies.txt -> TrackingCookie.Com : Cleaned.


::Report end

I forgot to set AVG's actions to quarantine before I scanned, sorry. And here's Activescan's log:


Incident Status Location

Dialer:dialer.su Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\Switch



Pedestrian A
  • 0

#13
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
the link you gave to passwordsafe doesn't seem to be working for me...


could you download it and submit the file to http://virusscan.jotti.org and report back with the results?
  • 0

#14
Pedestrian A

Pedestrian A

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi Avohir,

I recently updated to a new version of Password Safe. AVG doesn't seem to have a problem with it (including it's setup file). I scanned the setup file with Jotti's malware scan too and it didn't find anything. I guess my problems with Password Safe and AVG is over (or rather AVG's problems with Password Safe). The screensaver from Alienware.com on the other hand seem to be actually infected. I scanned it on two computers using AVG Anti-spyware and it was infected with Downloader.Agent.awt. And on Jotti's malware scan, Norman Virus Control found W32/Agent.ALMT and VBA32 found Trojan-Downloader.Win32.Agent.awt. I guess I won't be using this screensaver anymore (it was a cool one though). So I guess my original problems are solved. So do I delete all those quarantined files I found during all those scans? And how do I get rid of that dialer Activescan detected but wasn't generous enough to delete?


Pedestrian A
- I fixed the link to Password Safe in my previous post, it was a typo error. I also corrected name of the guy who created it. It's Schneier not Schneir. Geez, he's name is not only hard to pronounce but hard to remember it's spelling too. I really think he should change the domain of his site.
- Urm, if you're wondering what version of Password Safe AVG originally detected malware is, I forgot. :whistling:
- Thanks and thanks again.

Edited by Pedestrian A, 29 October 2006 - 12:57 AM.

  • 0

#15
Avohir

Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
well everything looks good,

you're not experiencing any more problems?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP