Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Removing Malware: Win32/Spy.Zbot.JF Trojan

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts
Dear Geeks,

I'm working on trying to remove a particular Trojan virus from my system, which ESET Nod32 identifies as a variant of Win32/Spy.Zbot.JF trojan.

This particular virus seems to have the following effects:
1. Switches off firewall
2. Causes new tabs to open randomly in Firefox, for shopping sites, and even Bing
3. Fills the temporary folder in the C/Drive with folders
4. Attempts to establish a connection between my computer and an IP in China, rasejo.cn
5. Is visible to my antivirus and antimalware software, but cannot be fully deleted
6. Prevents my computer from opening in safe mode

I have an HP Compaq Presario running on Windows XP.

I have scanned with both Nod32 and Malwarebytes, quarantined the offending files, deleted, etc., but the virus is obviously hiding somewhere, as the warning messages quickly return.

There are three warning messages.
1. Blocks an address from connecting to my computer. The root of this address is 'rasejo.cn', a Chinese site which is know to be associated with Malware.
2. Blocks an object from ...moneyuk.exe, which has a Russian IP.
3. Identifies a malicious object in my temp. folder (svchost.exe)

The first problem was to start up the computer in safe mode. I was able to access the screen showing this option, but after chossing safe mode, I would see a list of script, a blue screen with an error message which was flashed too briefly to be legible, and then the computer would automatically restart. So, I had to start in normal mode, then run msconfig, then select the diagnostic start-up option, then restart.

In this mode, I ran Smitfraudfix following the instructions from the site. I then tried to empty my temporary folders, but there is one file I cannot delete; 'Perflib_Perfdata_214'. What is this file? Should I or can I delete it?

In addition, new folders keep being created in my temporary foldes. These folders are empty, and have random names made up of four letters, like crhg.tmp., eqvn.tmp, crtb.tmp, etc. I think they are created whenever I restart my computer, and I assume they are associated with the virus somehow.

After doing everything I should, I have only a few minutes before the constant warning messages from Nod32 return. I can't seem to get rid of this virus. Please help!


EDIT 1; p.s. I think this virus came either from an email from a friend, which when I opened seemed to be some kind of ad, but I didn't open any links or attachments. Or, it came from a link I followed on a site offering fonts. When I searched this site, lots of windows opened up. I had to shut down, as I couldn't close any of them.I didn't download anything from there either. I can't think where else this virus came from.

EDIT 2; I tried again to follow the instructions on removing this virus. (I then got a warning message about an Olmarik virus.) Inside my temp folders were two perflib_perdata files. All was deleted, a restart was necessary, so I tried to restart and now I get to the screen which gives me the option to start in safe mode, which i choose, but it then goes to a bluescreen, dies and restarts all over again, ad infinitum.

Misery! :)

Edited by salliphane, 02 January 2010 - 11:43 AM.

  • 0


Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP