Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

win32/zlob.afn trojan downloader

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

win32/zlob.afn trojan downloader

Unread postby toolman_fixit » May 17th, 2009, 1:45 am

Hi all, my first time here so don't be too hard on me if I do something wrong. I run XP pro sp2. I did a windows malicious software tool scan (full scan,2 hours) on my computer and it found one file infected which is listed above,but could not remove it. However I did mulitiple scans with Ad - Aware , Spybot , Nod 32 antivirus and they all came back clean. I did search it on the net but couldn't find anything I could trust as some say it is a false positive and others say it is something to worry about. I did a search on my computer but could not find it??? I also did a search on this site and could not find it.here is my hijack log. thanks for any help.Also I have 23 different location for iexplore.exe and yes it does run in task manager when I am not using internet explorer. I will try and post the locations for iexplore.exe after the hijack log. I tried "techguy support" but my post has been sitting there for 2 days without any help and I fear my computer is getting worse.THANKS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:59 AM, on 17/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
E:\Program Files\Eset\nod32kui.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
E:\Program Files\Stardock\Object Desktop\WindowFX\wfxload.exe
E:\Program Files\MagicTune Premium\MagicTuneEngine.exe
E:\Program Files\CursorXP\CursorXP.exe
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\CyberLink\Shared Files\RichVideo.exe
E:\Program Files\Sygate\SPF\smc.exe
E:\Program Files\MagicTune Premium\GammaTray.exe
E:\Program Files\WallMaster\wallmast.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
E:\Program Files\UPHClean\uphclean.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\Program Files\MagicTune Premium\MagicTune.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Explorer Rick
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - E:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - E:\Program Files\WinAVI FLV Converter\FLVTune.dll
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ioloDelayModule] E:\Program Files\iolo\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] E:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] E:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "E:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [STYLEXP] E:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [WindowFX] E:\Program Files\Stardock\Object Desktop\WindowFX\\wfxload.exe
O4 - HKCU\..\Run: [CursorXP] E:\Program Files\CursorXP\CursorXP.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O8 - Extra context menu item: &Download FLV by WinAVI... - E:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - E:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - E:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3539721532
O20 - Winlogon Notify: hgGwUnNG - hgGwUnNG.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - E:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: MagicTuneEngine - Unknown owner - E:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown owner - E:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - E:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 8543 bytes
NOW for the iexplore.exe locations
iexplore.exe E:\program files\internet explorer
iexplore.exe.mui E:\program files\internet explorer
iexplore.exe E:\WINDOWS\$NTServicePackUninstall$
iexplore.exe E:\WINDOWS\ie7
iexplore.exe E:\WINDOWS\ie8
IEXPLORE.EXE 27122324.pf E:\WINDOWS\Prefetch
iexplore.exe.mui E:\program files\internet explorer\en-US
iexplore.exe E:\WINDOWS\ie7updates\KB956390-IE7
iexplore.exe.000 E:\WINDOWS\ie7updates\KB956390-IE7
iexplore.exe E:\WINDOWS\ie7updates\KB958215-IE7
iexplore.exe.000 E:\WINDOWS\ie7updates\KB958215-IE7
iexplore.exe E:\WINDOWS\ie7updates\KB961260-IE7
iexplore.exe E:\WINDOWS\ie7updates\KB963027-IE7
iexplore.exe E:\WINDOWS\ServicePackFiles\i386
iexplore.exe E:\WINDOWS\system32\dllcache
iexplore.exe E:\WINDOWS\$hf_mig$\KB956390-IE7\SP2QFE
iexplore.exe E:\WINDOWS\$hf_mig$\KB958215-IE7\SP2QFE
iexplore.exe E:\WINDOWS\$hf_mig$\KB961260-IE7\SP2QFE
iexplore.exe E:\WINDOWS\$hf_mig$\KB963027-IE7\SP3QFE
iexplore.exe E:\WINDOWS\SoftWare Distribution\Download\(a long number)\SP2GDR
iexplore.exe E:\WINDOWS\SoftWare Distribution\Download\(a long number)\SP2QFE
iexplore.exe E:\WINDOWS\SoftWare Distribution\Download\(a long number)\SP2GDR
iexplore.exe E:\WINDOWS\SoftWare Distribution\Download\(a long number)\SP2QFE

SORRY but it would take forever to wright down that number for software distribution\download
toolman_fixit
Active Member
 
Posts: 3
Joined: May 17th, 2009, 12:52 am
Advertisement
Register to Remove

Re: win32/zlob.afn trojan downloader

Unread postby toolman_fixit » May 17th, 2009, 6:58 pm

BUMP
toolman_fixit
Active Member
 
Posts: 3
Joined: May 17th, 2009, 12:52 am

Re: win32/zlob.afn trojan downloader

Unread postby NonSuch » May 17th, 2009, 10:27 pm

http://forums.techguy.org/malware-remov ... b-afn.html

Please exercise patience and do not keep bumping your topic at Tech Support Guy forums. Bumping your topic only serves to raise the number of posts in the topic, which makes it appear that you have received help when you have not. Wait for a response. If your situation is emergent and you do not feel that you can wait, then you should take your computer to a trusted local shop and have it fixed.

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.

This topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 263 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware