Author Topic: How I fought Win32:Zlob.AB(?)  (Read 3073 times)


kloki

How I fought Win32:Zlob.AB(?)
« on: January 02, 2006, 09:05:15 PM »
I've faced a Zlob.ab (according to Avast) trojan infection.

1. The virus was detected by Avast antivirus when scanning memory. The file named ld????.tmp was in the system32 folder. Avast should have deleted the file, but it didn't. What is worse, it didn't even say that it was not able to delete it, since it was in use. A startup scan was recommended. In this scan the file was removed, but another one was generated with a different name after Windows loaded.

2. I used EMCO Malware Remover to remove the trojan. It reported that the trojan was removed, but Avast still found the trojan in the system32 folder under the .tmp extension. So it was still there.

3. I used the Symantec Zlob.b description to get some hints on where to find that shi*. Went through the registry and cleared suspicious entries in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. It didn't help completely. I used the "Ultimate Process Manager" (free tool) to examine running processes. It also checks all the registry entries where trojans reside. In "\policies\explorer\run" there was an "undeletable" (it always came back) entry "wininet.dll=mscornet.exe", which launched the trojan.

5. In boot mode I replaced explorer.exe (Symantec says Zlob is injected into this, but I don't know if Zlob.ab is) and removed mscornet.exe from the system32 folder. Now the computer seems to be clean.
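As an added example (not from the thread or from any of the tools mentioned), a read-only PowerShell check over the three autorun locations kloki lists. It reports what each entry launches and whether the target file exists and carries a valid Authenticode signature, so an entry like "wininet.dll=mscornet.exe" pointing at an unsigned file in system32 stands out without deleting anything. The function and variable names are my own.

```powershell
# Added example, not from the thread: read-only survey of the autorun locations the post
# names. Reports what each entry launches and whether that file is Authenticode-signed.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# Winlogon holds many values; only these launch programs at logon.
$WinlogonLaunchValues = 'Shell', 'Userinit', 'Taskman'

function Resolve-CommandPath {
    param([string]$Command)
    # Take the executable part of a command line (quoted path or first token),
    # expand %SystemRoot%-style variables, then look in the usual Windows folders.
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $candidates = @($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $candidates += (Join-Path $env:SystemRoot $exe), (Join-Path $env:SystemRoot "System32\$exe")
    }
    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c -PathType Leaf) { return (Resolve-Path -LiteralPath $c).Path }
    }
    return $null
}

function Get-AutorunReport {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell metadata, not a registry value
            if ($key -like '*Winlogon' -and $p.Name -notin $WinlogonLaunchValues) { continue }
            # Userinit is a comma-separated list of commands (usually with a trailing comma).
            foreach ($cmd in ("$($p.Value)" -split ',' | Where-Object { $_.Trim() })) {
                $path = Resolve-CommandPath $cmd.Trim()
                $status = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'MISSING' }
                [pscustomobject]@{
                    Key       = $key
                    Name      = $p.Name
                    Command   = $cmd.Trim()
                    Target    = $path
                    Signature = $status   # anything other than 'Valid' deserves a look
                }
            }
        }
    }
}

Get-AutorunReport | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a value whose Target is MISSING or whose Signature is NotSigned is the kind of entry the post describes, and is worth checking against the process list before touching the registry.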

Offline FreewheelinFrank

Re: How I fought Win32:Zlob.AB(?)
« Reply #1 on: January 03, 2006, 11:19:19 AM »
Hi kloki,

mscornet.exe is part of a PSGuard infection and there's a removal tool called SmitRem:

http://forum.avast.com/index.php?topic=17172.msg147210#msg147210

Recommend you run it just to check there's no junk left.

Ewido anti-Trojan scanner is good at cleaning process injecting Trojans.  ;D

avast! is not.  >:(