Author Topic: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....

BJS

  • Guest
.....mean I have a virus? Or is it just a warning?    ???


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #1 on: December 30, 2007, 09:48:35 PM »
Can you say what the infected file name is and where it was found (C:\windows\system32\infected-file-name.xxx)?
What avast! version and virus database are you using? (See the About dialog of avast!)

Probably you were infected. Hopefully avast caught the virus...
The best things in life are free.

BJS

  • Guest
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #2 on: December 30, 2007, 09:59:24 PM »
I have avast! 4.7 Home Edition and VPS file version 071230-0.

Here is what the avast! log showed:

9/27/2007 3:14:05 PM   SYSTEM   1260   Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe" file. 
9/27/2007 3:14:28 PM   SYSTEM   1260   Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe" file. 
9/27/2007 3:14:49 PM   SYSTEM   1260   Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe" file. 
9/27/2007 3:15:33 PM   SYSTEM   1260   Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe" file. 
9/27/2007 3:15:56 PM   SYSTEM   1260   Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe" file. 
9/29/2007 12:33:09 PM   SYSTEM   1296   AAVM - scanning warning: x_AavmCheckFileDirectEx: http://software-files.download.com/sd/LR0W3kr5xIo-uoVQnzUYPedw-p8qwoEF5yqUvxHhxpYuxaFRbf5h_xEbRvQIZgtpDryRQpLJCjVFibfwmJk0mJ3m4cqSVMUM/software/10735760/10429299/3/tvc.exe?ptype=3001&ontid=20&siteId=4&edId=3&pid=10735760&psid=10429299 (C:\WINDOWS\TEMP\_avast4_\unp48721646.tmp) returning error, 00000084. 
10/4/2007 9:33:50 PM   SYSTEM   1280   Sign of "Win32:Adware-gen. [Adw]" has been found in "http://ak.exe.imgfarm.com/images/nocache/funwebproducts/2.2.60.11/WebfettiSetup2.2.60.11-2.exe\mwsSetup.CommonCodebase.exe" file. 
10/5/2007 10:06:45 AM   SYSTEM   1280   Sign of "Win32:Delf-RT [trj]" has been found in "http://download.avicodecpack.com/AVICodecPackPlus2.exe\$SYSDIR\pxwma.dll" file. 
12/3/2007 6:14:12 PM   SYSTEM   1300   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011. 
12/3/2007 6:14:13 PM   SYSTEM   1300   An error has occured while attempting to update. Please check the logs. 
12/3/2007 6:24:37 PM   SYSTEM   1216   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011. 
12/3/2007 6:26:06 PM   SYSTEM   1296   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011. 
12/3/2007 6:26:07 PM   SYSTEM   1296   An error has occured while attempting to update. Please check the logs. 
12/3/2007 6:28:51 PM   SYSTEM   1220   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011. 
12/3/2007 6:28:52 PM   SYSTEM   1220   An error has occured while attempting to update. Please check the logs. 
12/3/2007 8:58:49 PM   SYSTEM   1196   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011. 
12/3/2007 8:58:50 PM   SYSTEM   1196   An error has occured while attempting to update. Please check the logs. 
12/3/2007 9:03:55 PM   SYSTEM   1300   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011. 
12/3/2007 9:04:02 PM   SYSTEM   1300   An error has occured while attempting to update. Please check the logs. 
12/3/2007 9:14:01 PM   SYSTEM   1248   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011. 
12/3/2007 9:14:04 PM   SYSTEM   1248   An error has occured while attempting to update. Please check the logs. 
12/18/2007 11:26:56 AM   Billy & Phoebe   1284   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\InstallShield Installation Information\{747C231B-062D-4586-8221-8E7870987D5B}\setup.ilg (C:\Program Files\InstallShield Installation Information\{747C231B-062D-4586-8221-8E7870987D5B}\setup.ilg) returning error, 00000005. 
12/21/2007 6:36:53 PM   SYSTEM   1300   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
12/21/2007 6:36:53 PM   SYSTEM   1300   An error has occured while attempting to update. Please check the logs. 
12/25/2007 10:58:35 AM   SYSTEM   1188   Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142. 
12/25/2007 10:58:37 AM   SYSTEM   1188   An error has occured while attempting to update. Please check the logs. 
12/30/2007 1:21:22 PM   SYSTEM   1128   Sign of "Win32:Zlob-AHS [trj]" has been found in "http://avsmanufacture.com/download.php?id=4170\$INSTDIR\$PLUGINSDIR\barf.dll" file. 

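As an added example (not code from the thread, from avast! or from any of the posters), here is a small Python parser for the avast! 4 log format quoted above. It separates Web Shield hits whose location is a URL (the download was scanned in transit, which is the point Lisandro makes next) from detections on a local path and from the update failures. The sample lines are constructed from the thread's format; the last one, with a disk path, is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in the avast! 4 log format quoted in the thread; the last
# line (a detection on a local path) is hypothetical, the rest mirror the thread.
SAMPLE_LOG = r"""9/27/2007 3:14:05 PM   SYSTEM   1260   Sign of "Win32:Renos-AF [trj]" has been found in "http://scanner.malwarealarm.com/aswp/Install-bmVhcmNhbGw-Y3I1X2ludGw-MQ.exe" file.
12/3/2007 6:14:12 PM   SYSTEM   1300   Function setifaceUpdatePackages() has failed. Return code is 0x20000011, dwRes is 20000011.
12/18/2007 11:26:56 AM   Billy & Phoebe   1284   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Program Files\x\setup.ilg (C:\Program Files\x\setup.ilg) returning error, 00000005.
12/30/2007 1:21:22 PM   SYSTEM   1128   Sign of "Win32:Zlob-AHS [trj]" has been found in "http://avsmanufacture.com/download.php?id=4170\$INSTDIR\$PLUGINSDIR\barf.dll" file.
12/31/2007 9:00:00 AM   SYSTEM   1128   Sign of "Win32:Fake-Z [trj]" has been found in "C:\WINDOWS\system32\evil.dll" file.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s{2,}"
    r"(?P<user>.+?)\s{2,}(?P<pid>\d+)\s{2,}(?P<msg>.*?)\s*$")
SIGN_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<loc>[^"]+)" file\.')
UPD_RE = re.compile(r"Function (?P<fn>\w+)\(\) has failed\. Return code is (?P<code>0x[0-9A-Fa-f]+)")

@dataclass
class Event:
    ts: str
    kind: str                         # web_block | disk_hit | update_fail | other
    signature: Optional[str] = None
    host: Optional[str] = None        # web_block: site the download came from
    inner_path: Optional[str] = None  # web_block: component inside the download
    path: Optional[str] = None        # disk_hit: file already on disk
    code: Optional[str] = None        # update_fail: return code

def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line)
    if not m:
        return None
    s = SIGN_RE.search(m["msg"])
    if s:
        loc = s["loc"]
        if loc.lower().startswith(("http://", "https://")):
            # Web Shield scanned the download in transit: the URL is its origin and
            # anything after the first backslash is the archive member that matched.
            url, _, inner = loc.partition("\\")
            return Event(m["ts"], "web_block", s["sig"],
                         host=urlsplit(url).hostname, inner_path=inner or None)
        return Event(m["ts"], "disk_hit", s["sig"], path=loc)  # already on disk
    u = UPD_RE.search(m["msg"])
    if u:
        return Event(m["ts"], "update_fail", code=u["code"])
    return Event(m["ts"], "other")

def triage(log_text: str) -> dict:
    # Which sites served malware, what (if anything) landed on disk, and
    # whether the virus database updates are failing.
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"blocked_hosts": sorted({e.host for e in events if e.kind == "web_block"}),
            "on_disk": [(e.signature, e.path) for e in events if e.kind == "disk_hit"],
            "update_failures": sum(e.kind == "update_fail" for e in events)}
```

A log with only `web_block` entries (as in the thread) means the downloads were stopped before they ran; a `disk_hit` entry is the case that warrants a full scan.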

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #3 on: December 30, 2007, 10:03:52 PM »
You're visiting a site that is infected.
Clean your temporary files and don't go to that site.

BJS

  • Guest
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #4 on: December 30, 2007, 10:07:34 PM »
OK, Sorry.. :(

BJS

  • Guest
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #5 on: December 30, 2007, 10:20:04 PM »
Tech,
Does that mean that my PC is not infected?  ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34067
  • malware fighter
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #6 on: December 30, 2007, 10:26:51 PM »
Hi BJS,

I think you are not, because avast alerted when the trojan tried to act. But you can check whether your system has it using this removal tool; you can download it from here:
http://wirusy.antivirenkit.pl/en/szczepionki/Zlob.html

Run it, and when it says that it has not been found on your computer, you don't have it.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #7 on: December 30, 2007, 10:28:51 PM »
Tech,
Does that mean that my PC is not infected?  ???
Follow Polonus's advice... on-line scanning with Kaspersky or BitDefender will be good too.

BJS

  • Guest
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #8 on: December 31, 2007, 03:49:02 AM »
Thanks Polonus and Tech,
I ran the three programs you recommended and I did have a virus (ADWARE.BHO.WQB).
Bit Defender detected the virus but could not disinfect it.
It deleted the virus but the update failed.
What does this mean exactly?  ???


CharleyO

  • Guest
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #9 on: December 31, 2007, 06:14:54 AM »
***

Just for information, here are a couple of links for information on avsmanufacture.com ...

http://g.s.scandoo.com/search?hl=en&meta=on&q=avsmanufacture.com

It might be a good idea in the future when you want to visit a site (that you are not already familiar with) to check the site through the use of ScanDoo as I have in the above link.

Below are 2 links I acquired from the search above ...

http://www.trustedsource.org/TS?do=feedback&subdo=query&q=avsmanufacture.com

http://www.trustedsource.org/TS?do=feedback&subdo=query&q=85.255.120.109

The site provides a fake video codec, where you get a nasty surprise instead.


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34067
  • malware fighter
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #10 on: December 31, 2007, 12:16:35 PM »
Hi BJS,

Download: RVAXO.exe from here:
http://home.hetnet.nl/~stefsmeenk/RemoveVideoActiveXObject.exe

* Save the file onto your desktop, double-click it and choose "Unzip" to unpack it.
* Then a folder RVAXO will open on your desktop and you must double-click RVAXO.cmd.
* A cmd-window will open, where you see some sentences about files not found fly by quickly; this is normal procedure.
* Also an uninstaller for a rogue scanner will start up; do not close it, follow the instructions and/or let it run.
* Now your PC will reboot; after the reboot the cmd-window of RVAXO will open again.
  Let it run and wait for a logfile to open: C:\RVAXO-results.log
* If your computer won't restart on its own, or the tool won't restart after the reboot, reboot manually.
* Post the contents of the logfile in your next posting (or in more postings) together with the contents of a HijackThis logfile.


polonus

P.S. RVAXO may be flagged by some av as an intrusion tool shutdown11, but you installed it yourself, so it is not riskware but necessary for cleansing.

Damian
« Last Edit: December 31, 2007, 12:23:10 PM by polonus »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #11 on: December 31, 2007, 03:40:26 PM »
Bit Defender detected the virus but could not disinfect it.
You mean the on-line version?
Did you try other antitrojan tools (AVG, SuperAntispyware, SpywareTerminator)?

It deleted the virus but the update failed.
Which update?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34067
  • malware fighter
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #12 on: December 31, 2007, 06:07:37 PM »
Hi Tech,

While he was infected by opening a fake codec, and I linked a removal tool for it, I suppose that after running the tool his computer should be clean; just wait for the results,

pol

BJS

  • Guest
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #13 on: December 31, 2007, 10:54:50 PM »
Thanks Polonus

Here are the results of the RVAXO log and, below that, the HijackThis log.

RVAXO results:


----------------RVAXO.exe first run-------------
 
Files found:
 
 
Uninstallers Rogue scanners:
 
 
Folders Found:
 
 
Hosts-file was reset, If you use a custom hosts file please replace it...
 
--------------RVAXO.exe last run---------------
 
Files found:
 
Folders Found:
 
--------------RVAXO.exe finished----------------

HijackThis results:


Logfile of HijackThis v1.99.1
Scan saved at 3:49:26 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/ig?hl=en
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1190079721687
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34067
  • malware fighter
Re: Does this......"sign of win32:Zlob-ahs [trj]* has been found in"....
« Reply #14 on: January 01, 2008, 02:09:32 AM »
Hi BJS,

Everything seems fine now. Pre-scan your video codecs in advance using the DrWeb AV hyperlink scanner plug-in, from here: http://www.freedrweb.com/browser/
You can use it in the IE, FF and Opera browsers. I wish you a malware-free 2008,

polonus
