Update: 3/4
I've downloaded, installed and run SB S&D; it doesn't detect it, nor does Ad-Aware. Bazooka shows that it's active, but the removal instructions are useless because of how the computer is infected. Panda catches a trojan (py.exe = Trj.Small) that is being called from this program, but doesn't disinfect the computer from zzb.exe. I've also downloaded and run HijackThis and there are no references in it that point to any of the files below.
So I've started to document the pathology of this virus/malware.
Symptoms:
Process list shows "zzb.exe" running
Popup application windows reading "dwn", "done", and/or "ibn chris"
Slow searches in IE on Google with irrelevant results (Lots of links to other search engines)
Repeated attempts to access the domain "tool4ame.com"
Known Files associated:
c:\windows\system32\zzb.exe
c:\windows\system32\py.exe
c:\windows\system32\mslib.dat
c:\windows\system32\mslink32.dat
c:\windows\system32\mslink32.exe
c:\windows\system32\mstbl.ocx
c:\windows\msbb.exe
I realize that most of the files above are related to IELoader, but zzb seems to be an autoloader for it.
If I clean the computer of the files above, the app doesn't run at all. But, as soon as I open Internet Explorer, the files are created. Then when I close an IE window, zzb.exe is run. An "OK" box with the word "dwn" appears; 'x'ed or clicked, the box disappears, and a few seconds later another OK box pops up reading "done." When clicked, one more appears reading "ibn chris." Also while executing, it attempts to access "tool4ame.com".
Registry settings are created for the IELoader related files, but none for py.exe or zzb.exe, so I'm having a helluva time finding where it's being called from, which is why I believe it to be an ActiveX control, and it's calling it when IE runs its cleanup. Another piece of evidence that it is an ActiveX control is that if I disable 3rd party extensions through the Internet Settings control panel, it is not initialized.
Any thoughts where I can check now?
[update]
Fixed!
Look below for my fix-it script (or click here to go to it)
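The following is an added example written for this page; it is not the poster's fix-it script and not code from any of the tools mentioned. It turns the indicators in the post (the file paths, the process names, the tool4ame.com domain) into an offline sweep over snapshots a responder would already have collected: a directory listing, `tasklist` output, proxy or DNS log lines, and a `.reg` export. The last check follows up the poster's ActiveX theory by correlating Browser Helper Object registrations with the `CLSID\{...}\InprocServer32` path of each registered object, which are the standard Internet Explorer registry locations; the CLSID, the log lines and the listing used as sample input are constructed placeholders, not values from the page.

```python
"""Offline indicator sweep for the zzb.exe / IELoader symptoms (added example).

All inputs are text snapshots, so this runs without touching a live machine.
"""
import re
from pathlib import PureWindowsPath

# Indicators copied from the post.
KNOWN_FILES = {
    r"c:\windows\system32\zzb.exe",
    r"c:\windows\system32\py.exe",
    r"c:\windows\system32\mslib.dat",
    r"c:\windows\system32\mslink32.dat",
    r"c:\windows\system32\mslink32.exe",
    r"c:\windows\system32\mstbl.ocx",
    r"c:\windows\msbb.exe",
}
KNOWN_PROCESSES = {PureWindowsPath(p).name for p in KNOWN_FILES if p.endswith(".exe")}
KNOWN_DOMAIN = "tool4ame.com"


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def find_known_files(listing):
    """Return the indicator paths present in a directory listing."""
    present = {_norm(p) for p in listing}
    return sorted(p for p in KNOWN_FILES if _norm(p) in present)


def find_known_processes(tasklist_text):
    """Pick indicator image names out of `tasklist` output (first column)."""
    found = set()
    for line in tasklist_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() in KNOWN_PROCESSES:
            found.add(parts[0].lower())
    return sorted(found)


def find_domain_hits(log_lines):
    """Return log lines that mention the domain the malware keeps contacting."""
    return [line for line in log_lines if KNOWN_DOMAIN in line.lower()]


# Standard IE locations: BHO registrations list a CLSID; the CLSID's
# InprocServer32 default value names the DLL/OCX that gets loaded into IE.
_SECTION = re.compile(r"^\[(.+)\]$")
_BHO_ENTRY = re.compile(r"Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})$", re.I)
_CLSID_INPROC = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32$", re.I)
_DEFAULT_VALUE = re.compile(r'^@="(.*)"$')


def find_bho_backed_by_known_files(reg_export):
    """Map BHO CLSIDs to their server path when that path is a known file."""
    bho_clsids, inproc, current = set(), {}, None
    for raw in reg_export.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            key = section.group(1)
            current = None
            bho = _BHO_ENTRY.search(key)
            if bho:
                bho_clsids.add(bho.group(1).lower())
            clsid = _CLSID_INPROC.search(key)
            if clsid:
                current = clsid.group(1).lower()
            continue
        value = _DEFAULT_VALUE.match(line)
        if value and current:
            # .reg exports double every backslash inside string values.
            inproc[current] = value.group(1).replace("\\\\", "\\")
    known = {_norm(k) for k in KNOWN_FILES}
    return {c: p for c, p in inproc.items() if c in bho_clsids and _norm(p) in known}


# Constructed sample snapshots (placeholder CLSID, invented log lines).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\ZZB.EXE",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\msbb.exe",
]
SAMPLE_TASKLIST = """Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
explorer.exe                   1204 Console                    0     18,212 K
zzb.exe                        1788 Console                    0      2,440 K
"""
SAMPLE_LOG = [
    "2004-03-04 10:12:01 GET http://tool4ame.com/ 200",
    "2004-03-04 10:12:05 GET http://www.google.com/search?q=test 200",
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="c:\\windows\\system32\\mstbl.ocx"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    print("files:", find_known_files(SAMPLE_LISTING))
    print("processes:", find_known_processes(SAMPLE_TASKLIST))
    print("domain hits:", find_domain_hits(SAMPLE_LOG))
    print("BHOs backed by known files:", find_bho_backed_by_known_files(SAMPLE_REG))
```

Feed it real snapshots by replacing the sample constants with a `dir /s /b` listing, the output of `tasklist`, proxy or DNS logs, and a `reg export` of the BHO and CLSID keys; a BHO whose InprocServer32 resolves to one of the listed files is the registration to look at, since a BHO is loaded whenever IE starts and released when the window closes, which matches the behaviour described above.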