WTF is zzb.exe - it is a newer trojan/adware "ADWARE-AGold.dldr", but antiviruses are failing [updated AGAIN WITH FIX]

Beau

Lifer
Jun 25, 2001
17,730
0
76
www.beauscott.com
Update: 3/4

I've downloaded and installed and run SB S&D, doesn't detect it, nor does Ad-Aware. Bazooka shows that it's active, but the removal instructions are useless because of how the computer is infected. Panda catches a trojan (py.exe = Trj.Small) that is being called from this program, but doesn't disinfect the computer from zzb.exe. Also have downloaded and run hijackthis and there are no references in it that point to any of the files below.

So I've started to document the pathology of this virus/malware.

Symptoms:

Process list shows "zzb.exe" running
Popup application windows reading "dwn", "done", and/or "ibn chris"
Slow searches in IE on Google with irrelevant results (Lots of links to other search engines)
Repeated attempts to access the domain "tool4ame.com"


Known Files associated:
c:\windows\system32\zzb.exe
c:\windows\system32\py.exe
c:\windows\system32\mslib.dat
c:\windows\system32\mslink32.dat
c:\windows\system32\mslink32.exe
c:\windows\system32\mstbl.ocx
c:\windows\msbb.exe

I realize that most of the files above are related to IELoader, but zzb seems to be an autoloader for it.

If I clean the computer of the files above, the app doesn't run at all. But, as soon as I open Internet Explorer, the files are created. Then when I close an IE window, zzb.exe is run. An "OK" box with the word "dwn" appears; 'x'ed or clicked, the box disappears, and a few seconds later another OK box pops up reading "done." When clicked, one more appears reading "ibn chris." Also while executing, it attempts to access "tool4ame.com".

Registry settings are created for the IELoader related files, but none for py.exe or zzb.exe, so I'm having a helluva time finding where it's being called from, which is why I believe it to be an ActiveX control, and it's calling it when IE runs its cleanup. Another piece of evidence that it is an ActiveX control is that if I disable 3rd party extensions through the Internet Settings control panel, it is not initialized.

Any thoughts where I can check now?

[update]

Fixed!


Look below for my fix-it script.
 

Beau

Seriously? I've downloaded hijackthis and removed all registry entries pointing to it... I've scanned my hard disk to get rid of it, Adware doesn't pick it up, Panda AV doesn't pick it up.
 

Beau

Originally posted by: Pepsi90919
a virus, dumbass?

no crap asshole.
Which is why I'm trying to get rid of it.
 

Cougar

Golden Member
Feb 26, 2000
1,761
0
0
Originally posted by: Beau
Seriously? I've downloaded hijackthis and removed all registry entries pointing to it... I've scanned my hard disk to get rid of it, Adware doesn't pick it up, Panda AV doesn't pick it up.


Have you tried running Spybot Search and Destroy? It might not hurt to run another program to pick up the stuff that Ad-Aware missed. Also, if that doesn't work then maybe try turning up your virus/firewall settings?
 

Beau

Originally posted by: Cougar
Originally posted by: Beau
Seriously? I've downloaded hijackthis and removed all registry entries pointing to it... I've scanned my hard disk to get rid of it, Adware doesn't pick it up, Panda AV doesn't pick it up.


Have you tried running Spybot Search and Destroy? It might not hurt to run another program to pick up the stuff that Ad-Aware missed. Also, if that doesn't work then maybe try turning up your virus/firewall settings?

Search and Destroy doesn't catch it, Ad-Aware doesn't catch it. Bazooka reports it, but the removal instructions don't work (it just comes back again). My firewall is locked down.

GRRRRR!!!!
 

aircooled

Lifer
Oct 10, 2000
15,965
1
0
Use M4H's link to manually remove it.
I regularly check my registry for auto-starting programs no matter what the 'spyware removers' and antivirus programs say.
 

Ausm

Lifer
Oct 9, 1999
25,213
14
81
Sounds like a nasty backdoor Trojan similar to one I got off IRC. I tried everything but I was fvcked...:( Format C kicked its ass
:D


Sysadmin
 

Beau

Originally posted by: aircooled
Use M4H's link to manually remove it.
I regularly check my registry for auto-starting programs no matter what the 'spyware removers' and antivirus programs say.

As I said, I tried the manual method, but it doesn't work because it's not just being loaded through the registry.
 

Beau

Originally posted by: Sysadmin
Sounds like a nasty backdoor Trojan similar to one I got off IRC. I tried everything but I was fvcked...:( Format C kicked its ass
:D


Sysadmin


I really would like to avoid it.

Is there a way to list all registered ActiveX Components and their related files?
 

Farfrael

Senior member
Mar 6, 2002
312
0
0
Don't know how to get rid of it ...
But once you do you might want to try Firefox or Mozilla
 

XZeroII

Lifer
Jun 30, 2001
12,572
0
0
check your IE file. Make sure it wasn't replaced, or that your shortcuts are going to the right place.
 

Ness

Diamond Member
Jul 10, 2002
5,407
2
0
Originally posted by: Beau
Originally posted by: aircooled
Use M4H's link to manually remove it.
I regularly check my registry for auto-starting programs no matter what the 'spyware removers' and antivirus programs say.

As I said, I tried the manual method, but it doesn't work because it's not just being loaded through the registry.

Go to Start >> Run >> type "MSConfig" and click the Startup tab. Somewhere under there, you should see a launch program. Turn it off and it can't open. As per the instructions on the link M4H gave, there is no point where you actually prevent it from running at startup... so it's constantly running every time you think you make changes, and updating itself. Make sure before you turn it off that you hit CTRL+ALT+DEL and kill the process for the program if it is currently running.

If this solution doesn't work, it's possible that you've picked up some variation of it where the file names are different.
 

Ausm

Originally posted by: Beau
Originally posted by: Sysadmin
Sounds like a nasty backdoor Trojan similar to one I got off IRC. I tried everything but I was fvcked...:( Format C kicked its ass
:D


Sysadmin


I really would like to avoid it.

Is there a way to list all registered ActiveX Components and their related files?


Good question! I will try to locate one for you.

Sysadmin
 

Cougar

Originally posted by: Beau
I really would like to avoid it.

Is there a way to list all registered ActiveX Components and their related files?


I don't know if this will help, but if you go to Internet Options then click on Settings underneath Temporary Internet Files and finally click on View Objects you'll get a list of installed components (shockwave, activeX etc...). For example in mine I have a few entries and if I view the properties of any of them it will tell me what kind of file it is (they all say activeX Control for me) and then it will tell you what files the activeX control depends on.

I have no idea if that will help you at all but maybe it can lead you in the right direction.
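The three things the thread keeps circling (aircooled's habit of checking the registry autostart keys, Ness's MSConfig Startup tab, and Beau's question about listing registered ActiveX components and the files behind them) can be done in one read-only pass from the registry. The script below is an added triage example, not something posted in the thread or shipped by any of the tools named in it, and it uses PowerShell, which did not exist when the thread was written. The only thread-specific data in it is the list of file names from the first post; the registry locations are the standard Windows ones for Run/RunOnce values, Browser Helper Objects, and COM class registration (InprocServer32/LocalServer32), and the class enumeration covers HKCU as well as HKLM because a per-user COM registration would not show up in the machine-wide list Cougar describes.

```powershell
# Added triage example (not from the thread). Read-only: lists autostart
# entries and registered COM/ActiveX classes, resolves each to the file that
# implements it, and flags files named in the original post. Run in an
# elevated PowerShell on the affected machine.

# File names taken from the first post's "Known Files associated" list.
$SuspectFiles = @('zzb.exe','py.exe','mslib.dat','mslink32.dat',
                  'mslink32.exe','mstbl.ocx','msbb.exe')

function Test-Suspect {
    # True if any suspect file name appears in the path/command line.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($name in $SuspectFiles) {
        if ($Path -match [regex]::Escape($name)) { return $true }
    }
    return $false
}

function Resolve-ComServer {
    # Map a CLSID to the DLL/OCX (InprocServer32) or EXE (LocalServer32)
    # registered for it, checking the per-user hive before the machine hive,
    # which is the precedence COM itself uses. Returns $null if unregistered.
    param([string]$Clsid)
    foreach ($root in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $key = "$root\$Clsid\$sub"
            if (Test-Path $key) {
                $server = (Get-ItemProperty -Path $key).'(default)'
                if ($server) { return $server }
            }
        }
    }
    return $null
}

$Findings = @()

# 1. Run / RunOnce values: the entries MSConfig's Startup tab is built from.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $Findings += [pscustomobject]@{
            Source = $key; Name = $prop.Name; File = $prop.Value
            Suspect = Test-Suspect $prop.Value
        }
    }
}

# 2. Browser Helper Objects: loaded into every IE process, so a payload that
#    only appears when IE opens or closes is worth looking for here.
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $BhoKey) {
    foreach ($bho in Get-ChildItem -Path $BhoKey) {
        $file = Resolve-ComServer $bho.PSChildName
        $Findings += [pscustomobject]@{
            Source = 'BHO'; Name = $bho.PSChildName; File = $file
            Suspect = Test-Suspect $file
        }
    }
}

# 3. Every registered COM class (the general answer to "list all registered
#    ActiveX components and their files"), kept only where the server file
#    matches the suspect list so the output stays readable.
foreach ($root in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
    if (-not (Test-Path $root)) { continue }
    foreach ($cls in Get-ChildItem -Path $root) {
        $file = Resolve-ComServer $cls.PSChildName
        if (Test-Suspect $file) {
            $Findings += [pscustomobject]@{
                Source = $root; Name = $cls.PSChildName; File = $file; Suspect = $true
            }
        }
    }
}

$Findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Flagged rows give the CLSID or Run value to remove and the file it points at; because the thread reports files being recreated when IE runs, comparing two runs of the script (before and after opening and closing IE) shows which registrations reappear and is more informative than a single snapshot.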