

Vampirefo
Premium,MVM
join:2000-12-11
Huntington, WV
kudos:1

1 edit

reply to hitachi369

Re: ZZB.exe Is it a virus?

It's spyware. It copies itself to System32\zzb.exe, adds itself to Run, then tries to download from »tool4ame.com.

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects new goglue foostringwithmlupd goglue iagold rien error »tool4ame.com/stat2.php?action=ne···ithMLupd ebn criss Goglue key removed done »tool4ame.com/iagold.exe dwn \iagold.exe Identification : Dllpath : Subkey : {1E1B2879-88FF-11D2-8D96-D7ACAC92927F} {1E1B2879-88FF-11D2-8D96-D7ACAC87872F} {1E1B2879-88FF-11D2-8D96-D7ACAC98982F} \InprocServer32 CLSID\ 
--
Spam Officially Legal


interclik

join:2002-11-03
Brossard, QC

HELP! Tell me how to get rid of this zzb CRAP. I tried the VB script posted and STILL it returns. I tried selective starts (msconfig) and miss it. Thanks. Gil



jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

What I'm reading is that it also copies itself to randomly named files and leaves registry entries behind. That's all I know about it at the moment.
--
Regards, Joseph V. Morris



Zupe
Premium,MVM
join:2001-11-29
New York, NY

1 edit

reply to interclik
This one is showing up in about half the Hijack This logs I've seen of late. It's fairly easy to get rid of, but I'll need to see a Hijack This log. Please download Hijack This from here: »www.computercops.biz/downloads-file-328.html . Unzip the files to an actual directory (ex. C:\HJT) then run Hijack This. On the opening screen, click the scan button, then choose save log file, save it somewhere, open the log file with a text editor and copy and paste the contents here.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?


interclik

join:2002-11-03
Brossard, QC

Zupe here is my logfile...
Logfile of HijackThis v1.97.7
Scan saved at 5:42:29 PM, on 3/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\lexbces.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\LEXPPS.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Maximizer\MxFinder.exe
C:\Program Files\Maximizer\MxAlarm.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »interclik.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »www.interclik.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:14000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = »interclik.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 209.68.60.180 www.interclik.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AD1ACCE6-4D2B-6D0F-ECD2-DC3DCCBB60B5} - C:\WINDOWS\system32\iowdnrgq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P32 "EPSON Stylus C42 Series (Copy 1)" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [iobhqqxv] C:\WINDOWS\zvdpfvbz.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [aqbvvcap] C:\WINDOWS\System32\wzwbidyo.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTrace Express\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Documents Expert (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: HushEncryptionEngine - »mailserver1.hushmail.com/shared/···gine.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - »office.microsoft.com/officeupdat···opuc.cab
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - »download.solitaire.com/download/···aire.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···21990741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - »download.microsoft.com/download/···radj.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A344654-2998-4861-87F3-0AD22E23F3CC}: Domain = istop.com



Zupe
Premium,MVM
join:2001-11-29
New York, NY

said by interclik:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {AD1ACCE6-4D2B-6D0F-ECD2-DC3DCCBB60B5} - C:\WINDOWS\system32\iowdnrgq.dll

O4 - HKLM\..\Run: [iobhqqxv] C:\WINDOWS\zvdpfvbz.exe

O4 - HKLM\..\Run: [aqbvvcap] C:\WINDOWS\System32\wzwbidyo.exe

O16 - DPF: HushEncryptionEngine - »mailserver1.hushmail.com/shared/···gine.cab

O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - »download.solitaire.com/download/···aire.cab

Given your user name, I assume all the Interclik items are legitimate. What about this one? O17 - HKLM\System\CCS\Services\Tcpip\..\{7A344654-2998-4861-87F3-0AD22E23F3CC}: Domain = istop.com

With all browser windows closed, rescan with Hijack This, put a check next to the items I quoted above and click "Fix checked" (if the istop.com entry isn't legit, fix that one as well). Reboot, scan again with Hijack This and post a new log here.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?
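
Added example, not part of any post in this thread: a small triage script that picks out the kind of O2 (BHO) and O4 (Run) entries quoted for fixing above, using lines copied from the posted log. The consonant-run threshold, the C:\WINDOWS install path and the function names are assumptions of this sketch; its output is a list of candidates for manual review, not a verdict.

```python
import ntpath
import re

# Sample: a subset of the O2/O4 lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AD1ACCE6-4D2B-6D0F-ECD2-DC3DCCBB60B5} - C:\WINDOWS\system32\iowdnrgq.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [iobhqqxv] C:\WINDOWS\zvdpfvbz.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [aqbvvcap] C:\WINDOWS\System32\wzwbidyo.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumption: Windows is installed in C:\WINDOWS, as in the posted log.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
ENTRY = re.compile(
    r"^O2 - BHO: (?P<label>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$"
    r"|^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<label4>[^\]]+)\] (?P<target4>.+)$")
IMAGE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx)", re.I)

def looks_random(stem):
    """Heuristic (arbitrary threshold): letters only, with 4+ consonants in a row."""
    runs = re.findall(r"[bcdfghjklmnpqrstvwxyz]+", stem)
    return stem.isalpha() and max(map(len, runs), default=0) >= 4

def triage(log_text):
    """Return (section, label, image path) for entries worth a manual look."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        label = m.group("label") or m.group("label4")
        image = IMAGE.search(m.group("target") or m.group("target4"))
        if not image:
            continue
        path = image.group(0)
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        in_system_dir = ntpath.dirname(path).lower() in SYSTEM_DIRS
        # Legitimate entries often name their own file (CTFMON.EXE -> ctfmon.exe).
        if in_system_dir and looks_random(stem) and stem not in label.lower():
            hits.append((line[:2], label, path))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

The script only looks at O2 and O4 lines; the R0/R1/R3 and O16 items quoted above still need to be judged by eye.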


nainai

@dsl.pltn13.pacbell.n

hayY!! i have that bulltwinkie on my computer too!! HELP!!!!! nailovesya@hotmail.com, if i could get some assistance with this ridiculous pop up krap windows that zzb.exe keeps shoveling down my neck, it would be greatly appreciated! thanks.

