 

Zlob.GEN fix, get rid of the virus Zlob.GEN

Virus Information  

The Zlob.gen virus has many variants. We are not going to explain the particularities of each variant; we show only the sections you need to know.

This worm tries to communicate with one of these addresses: http://nx.51ylb.cn/soft, securitypills.com, http://33.xingaide8.cn, gateow.com, www.gatecb.com, and tries to download files to the local disk.

This virus also changes Internet Explorer's parameters.

Some variants:

  • Trojan.DL.Zlob.Gen.34 [PCTools]
  • Trojan-Downloader.Zlob.GEN [PCTools]
  • Trojan.DL.Zlob.Gen!Pac.45 [PCTools]
  • New Poly Win32 [McAfee]
  • New Malware.aj [McAfee]
  • Puper [McAfee]
  • TROJ_ZLOB.TH [Trend Micro]
  • WORM_NUCRYPT.GEN [Trend Micro]

 

 
File  

Created files:

  • <System>\sbsm.exe
  • <System>\sbmdl.dll
  • <System>\4E17C240.EXE
  • <System>\3C7780C0.DLL
  • <System>\3C7780C0.DLL (module….)
  • <System>\del.bat
  • <System>\scm.exe
  • <Partition>:\auto.exe
  • <Partition>:\autorun.inf
 
Process  

Processes in memory

  • sbsm.exe
  • sbmdl.dll
  • 4E17C240.EXE
  • scm.exe

Services

  • ERSvc (Error Reporting Service)
  • F188AD40 (F188AD40)

 

 
Registry  

The registry keys below are created or altered:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}]
      • MenuText = IE Anti-Spyware
      • Exec = http://www.iefixgate.com/redirect.php
      • CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}\InprocServer32]
      • (Default) = <System>\sbmdl.dll
      • ThreadingModel = Apartment
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}]
      • xxx = xxx
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}]
      • (Default) = ""
    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
      • {9034A523-D068-4BE8-A284-9DF278BE776E} = 0x00002001
    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}]
      • DisplayName = "Search"
      • URL = "http://www.searchinggate.com/index.php?b=1&t=0&q={searchTerms}"
    • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
      • DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
      • start = [directory name.exe]
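
The following triage script is an added example, not part of the original page or of any Net Studio tool: it scans the text of a registry export (.reg file, assumed already decoded to text) for the keys and values listed above. The function name, the sample export and the C:\WINDOWS\system32 path are constructed for illustration.

```python
import re

# Registry indicators copied from the "Registry" section of this page.
KEY_INDICATORS = {
    r"\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}": "IE extension entry",
    r"\CLSID\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}": "COM class registered for sbmdl.dll",
    r"\Browser Helper Objects\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}": "Browser Helper Object",
    r"\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}": "added search scope",
}
VALUE_INDICATORS = ("sbmdl.dll", "iefixgate.com", "searchinggate.com",
                    "{9034A523-D068-4BE8-A284-9DF278BE776E}",
                    "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}")
SECTION = re.compile(r"^\[(.+)\]$")

def scan_reg_export(text):
    """Return sorted (key, reason) pairs for indicators found in a decoded .reg export."""
    findings, key = set(), None
    for line in (raw.strip() for raw in text.splitlines()):
        section = SECTION.match(line)
        if section:
            key = section.group(1)  # remember which key the following values belong to
            for suffix, label in KEY_INDICATORS.items():
                if suffix.lower() in key.lower():
                    findings.add((key, "key: " + label))
        elif key and "=" in line:
            # Value line: match on name and data together (CmdMapping uses the GUID as a name).
            for needle in VALUE_INDICATORS:
                if needle.lower() in line.lower():
                    findings.add((key, "value references " + needle))
    return sorted(findings)

# Constructed sample export (not captured from a real machine); the system path is assumed.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}\InprocServer32]
@="C:\\WINDOWS\\system32\\sbmdl.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""

if __name__ == "__main__":
    for key, reason in scan_reg_export(SAMPLE):
        print(f"{reason}\n    {key}")
```

Files written by regedit or reg export are normally UTF-16, so decode them before passing the text to the function.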

       

 
WARNING  

Never, never reply to an application that you have not installed or launched, especially if it tells you to download another program from the Internet. Here, the virus tells us that our system is probably infected and tries to coax us into downloading another program to get rid of the detected virus.
PAY ATTENTION.

Never, never, never click on OK.
OK?

Instructions on how to restart your computer in safe mode.

COPYRIGHT (C) 2008 NET STUDIO, ALL RIGHT RESERVED