Malicious file help

Discussion in 'Malware Help (A Specialist Will Reply)' started by AGreatCook, Feb 22, 2006.

  1. AGreatCook

    AGreatCook Private E-2

I run Windows XP Media Center, Norton Anti Virus 2005 and Zone Alarm Pro on a P4 with 512MB of RAM. I was online at a website and all of a sudden I got multiple warnings from Norton Anti-Virus 2005 saying that Downloader.Trojan was blocked. A few seconds after that I got 2 or 3 messages from Zone Alarm asking permission for "Loader for you" to access the internet. I had never seen it on my PC before, so I denied permission. I then went into the Zone Alarm control panel and looked in Program Control for more info. The only other thing it tells me is that the file name is C:\zdj.exe, so I used the Kill Access setting under Program Control. I understand it can't access the internet now, but it still makes me nervous. It's not listed in the Windows Add/Remove Programs, but it does show up when I open My Computer or Windows Explorer and look at the C drive. It just says zdj and has an icon of Montgomery Burns from the Simpsons next to it. #1 Can I remove this in any way? #2 Can I just right click and delete it, or do I need a third party utility? #3 Do I need to not put any more personal or financial info on my computer till this is gone? #4 Do I need to disconnect my modem just to be safe till I can remove it? #5 Anyone have recommendations for a third party uninstall utility?
     
  2. Yargwel

    Yargwel MajorGeek

    Sad to see that your first post is about such a problem. But welcome anyway. :)

    The first thing you should do is read the sticky messages posted at the top in the Malware forum and run the programs that are suggested there such as Ad-aware and Spy-bot S&D.

    When you've done all that if your nasty file is still there post back and we will help you get rid of it.

    Good luck. :)
     
  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    AGreatCook,

If it's just one file, which in this case it may be, manually locate the file and delete it while holding SHIFT. If it infected your computer, there may be more.

    Afterwards, follow the steps below and then post your logs and reply in the Malware Forum.

Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
     
  4. AGreatCook

    AGreatCook Private E-2

I have done more searching and still can't find out what this zdj.exe is or does. And to top it off, I just completed (had problems with doing it before) an online scan with Symantec (my anti-virus company) and it told me that zdj.exe was infected with Trojan.LowZones, but it said that it deleted it. However, it also said after it finished that I need to remove it and gave me instructions on how to do so. If it deleted it, why do I need to remove it? I hesitate to follow the instructions it gave me because they involve editing the registry and the Win.ini file. I don't want to do this because #1 last time I did any of that (on Symantec's very specific instructions) I had to reload Windows (it was Win98) because it became unusable, and #2 the instructions are incomplete: to edit Win.ini it says "If you are running Win 95/98/ME click Start>Run and then type edit c:\windows\win.ini and then click OK", but it doesn't say what to do if I'm running XP (which I am). How do I start this process? Do I really need to edit the registry, or can I just disable System Restore and then run a scan and delete it that way? If I goof something up in the registry OR Win.ini, will System Restore save me?
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    As previously requested, please follow the required guidelines so we can get your computer clean. That file is most likely malware and should be deleted. Run the steps listed in the READ ME sticky then post your logs to your next post.

    Be sure you attach all three logs.

    Good Luck!:)
     
  6. AGreatCook

    AGreatCook Private E-2

Well, it's only my second day as a member and I imagine everyone is already getting tired of me. While waiting to hear back from the forum (I admit, I tend to be impatient, but I'm getting better at it) I did another complete online scan with Symantec (my anti-virus company) and then, as they said, booted in safe mode and ran a scan with my installed Symantec product. Neither scan found anything. After seeing the reply here to delete the file (a file called zdj.exe which Symantec said was infected with Trojan.LowZones) I was going to delete it and run the other instructions posted here, but it is now not there and I can't find a trace of it. I looked in the registry and Win.ini files like Symantec said to do (the other part of the fix they sent me said I may have to edit files in both of those, and I am extremely nervous about that), but nothing was listed anywhere like they said it might be. I understand that this trojan lowers security settings in IE. One of my questions is this: considering all I have done and found out so far, do I still need to perform all the steps (under READ & RUN ME FIRST Before Asking for Support) posted on the forum? I am a little nervous about doing that since it erases my Restore points; what if I have a problem and need to restore? Could it be hiding somewhere and crop up again later? Even though the zdj.exe file seems to be gone, the program ("Loader for you") associated with it is still in both my Symantec and Zone Alarm firewalls, but I have internet access for it blocked on both firewalls. Is this enough to make me safe online once I reset my IE security settings? Is there a thread on the forum that can advise me as to what my IE security settings need to be? Thanks again for all the help.
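The post above says the trojan lowers IE security settings and asks what those settings should be. One way to check that without hand-editing the registry is to export the Internet zone key with regedit (regedit /e) and compare it against the Medium defaults. The script below is an added example for this thread, not something posted by anyone in it or shipped by Symantec or MajorGeeks. The action codes (1001, 1004, 1200, 1201, 1804), their meanings and the "Medium" baseline values are my recollection of IE's documented zone settings and should be confirmed against a clean machine; the sample export is constructed to look like a zone that has been loosened.

```python
"""Flag Internet-zone (zone 3) IE settings that are looser than the Medium defaults.

Added example: parses a regedit export of
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
and reports action codes whose value is more permissive than the baseline.
Value semantics for these codes: 0 = Enable, 1 = Prompt, 3 = Disable.
"""
import re

ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")

# Assumed "Medium" baseline for the Internet zone (action code -> expected value).
# Verify these against a known-clean machine before relying on them.
MEDIUM_BASELINE = {
    "1001": 1,  # Download signed ActiveX controls: Prompt
    "1004": 3,  # Download unsigned ActiveX controls: Disable
    "1200": 0,  # Run ActiveX controls and plug-ins: Enable
    "1201": 3,  # Initialize and script ActiveX controls not marked safe: Disable
    "1804": 1,  # Launching programs and files in an IFRAME: Prompt
}

# Constructed sample export (not a real capture): most actions forced to 0 = Enable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1804"=dword:00000001
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def find_lowered_settings(reg, baseline=MEDIUM_BASELINE, key=ZONE3_KEY):
    """Return {action_code: (found, expected)} for values more permissive than baseline.

    A smaller number is more permissive (0 Enable < 1 Prompt < 3 Disable), so any
    value below the baseline is reported. Missing values are not reported, since
    IE then falls back to its own default for that action.
    """
    zone = reg.get(key, {})
    lowered = {}
    for code, expected in baseline.items():
        found = zone.get(code)
        if found is not None and found < expected:
            lowered[code] = (found, expected)
    return lowered


if __name__ == "__main__":
    lowered = find_lowered_settings(parse_reg_export(SAMPLE_REG))
    for code, (found, expected) in sorted(lowered.items()):
        print(f"zone 3 action {code}: found {found}, Medium default {expected}")
```

Run it against your own export by replacing SAMPLE_REG with the file contents (regedit writes exports as UTF-16, so open the file with encoding="utf-16"). Anything it reports is a setting you would put back through Internet Options > Security > Internet > Default Level rather than by editing the registry directly.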
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you need to follow our guidelines and stickies. Please do not run or do anything I do not request so we don't get anything confused.

    Now please start by running the READ ME step by step and then attach the logs to your next post.

Your next post should contain three logs: the BitDefender log, the Panda scan log and a current HJT log.
     
