win32.trojandownloader.zlob false positive/causing disconnects?

zeliad · Nov 26, 2006

Hi,

I'm using Ad-aware and every time I check my system with it it shows win32.trojandownloader.zlob infection...over and over again even if Ad-aware fixes this the next scan shows an infection.
Now I don't have any particular problem with it because there are no pop-ups/system slowdown issues with my comp but recently I'm experiencing strange things with my ADSL: the dataflow suddenly stops (it appears to be totally random when) and after 2-3 minutes my connection breaks up and I can't even redial, I have to reboot my modem to be able to reconnect. My ISP says they checked the logs and according to them the modem disconnects are always "called", so there must be a prob with my LAN card. I checked 4 different LAN cards and the issue is still here. Could it be that this win32.trojandownloader.zlob causing the problem?
I did all the steps mentioned in "READ & RUN ME FIRST Before Asking for Support" post and here are the logs you request (except Panda because it didn't offer saving a log...it didn't find anything tho).

Thanks in advance for helping!

Zel

zeliad · Nov 26, 2006

And the remaining logs.

chaslang · Nov 26, 2006

Welcome to Majrogeeks!

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

How are things working now?

zeliad · Nov 28, 2006

Hiya Chaslang,

Unfortunately Ad-aware still detects win32.trojandownloader.zlob after doing the 2 steps you suggested, on the other hand I didn't have the chance to reproduce the net connection brake. Here are the logs.

Zel

zeliad · Nov 28, 2006

...and the others

zeliad · Nov 28, 2006

Ahh nevermind my post it DID clean the malware A lot of thanks to you!

Zel

chaslang · Nov 29, 2006

Well your logs are basically clean but I see some things to fix.

You did not install the proper version of Spybot given in the READ ME. What you are using has not been used in more than two years. You should fix this.

You also need fix a few things with HijackThis but they may not fix since you are running Spybot's Teatimer which we asked you not to run in the READ ME. So uninstall your old version of Spybot and then fix the below.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - (no file)"
O20 - Winlogon Notify: winaqh32 - winaqh32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

After clicking Fix, exit HJT.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6

Now install the current version of Sun Java from: Sun Java Runtime Environment

Log in or Sign up

win32.trojandownloader.zlob false positive/causing disconnects?

zeliad Private E-2

Attached Files:

Report-Scan-20061126-100139.txt

bdscan.txt

newfiles.txt

zeliad Private E-2

Attached Files:

runkeys.txt

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

zeliad Private E-2

Attached Files:

rapport step 1.txt

rapport step 2.txt

zeliad Private E-2

Attached Files:

runkeys.txt

newfiles.txt

hijackthis.log

zeliad Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

win32.trojandownloader.zlob false positive/causing disconnects?

zeliad Private E-2

Attached Files:

zeliad Private E-2

Attached Files:

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

zeliad Private E-2

Attached Files:

zeliad Private E-2

Attached Files:

zeliad Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches