datasafe

ZLOB Detected by SpyHunter


Hi guys

I've been using SAS for a month or so now. One of my friends downloaded SpyHunter and ran it on his PC - quite a few trojans were detected and of course he paid up and cleared them.

Tonight, I downloaded a trial copy of SpyHunter, updated the 'definitions' and did a scan, I was quite alarmed when I was presented with the following results!

ZLOB.jpg

Is this a scam to get one to pay for the software? If not, why hasn't this been dealt with by SAS?

Cheers

John

Geez, that was a quick reply!

Another screen grab showing the problem lies in the registry keys

ZLOB2.jpg

I'm always suspicious when problems are detected by one spyware software and not by another, that's why I decided to post.

The reason I tried out SpyHunter this evening was because I discovered my root directory of C:\ contained hundreds of empty folders that just appeared! Each empty folder appears to have the name of folders I store in My Documents. I was also presented with an error message on boot-up that stated something like: A folder named C:\Program might cause a problem, rename or ignore. Took me quite some while to delete all the empty folders - now in the recycle bin, just in case!

Here's the last scan results, just a few cookies:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 06/23/2009 at 06:55 AM

Application Version : 4.26.1004

Core Rules Database Version : 3951

Trace Rules Database Version: 1893

Scan type : Complete Scan

Total Scan Time : 02:40:13

Memory items scanned : 1138

Memory threats detected : 0

Registry items scanned : 8315

Registry threats detected : 0

File items scanned : 114227

File threats detected : 6

Adware.Tracking Cookie

C:\Documents and Settings\John Cooper\Cookies\john_cooper@atdmt[2].txt

C:\Documents and Settings\John Cooper\Cookies\john_cooper@adbrite[2].txt

C:\Documents and Settings\John Cooper\Cookies\john_cooper@media6degrees[1].txt

C:\Documents and Settings\John Cooper\Cookies\john_cooper@mycounter.tinycounter[1].txt

C:\Documents and Settings\John Cooper\Cookies\john_cooper@hotlog[1].txt

Trace.Known Threat Sources

C:\Documents and Settings\John Cooper\Local Settings\Temporary Internet Files\Content.IE5\OR9UX6PK\virusremoverprofessional_pic1[1].png

I also got a Zlob.HTML adware/spyware the other day. Superanti... didn't find it, but another free download caught this trojan horse. I have been trying to figure this out for 3 days, but to no avail thus far. I knew I was affected/infected because my homepage changed. My modem lights - which have 8 LED lights - went down to 2 that were lit once I was infected. I now have my homepage and modem lights back, but every time I run Superanti... the infected files still return.

Here they are: Generated 06/24/2009 at 01:49 PM

Application Version : 4.26.1006

Core Rules Database Version : 3954

Trace Rules Database Version: 1896

Scan type : Quick Scan

Total Scan Time : 00:02:48

Memory items scanned : 575

Memory threats detected : 0

Registry items scanned : 501

Registry threats detected : 8

File items scanned : 1988

File threats detected : 1

Adware.Tracking Cookie

C:\Users\Edmonds\AppData\Roaming\Microsoft\Windows\Cookies\edmonds@maxis.112.2o7[1].txt

Rogue.AdwareAlert

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\DefaultIcon

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\Shell

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\Shell\Open

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\Shell\Open\Command

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\ShellFolder

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\ShellFolder#Attributes

HKCR\CLSID\{755C6BC2-A679-4025-84D3-4AE283A87B14}\ShellFolder#WantsFORPARSING

I didn't run it all of the way through because this is all that shows up. I am at my wits', or lack thereof, :roll: end with this little virus or whatever it is. Please help... Thanks in advance... After the other Free adware caught it, then Superanti... did get the above. Whether this is related I have no clue - :idea: . Peace...

"Are they all in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains?"

It appears they are! And I don't visit porn sites either ;)

John

Ok, I ran a System Restore and then I only had 1 Rogue, and also deleted my IE 8 and then redownloaded it. I ran the Superanti... and it was totally free of anything.

So far so good... Only time will tell, but I will keep you informed if something pops back up. Thanks Tons... :D

Ok, I ran a System Restore and then I only had 1 Rogue, and also deleted my IE 8 and then redownloaded it. I ran the Superanti... and it was totally free of anything.

So far so good... Only time will tell, but I will keep you informed if something pops back up. Thanks Tons... :D

My 15-year-old thought he was clever once and entered a few porn sites. My computer was loaded with trouble, and I snapped at him for this. Do not ever enter those sites because even supposed legit sites may be hacked. Just my 2 cents on this.... :lol:

I bet you all have Spybot active and you have activated "Immunize" in Spybot. SpyHunter has picked up the registry keys that Spybot has put there to protect against those sites. If you want to prove it "undo" the immunization and run SpyHunter again, and they will not be there.

I bet you all have Spybot active and you have activated "Immunize" in Spybot. SpyHunter has picked up the registry keys that Spybot has put there to protect against those sites. If you want to prove it "undo" the immunization and run SpyHunter again, and they will not be there.

This is exactly right - either SpyBot or SpywareBlaster's immunize feature will add thousands of domains to the ZoneMap area of the registry. SpyHunter is not looking if they are blocked or allowed - it's simply detecting them because they are there. No need to submit a support request.
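
An added example, not part of the original thread or of any product named in it: a Python sketch that reads a text export of the ZoneMap key and separates entries mapped to zone 4 (Restricted Sites, i.e. blocked) from entries that raise a site's trust, which is the distinction the reply above says the scanner was not making. The sample export and its `.example` domains are constructed for illustration.

```python
import re

# Internet Explorer security zone numbers stored as the DWORD value.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

KEY_RE = re.compile(r"^\[.*\\ZoneMap\\(Domains|EscDomains)\\([^\]]+)\]$", re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export format (not taken from the thread).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\blocked-one.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked-two.example\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\promoted.example]
"http"=dword:00000002
"""

def parse_zonemap(reg_text):
    """Return (list_name, host, protocol, zone) for every ZoneMap value."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Keys are stored as domain\subdomain; rebuild the host name.
            parts = key.group(2).split("\\")
            current = (key.group(1), ".".join(reversed(parts)))
        elif line.startswith("["):
            current = None  # some other key, ignore its values
        else:
            val = VAL_RE.match(line)
            if val and current:
                entries.append((*current, val.group(1), int(val.group(2), 16)))
    return entries

def triage(entries):
    """Zone 4 is a block entry; zones below 3 grant extra trust and need review."""
    report = {"blocked": [], "review": [], "default": []}
    for _list, host, proto, zone in entries:
        bucket = "blocked" if zone == 4 else "review" if zone < 3 else "default"
        report[bucket].append((host, proto, ZONES.get(zone, f"zone {zone}")))
    return report
```
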
