Full Version: win32.trojandownloader.zlob
lpso_shannong
I have reviewed numerous blogs and made many attempts to remove the win32.Trojandownloader.zlob without success. Ad-Aware SE continues to detect the following:


Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, November 14, 2007 12:44:25 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R202 12.11.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Win32.Trojandownloader.Zlob(TAC index:10):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-14-2007 12:44:25 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 156
ThreadCreationTime : 11-14-2007 6:37:10 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 212
ThreadCreationTime : 11-14-2007 6:37:19 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 236
ThreadCreationTime : 11-14-2007 6:37:21 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 284
ThreadCreationTime : 11-14-2007 6:37:25 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 296
ThreadCreationTime : 11-14-2007 6:37:25 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 488
ThreadCreationTime : 11-14-2007 6:37:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 11-14-2007 6:37:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [aawservice.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware 2007\
ProcessID : 600
ThreadCreationTime : 11-14-2007 6:37:34 PM
BasePriority : Normal
FileVersion : 7, 0, 2, 5
ProductVersion : 7, 0, 2, 5
ProductName : Ad-Aware 2007 Service
CompanyName : Lavasoft AB
FileDescription : Ad-Aware 2007 Service
InternalName : Ad-Aware
LegalCopyright : Copyright © 2007
OriginalFilename : Ad-Aware.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 676
ThreadCreationTime : 11-14-2007 6:37:42 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 936
ThreadCreationTime : 11-14-2007 6:39:00 PM
BasePriority : Normal
FileVersion : 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
ProductVersion : 6.00.2900.3156
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1516
ThreadCreationTime : 11-14-2007 6:40:35 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:12 [wmiprvse.exe]
FilePath : C:\WINDOWS\system32\wbem\
ProcessID : 1684
ThreadCreationTime : 11-14-2007 6:42:15 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:13 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1808
ThreadCreationTime : 11-14-2007 6:42:54 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}

Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{a95b2816-1d7e-4561-a202-68c0de02353a}

Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{a95b2816-1d7e-4561-a202-68c0de02353a}

Win32.Trojandownloader.Zlob Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment : "{11a69ae4-fbed-4832-a2bf-45af82825583}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {11a69ae4-fbed-4832-a2bf-45af82825583}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 4




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojandownloader.Zlob Object Recognized!
Type : File
Data : Online Security Guide.lnk
TAC Rating : 10
Category : Malware
Comment :
Object : c:\documents and settings\all users\start menu\



Win32.Trojandownloader.Zlob Object Recognized!
Type : File
Data : tracking.log
TAC Rating : 10
Category : Malware
Comment :
Object : c:\system volume information\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 6

1:00:02 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:15:37.422
Objects scanned:155215
Objects identified:6
Objects ignored:0
New critical objects:6
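The four registry detections in the log above are the two COM class registrations for the Zlob component (the CLSID keys under HKEY_CLASSES_ROOT) plus the two places Internet Explorer reads at startup to decide which of those classes to load: the Browser Helper Objects key and the CLSID-named values under the Internet Explorer\Toolbar key. The script below is an added example, not part of the original thread and not Lavasoft's or ComboFix's code. It enumerates both load points on a live system, resolves each CLSID to the DLL COM would load (the default value of HKCR\CLSID\{...}\InprocServer32), checks whether that file exists and carries a valid Authenticode signature, and marks the two CLSIDs reported in this log. The registry paths are the standard Windows ones; the function names and the `$fromLog` list are mine.

```powershell
# Added example, not from the original thread: audit the IE add-on load points
# that Ad-Aware flagged above (BHO key and Toolbar CLSID values), resolve each
# CLSID to its DLL and report file presence, signature status, and whether the
# CLSID is one of the two named in the log. Run from an elevated prompt.

$bhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'

# The two CLSIDs reported in the Ad-Aware log above (copied from the log, not invented).
$fromLog = @(
    '{11a69ae4-fbed-4832-a2bf-45af82825583}',
    '{a95b2816-1d7e-4561-a202-68c0de02353a}'
)

# Map a CLSID to the DLL path COM would load for it, or $null if it is not registered.
function Resolve-ClsidServer {
    param([string]$Clsid)
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $path)) { return $null }
    $dll = (Get-ItemProperty -Path $path).'(default)'
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    return $null
}

# Collect every CLSID registered as a BHO or as an IE toolbar, then enrich each one.
function Get-IeLoadPoints {
    $entries = @()

    # BHOs: one subkey per CLSID.
    if (Test-Path $bhoKey) {
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $entries += [pscustomobject]@{ Source = 'BHO'; Clsid = $sub.PSChildName }
        }
    }

    # Toolbars: the value NAME is the CLSID; skip the non-CLSID values (bitmap settings etc.).
    if (Test-Path $toolbarKey) {
        foreach ($name in (Get-Item -Path $toolbarKey).GetValueNames()) {
            if ($name -match '^\{[0-9a-f-]{36}\}$') {
                $entries += [pscustomobject]@{ Source = 'Toolbar'; Clsid = $name }
            }
        }
    }

    foreach ($e in $entries) {
        $dll    = Resolve-ClsidServer $e.Clsid
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig    = $null
        if ($exists) {
            # Valid / NotSigned / HashMismatch / UnknownError: unsigned is not proof of
            # malice and signed is not proof of safety, but a stray unsigned DLL that
            # is auto-loaded into IE deserves a look.
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        [pscustomobject]@{
            Source    = $e.Source
            Clsid     = $e.Clsid
            Dll       = $dll
            Exists    = $exists
            SigStatus = $sig
            InLog     = ($fromLog -contains $e.Clsid)   # -contains is case-insensitive
        }
    }
}

Get-IeLoadPoints | Sort-Object Source, Clsid | Format-Table -AutoSize
```

A CLSID that appears under the BHO or Toolbar key but has no InprocServer32 entry (Dll empty) is a dangling registration, which is what a partial clean-up like the one in this thread tends to leave behind; the reverse, a registered DLL that no longer exists on disk, is harmless but worth removing so the next scan stays quiet. On 64-bit Windows the 32-bit add-on registrations live under the Wow6432Node mirrors of the same three keys and need the same pass. The two file detections in the log (the Start Menu .lnk and the file under System Volume Information) are not covered by this script, which looks only at the registry load points.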
HJThis
Hello, lpso_shannong

Um, do you have two versions of Ad-Aware installed? If so, it would be a good idea to uninstall the old version. Then update the new version, run a Full System scan, then post that logfile.

Gogo
lpso_shannong
Thanks for the response.
I'll get that done.
lpso_shannong
Attached is the log from Ad-Aware 2007 and HiJackThis.
HJThis
Hey, lpso_shannong

Sorry to say that's not Ad-Aware 2007 Free.

Gogo
lpso_shannong
Sorry about that, I'm used to Ad-Aware Se.
lpso_shannong
While waiting for a response to my last post I experimented with some of the more common tasks that were being conducted in other similar topics.
The main topic I used for reference was Zlob/Security Toolbar 7.1.

I downloaded ComboFix.exe from another topic: "Infected by Virtumonde and other MRUs - please HELP".

Following the configuration from other topics using ComboFix.exe, I wrote my own CFScript.txt file. I was able to remove all of the SYSTEM32 .dlls and an "rMa02yy" folder listed in the files created section of the ComboFix log.

After that everything looked clear so I ran Ad-Aware 2007. Ad-Aware 2007 found 3 infections, with one being a win32.trojandownloader.zlob identified as "C:\System Volume Information\tracking.log" (not good, but still less than at the beginning). I attempted to remove all of the infections with Ad-Aware 2007. After running Ad-Aware 2007 again only the win32.trojandownloader.zlob remained. I ran ComboFix.exe and HiJackThis and everything appeared to be good; however, I don't really know what I was looking for.

I decided that it wouldn't hurt at this point to follow through with the cleanup suggestions made in Zlob/Security Toolbar 7.1. After I performed Disk Cleanup I turned off my System Restore and restarted my computer. Once my computer restarted I didn't want to create a new System Restore point until the win32.trojandownloader.zlob infection was removed, so I ran Ad-Aware 2007 again. Ad-Aware found one infection and it was an MRU (no more win32.trojandownloader.zlob infections).
I used Ad-Aware 2007 to remove the infection and started another scan and verified that everything was actually clean.

Finally, I got it!
HJThis
Hi, lpso_shannong

Nice work! But if at some point you feel something is still there, post us a log.

Best of luck

Gogo
lpso_shannong
Thanks