Zlob VirusProtectionPro Trojan not detected.

Infected by this little baddie tonight… Obviously being an idiot trolling porn on the web. Was infected with Zlob, which Antivir picked up but did not remove. No detection with a Spyware Terminator quick scan. Some detection with Spybot, but only partially. Used a SuperAntiSpyware on-demand scan to remove it in the end. SuperAntiSpyware detected two Zlob.Trojan entries in memory and subsequently removed them. Any ideas why CBOC didn’t detect / remove it? Zlob is covered in the CBOC Malware Covered listing.

I didn’t retain the file, so I am unable to submit it to Comodo.


Do you know how to go back to where you got the Zlob infection? Do you have the log from SAS showing what it flagged?

What other programs did you have running in realtime, along with BOC?

I think that programs like “prevx” and “a-squared” can interfere with programs like BOC, preventing them from functioning as they should… if you had something like “prevx” running, that might have prevented BOC from flagging “zlob” running in memory…

On the other hand, maybe “the Comodo team” failed to add detection for the Zlob variant that you had, and so BOC failed to flag it… (if SAS was able to flag “zlob” in memory, BOC also should have been able to flag it in memory, imo)…

I’m sure I could find the site again… The security software I run is:

Comodo Firewall
Comodo BoClean
Antivir Personal Edition Premium
Spyware Terminator with HIPS enabled.
Crawler Web Security Guard Toolbar

Antivir picked up part of the program, which I told it to remove, but the installation of the Viewer ActiveX continued, which in turn put two website links on my desktop and a flashing shield in my system tray. Whenever you clicked on the shield it opened the page (www.virusprotectionpro.com), a known virus/spyware site. Be very careful if you go there!
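The post above describes two artefacts left on the desktop by the “viewer” installer: website links pointing at www.virusprotectionpro.com. Those links are Windows Internet Shortcut (.url) files, which are plain INI text, so a triage check can read them without touching the binary payload. The following is an added example, not code from the thread or from Comodo: it parses .url files in a folder and flags any whose host is on a watch-list. The only domain on the watch-list is the one named in the post; the sample shortcut files, the helper names and the function names are all constructed for this example.

```python
"""Triage a desktop folder for .url shortcuts pointing at a watch-listed domain.

Added example for the thread above; the sample files, helper names and
watch-list (apart from the domain the post names) are assumptions.
"""
import configparser
import os
import tempfile
from urllib.parse import urlparse

# The one domain named in the post. Everything else here is constructed.
WATCHLIST = {"virusprotectionpro.com"}


def parse_internet_shortcut(path):
    """Return the URL stored in a .url file, or None if it is not one.

    .url files are INI-style with an [InternetShortcut] section; non-strict
    parsing tolerates duplicate keys, and interpolation is off so a '%' in
    the URL is not mistaken for a configparser substitution.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except (OSError, configparser.Error):
        return None
    return parser.get("InternetShortcut", "URL", fallback=None)


def host_matches(url, watchlist):
    """True if the URL's host is a watch-listed domain or a subdomain of one.

    The dot-prefixed suffix check keeps 'notvirusprotectionpro.com' from
    matching 'virusprotectionpro.com'.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_suspicious_shortcuts(directory, watchlist=WATCHLIST):
    """Scan one directory (non-recursive); return [(filename, url), ...]."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".url"):
            continue
        url = parse_internet_shortcut(os.path.join(directory, name))
        if url and host_matches(url, watchlist):
            hits.append((name, url))
    return hits


def build_sample_desktop(directory):
    """Write constructed sample shortcuts: two pointing at the domain, one benign."""
    samples = {
        "Virus Protection Pro.url": "http://www.virusprotectionpro.com/",
        "Scan Now.url": "http://download.virusprotectionpro.com/scan.html",
        "Comodo Forums.url": "https://forums.comodo.com/",
    }
    for name, url in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write("[InternetShortcut]\r\nURL=%s\r\n" % url)
    return directory


def demo():
    """Build the constructed desktop in a temp dir and scan it."""
    directory = build_sample_desktop(tempfile.mkdtemp(prefix="zlob_triage_"))
    return find_suspicious_shortcuts(directory)


if __name__ == "__main__":
    for name, url in demo():
        print("suspicious shortcut: %s -> %s" % (name, url))
```

This only finds the dropped links, which is enough to confirm what the post describes; the installer and the tray component themselves are not inspected, and removing the .url files does not remove the infection, so the on-demand scan the poster ran is still needed.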


Well, if you can figure out where you got the Zlob thing from (I know it installs when installing a “viewer”), give me the link… you can send it to me in a PM if you don’t want to post it…

I am not an “expert” (unfortunately), but I will see what I can do if you can give me a link to the source of the malware…

I think it is possible that “Spyware Terminator” interfered with BOC functioning properly, if it was running in realtime… you could test BOC with GRC’s “leaktest” and see if BOC can handle it properly…

Send me a link to the source of the Zlob thing that you got, if you can…

I hate to say this (I am a BOClean fan)… But I have witnessed several occasions where Zlob flew right past BOClean… I am hoping to see this fixed in the future… But as of right now… I don’t think BOClean is sufficient protection against Zlob…

As a side note, there are many sites, some legitimate, that get infected by Zlob; for example, Wfaa.com (a local TV station in Dallas, TX) was recently infected via a banner ad.

Boys, remember that it is important that if you find (new) malware samples you:

  • email them to: malwaresubmit [ at ] avlab.comodo.com
  • and also to: bocleansubmissions [ at ] comodo.com
  • zip and password-protect them with “infected” and include that information in the body.

Greetz, Red.

Since I never get infected… (:NRD) I’ll get the next user I have with Zlob to do just that…

Sorry for bumping this back up, but I just wanted to mention a couple of things. A while back, even before this, I posted about BOClean being disabled by a Zlob that carried a (was it Winfixer/SpyAxe?) payload with it. Nothing much was said by anyone at Comodo other than some friendly banter that ensued on the thread (a lot of it is my fault, as usual :P). Anyway, I did clean that up with SuperAntiSpyware and had been testing it on a test machine… I just wanted to mention that a lot of antivirus programs failed to recognize these Zlob files. I know this because I sent in quite a few that NO product on the VirusTotal list had a definition for. So anyway, no one should give BOClean a hard time about this, because I don’t know of many products that actually detected this while it was being downloaded (automatically via the stinkin’ IE browser). Don’t use IE… I could say “don’t do a lot of other things” that are supposed to be obvious security hazard prevention measures. hehe