Win 32 Zbot-ALY [Trj] found in 2 places today

on my computer. Locations are C:\documents & settings, my name\desktop

other is @ C:\System Volume Information\restore .
There’ s a lot of other numbers and stuff but can’t seem to copy and paste in order to give it all to you here and I don’t know the how to do the “hijack this” stuff, or whatever. ( am pretty much computer challenged here )
Avast only gave me the option to put it in the virus chest when it found them, which I did. Now whadda I do ?
Do I need to go into my system restore and get rid of old points and make new ones, etc? Is that a risky procedure in anyway at all ?

ALSO, when checking on the properties of these two in the chest I see where the " last modification time" ( " last changed" per the info. line before I click on " properties" of these two ) was a little over a month ago on these two items, does that mean they’ve been in my computer since then ?

Please help me in as simplest terms as possible and what does this trojan do to one’s puter ? ???

:slight_smile: Hi :

Trojans ( “Trj” ) are best dealt with by antiSPYWARE/antiTROJAN program(s);
do you have any of these “types” of programs on your computer ? IF NOT,
I recommend you try the FREE Version of “SUPERAntiSpyware” from
www.superantispyware.com and/or the “FREE” Version of “Malwarebytes’
Anti-Malware”, most easily downloaded from
www.malwarebytes.org/mbam.php . I use BOTH on my computer .

great advice Spritsongs
OP
WITH MBAM click REMOVE- it will make a copy in quarantine
I’d run BOTH
post the logs please
you can also rt click Avast ball and click update>program
then rt click the Ball and “schedule boot time scan”
reboot
post log if any hits

the date is more likely when they were created- hard to tell
do not fool with restore points now
let’s get clean first

Thanks guys for your help . Yes, I use spy sweeper on all my computers and update that and avast religiously.
I did install and run the SAS after doing some reading here and it found one item, adware tracking cookie in C:\documents and Settings\my name\cookies\myname@msnservices.112.2o7[1].txt
It’s quarantined for now , all I know to do.
wyrmrider , I cannot seem to get to the schedule boot time scan per your directions, not an option. I use the free version 4.8 home edition, perhaps that’s why?

Yes, let’s get clean ! :slight_smile:

I also just realized I did not have my VRDB generator enabled, darnit ! Maybe I could’ve fixed these little monsters if I had realized that before now. Instead, all I could do was slam them into the virus chest. Is my computer still " sick" even though the trojans are there now?

Am on another computer for now, scared to use the infected one until I can find out just what I need to do to totally clean it up .

see:
http://www.siteadvisor.com/sites/spywareadvancedscanner.com/postid?p=1001235

This your thread??
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windowsxp.general&tid=ca172fcc-3b7a-423b-ab32-2ad173752ed9&cat=&lang=&cr=&sloc=&p=1
Did the windows live one care scan show anything?
did you run the raymond AV scan- what did it show?

do not worry about anything in chest or quarantine or cookies- just leave em alone
do not worry about restore points at this time- that’s one of the last things to do
BTW what did your spysweeper scan show?
another poster just reported that spysweeper found hits that spyware doctor missed
go figure

on scheduled scans - what is your os?
if W98 or 64 bit (Vista) scheduled scans is blanked out
you can try and run in safe mode
if W2k or XP or 32bit Vista then Rt click on the ball and noodle around

Now What exactly are we looking for? What exactly did you find and where
What’s all this fuss all about anyway :slight_smile:
I can’t see your whole first post- did you post up the whole path to whatever it was?
is the one in the post title the only one and only on desktop?

I would like to see one clean AV scan and one Clean Antispyware scan
do try the MBAM scans if you have time
Quite frankly if this is the AV2008 infection Malware Bytes Anti Malware and Rogue Remover
are best- run both of them
however you may already be clean or this may be a new version- Can’t tell yet

meanwhile- not to worry- you’re doing fine
If you have followed all the instructions you are down to PA Bear’s recommendations

Hey wyrmrider , down at the bottom of the McAfee site you left here it says the below : is that thing there safe to use? ???

“”"This site is linked to from another known-malicious site:

BLOCKEDhttp://blazervips.com/soft.php

Additionally, at least one confirmed malware site, onlysecuretools.com, redirects to the blazervips.com URL above, which in turn redirects to this domain. “”

In any event,

Yes, that was my thread and not sure why you could not see all my OP but no, I did not post the path just the info. I have from the virus chest in my avast, per the properties there . I just manually typed it in .
Spysweeper is finding nada, has found nada in a long time, at first it found stuff, now nada. Beginning to wonder if it’s as decent program as it touted to be after all ?
I don’t know how to capture and post the " paths" so I just typed what I found in my virus chest which avast said this trojan was found in the two places as I stated both here and at Microsoft which is as follows: Locations are C:\documents & settings, my name\desktop

other is @ C:\System Volume Information\restore .

Same Trojan in both places , it says.

Didn’t run onecare for was not sure if I should do the “full service scan”, don’t wanna go and possibly get into something that I wouldn’t know how to fix-or back out of- if I don’t know what to do with it?!

How do I go about showing you the clean AV scan and a clean antispyware scan, can you come over to my house and take a peek, lol . Pa Bear confuses me with all the links he leaves, too much !! However, they all are a big help there, as you are to me here, thanks much !

Oh, I did “noodle” around ( XP here) and found how to schedule a boot time scan with avast, via the simple user interface menu.
It found 3 corrupted files but I don’t wanna type all that in here, so~~~how may I share that info. with you after I run it again ? Again , you wanna come over to my house ? :slight_smile:
I can tell you two of them for sure . A CAB archive is corrupted as is an OLE Archive . Lost the third one after I had to get up and leave the puter right as it was finishing. Got back and boom, the screen was gone and back to my desktop theme.

Mcafee site advisor does not like “spywareadvancedscanner.com”
so let’s not go there or to onlysecuretools.com or blazervips.com/soft.php

let’s not worry about things in restore for now

put whatever avast finds in the chest- do not remove/delete
Create a folder C:\suspicious
copy each item from the chest into C:\suspicious
go online to “virus total”
use the upload function to navigate to your C:\suspicious
post a link to the results
I’ll see them there :slight_smile:

you can safely run windows defender- quarantine if it finds anything
live one care do not install the AV -I’ve never used it- lol

the best first scan for the XP-antivirus is Malware Bytes Anti Malware
can you get to it, update, run a scan and click REMOVE?

be back later

Hey wyrmrider ,

Goodness, you’re better’n snuff. :wink:

Now, I am assuming I am to make a new folder in say " my documents", -is that what you’re saying ?
Just wanna be sure I’m on the right track here because to rename the folder it won’t let me use : and so forth, I just have to call it csupicious.

If so~~ “can do” that but, to put those things there, is that safe? I mean, I have those buggers quarantined, will this move/copy them outta there into that folder and infect my documents or whatever?! Sorry if that seems like a totally dumb question but inquiring minds wanna know. :slight_smile:

And, is this the right place to go? http://www.virustotal.com
can you double check the validity of it for me, purty please?

I don’t have defender on here but can get it downloaded, sheeze-just what I need, more " stuff" on this machine, lol.
I guess I can get to Malware Bytes, will try for sure.

wyrmrider ,

I’m playing around in my virus chest and right clicked on those little buggers and scanned, here’s what it showed after I went into " detailed" info. , does that help any ?

Also, there is an option when right clicking on them to " extract". IF I want to put these in a folder, is that what I do, click “extract” on these viruses and extract them to the folder ?!

bugger #1

Scanning of selected files

Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp266961467.tmp
FileID: 0000000007 Original file name: C:\System Volume Information\_restore{C9C182C4-D590-4CAA-9EE2-EA724CBA286C}\RP516\A0160301.exe New folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp266961467.tmp\7.exe

Scan files in the temporary folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp266961467.tmp
C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp266961467.tmp\7.exe Win32:Zbot-ALY [trj]

Action was completed successfully!

bugger #2.

Scanning of selected files

Program will try to scan 1 selected file(s) in the Chest

Move files to temporary folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp174059091.tmp
FileID: 0000000006 Original file name: C:\Documents and Settings\myname\Desktop\XPAinstall_880385.exe New folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp174059091.tmp\6.exe

Scan files in the temporary folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp174059091.tmp
C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp174059091.tmp\6.exe Win32:Zbot-ALY [trj]

Action was completed successfully!

I’m too old for this
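As an added example (not from the thread, and not avast's own code), a small Python parser for the chest scan reports pasted above: it joins each detection line to the original location it came from and flags whether the hit was a System Restore snapshot or a live file in the user profile, which is the distinction the replies keep drawing. The user name "myname" and the backslashes restored before "_restore" and "_avast4_" are assumptions.

```python
import re

# Constructed sample: the two avast chest scan reports pasted above, with the
# user name replaced and the forum-swallowed backslashes put back (assumed).
SAMPLE_LOG = r"""
Move files to temporary folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp266961467.tmp
FileID: 0000000007 Original file name: C:\System Volume Information\_restore{C9C182C4-D590-4CAA-9EE2-EA724CBA286C}\RP516\A0160301.exe New folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp266961467.tmp\7.exe
C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp266961467.tmp\7.exe Win32:Zbot-ALY [trj]
Move files to temporary folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp174059091.tmp
FileID: 0000000006 Original file name: C:\Documents and Settings\myname\Desktop\XPAinstall_880385.exe New folder: C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp174059091.tmp\6.exe
C:\DOCUME~1\myname\LOCALS~1\Temp\_avast4_\unp174059091.tmp\6.exe Win32:Zbot-ALY [trj]
"""

# "FileID: <id> Original file name: <path, may contain spaces> New folder: <temp copy>"
ORIG_RE = re.compile(r"^FileID:\s*(\d+)\s+Original file name:\s*(.+?)\s+New folder:\s*(\S+)$")
# "<temp copy> <engine>:<family> [tag]"; temp paths are 8.3 names, so no spaces
DET_RE = re.compile(r"^(\S+)\s+(\S+)\s+\[(\w+)\]$")


def classify(original_path):
    """Where the file lived before quarantine decides what it means for cleanup."""
    p = original_path.lower()
    if "system volume information" in p and "_restore" in p:
        # System Restore snapshot: inert, and gone once old restore points are
        # purged, which is why that step comes last in the thread.
        return "restore-point-copy"
    if "\\documents and settings\\" in p or "\\users\\" in p:
        # The live copy in the user profile (here the Desktop); only an
        # autostart entry naming it would run it again, so that is what to check.
        return "user-profile-file"
    return "other"


def parse_chest_log(text):
    """Join each detection line to the FileID line that names its original path."""
    originals, hits = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        m = ORIG_RE.match(line)
        if m:
            originals[m.group(3)] = {"file_id": m.group(1), "original": m.group(2)}
            continue
        m = DET_RE.match(line)
        if m and m.group(1) in originals:
            rec = dict(originals[m.group(1)])
            rec["detection"] = f"{m.group(2)} [{m.group(3)}]"
            rec["location"] = classify(rec["original"])
            hits.append(rec)
    return hits
```

Paste the full chest report text into `parse_chest_log`; lines it does not recognise (the "Scanning of selected files" and "Action was completed" lines) are simply skipped.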

You can create your “suspicious” folder anywhere you want where you will remember where it is
I was trying to suggest going to the root folder C:\ and creating it there giving C:\suspicious
but -whatever

now copy - do not move- from the chest to your new folder
there will still be a copy in the chest

http://www.virustotal.com looks good
now go to online to the virustotal website and use the uplink tool there to navigate to your new folder or to the file in temp if you can find it
whichever way you do it upload those files to virus total and post links to the answers here

The extract is more useful when sending files to avast- good to know how if you ever need to

do the MBAM I was just thinking you might already have windows defender or spybot or something

get that MBAM log posted
remember to Click REMOVE

Create a folder C:\suspicious copy each item from the chest into C:\suspicious go online to "virus total" use the upload function to navigate to your C:\suspicious post a link to the results

I think you fail to grasp the full reasons for creating another folder:

  1. even a virus in a different location to the original is still a virus, but it is effectively inert as there is no command/registry entry to run it.
  2. avast could still alert when you copy files to this temporary location and possibly block the upload to virustotal.
  3. that is why we exclude the newly created temporary folder (of whatever name you choose) so that it allows it to be uploaded with no chance of avast intervention.
  4. the exclusion also stops avast detecting it again in future scans whilst you await the outcome if you have sent a sample to avast for investigation. Saves having to delete from suspect folder immediately after upload.

Which is why I suggest doing it this way (the folder name is up to the user):

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the [b]Standard Shield, Customize, Advanced, Add[/b], type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

ok, thanks guys. David, it took me a while to “noodle” around in avast but I figured out what you were talking about. Sorry but am kinda new to avast, fairly new program for me here. All this is frustrating me for I am computer inept also, sure doesn’t help the situation.

wyrmrider, I’m so sorry, I know I must be driving you crazy with all this ! You have been so attentive, I cannot thank you enough ! BTW, I cannot get MBAM to work, it seems to download but when I go to run it it says the setup files are corrupted and to obtain a new copy of the program, got me ?!

In any event,
let me be sure I totally understand this new folder stuff. For example, I have existing folders in “my documents” now and when I right click on them and check properties the location of each one says:

C:\Documents and Settings\my name \My Documents.

SO~if I put this suspicious folder in my “my documents”,
that will suffice ? Is being in “my documents” considered being in my root folder or would I need to go to drive C and create it there in order for the new folder to be root folder ? Sorry if that sounds like a totally dumb question ( cause I think wyrmrider pretty much explained that ) but am walking on eggshells here, if you will. ( I need computer 101 here, lol )
And
do I export those the files from the chest by clicking on "extract " and will it give me the option to put the files in that new suspicious folder ? I don’t have a “copy to” choice in my virus chest options.

Personally I would keep it out of the My Documents folder as this is a somewhat different folder. Yes you want the folder to be a sub folder of the root C:\ folder - Using Explorer click on the C:\ folder, at the top of the page, File > New > Folder and type the name you wish to give the new folder.

Clicking on extract (is a copy file, not move or delete from the chest) will pop-up an explorer like interface to navigate to the C:\Suspect folder you created.

Remember you will need to exclude that folder when you create it before extracting the file copy from the chest.

Thank you David for the further explanation. I’m pretty sure I understand how to go about this now and will try later.

For now I finally got MBAM to load so am working with that at the moment.

You’re welcome, let us know how you get on.