#1
Hi
On a customer's PC ESET NOD32 V4.2.71 is detecting this now and then in the startup scanner (unable to clean). A full scan often does not find/clean it. Is there a removal tool available that I can advise to use? Greetings from Holland

#2
Just a suggestion, why not update to version 5 0.95 and go from there. Trying to remove it in safe mode may be your best bet.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
Last edited by Dark Shadow : April 25th, 2012 at 10:27 AM.

#3
The reason I did not do it is because it is a Business Edition (there is no v5 available, only RC Endpoint Security).

#4
Quote:

#5
I would boot the computer into safe mode with networking and run an ESET On-demand Scan: http://www.eset.com/us/online-scanner/
If that doesn't work then you may want to run TDS Killer from Kaspersky: http://support.kaspersky.com/faq/?qid=208283363

#6
Wasn't it detected during a memory scan? Please copy & paste the appropriate record from the Threat log here.

#7
Unfortunately I only have access to ERAC at this moment.
There I see:

Column Name: Value
Threat Id: Threat 1103
Client Name: ######
Computer Name: ######
MAC Address: 0019d1a990aa
Primary Server: ######
Date Received: 2012-04-22 16:25:26
Date Occurred: 2012-04-22 16:21:21
Level: Critical Warning
Scanner: Startup scanner
Object: file
Name: Operating memory » explorer.exe(308)
Threat: a variant of Win32/Spy.Zbot.ZR trojan
Action: unable to clean
User:
Information:
Details: Ready

Column Name: Value
Client Name: ######
Computer Name: ######
MAC Address: 0019d1a990aa
Primary Server: ######
Domain: ###.###
IP: 192.168.1.27
Product Name: ESET NOD32 Antivirus BUSINESS EDITION
Product Version: 4.2.71
Policy Name: Default Primary Clients Policy
Last Connected: 2012-05-01 13:10:38
Protection Status Text:
Virus Signature DB: 7100 (20120501)
Last Threat Alert: a variant of Win32/Spy.Zbot.ZR trojan
Last Firewall Alert:
Last Event Warning:
Last Files Scanned:
Last Files Infected:
Last Files Cleaned:
Last Scan Date:
Restart Request:
Restart Request Date:
Product Last Started: 2012-04-27 09:09:19
Product Install Date: 2008-06-17 10:01:13
Roaming User:
New Client: Yes
OS Name: Microsoft Windows XP 5.1.2600 Service Pack 3
OS Platform: Microsoft Windows
HW Platform: 32-bit
Configuration: Ready (2 hours ago)
Protection Status: Ready (3 days ago)
Protection Features: Ready (14 months ago)
System Information: Ready (2 hours ago)
SysInspector: No Data
Custom Info:
Comment:

In a few days, I hope to be onsite again.

#8
Try running a scan with sig. db 7104. If it's still detected only in memory, it will be necessary to create a SysInspector log and check it for suspicious files. Also, creating a complete memory dump of explorer.exe (PID 308) and submitting it to the ESET viruslab along with the ESI log might help determine the malicious file.
Last edited by Marcos : May 2nd, 2012 at 10:11 AM.