explorer.exe infected with a variant of Win32/spy.zbot.ZR

Discussion in 'ESET NOD32 Antivirus' started by duijv023, Apr 25, 2012.

Thread Status:
Not open for further replies.
  1. duijv023
    duijv023 Registered Member

    Hi
    On a customer's PC, Eset NOD32 V4.2.71 is detecting this now and then in the startup scanner (unable to clean).
    A full scan often does not find/clean it. Is there a removal tool available that I can advise to use?

    Greetings from Holland
  2. Dark Shadow
    Dark Shadow Registered Member

    Just a suggestion, why not update to version 5 0.95 and go from there? Try to remove it in safe mode, maybe your best bet.
    Last edited: Apr 25, 2012
  3. duijv023
    duijv023 Registered Member

    The reason I did not do so is because it is a Business Edition (there is no v5 available, only RC Endpoint Security).
  4. Dark Shadow
    Dark Shadow Registered Member

    I see.
  5. Rusty_Shackleford
    Rusty_Shackleford Registered Member

  6. Marcos
    Marcos Eset Staff Account

    Wasn't it detected during a memory scan? Please copy & paste the appropriate record from the Threat log here.
  7. duijv023
    duijv023 Registered Member

    Unfortunately I only have access to ERAC at this moment.
    There I see:

    Column Name Value
    Threat Id Threat 1103
    Client Name ######
    Computer Name ######
    MAC Address 0019d1a990aa
    Primary Server ######
    Date Received 2012-04-22 16:25:26
    Date Occurred 2012-04-22 16:21:21
    Level Critical Warning
    Scanner Startup scanner
    Object file
    Name Operating memory » explorer.exe(308)
    Threat a variant of Win32/Spy.Zbot.ZR trojan
    Action unable to clean
    User
    Information
    Details Ready


    Column Name Value
    Client Name ######
    Computer Name ######
    MAC Address 0019d1a990aa
    Primary Server ######
    Domain ###.###
    IP 192.168.1.27
    Product Name ESET NOD32 Antivirus BUSINESS EDITION
    Product Version 4.2.71
    Policy Name Default Primary Clients Policy
    Last Connected 2012-05-01 13:10:38
    Protection Status Text
    Virus Signature DB 7100 (20120501)
    Last Threat Alert a variant of Win32/Spy.Zbot.ZR trojan
    Last Firewall Alert
    Last Event Warning
    Last Files Scanned
    Last Files Infected
    Last Files Cleaned
    Last Scan Date
    Restart Request
    Restart Request Date
    Product Last Started 2012-04-27 09:09:19
    Product Install Date 2008-06-17 10:01:13
    Roaming User
    New Client Yes
    OS Name Microsoft Windows XP 5.1.2600 Service Pack 3
    OS Platform Microsoft Windows
    HW Platform 32-bit
    Configuration Ready (2 hours ago)
    Protection Status Ready (3 days ago)
    Protection Features Ready (14 months ago)
    System Information Ready (2 hours ago)
    SysInspector No Data
    Custom Info
    Comment


    In a few days, I hope to be onsite again
  8. Marcos
    Marcos Eset Staff Account

    Try running a scan with sig. db 7104. If it's still detected only in memory, it will be necessary to create a SysInspector log and check it for suspicious files. Also a complete memory dump of explorer.exe (PID 308) and submitting it to the ESET viruslab along with the ESI log might help determine the malicious file.
    Last edited: May 2, 2012