explorer.exe infected with a variant of Win32/spy.zbot.ZR

Discussion in 'ESET NOD32 Antivirus' started by duijv023, Apr 25, 2012.

Thread Status:
Not open for further replies.
  1. duijv023

    duijv023 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    230
    Location:
    Rijnsburg, Netherlands
    Hi
    On a customer's PC, ESET NOD32 V4.2.71 is detecting this now and then in the startup scanner (unable to clean).
    A full scan often does not find/clean it. Is there a removal tool available that I can advise them to use?

    Greetings from Holland
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Just a suggestion, why not update to version 5.0.95 and go from there. Trying to remove it in safe mode may be your best bet.
     
    Last edited: Apr 25, 2012
  3. duijv023

    duijv023 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    230
    Location:
    Rijnsburg, Netherlands
    The reason I did not do so is because it is a Business Edition (there is no v5 available, only the RC of Endpoint Security).
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I see.
     
  5. Rusty_Shackleford

    Rusty_Shackleford Registered Member

    Joined:
    Nov 21, 2011
    Posts:
    11
    Location:
    USA
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Wasn't it detected during a memory scan? Please copy & paste the appropriate record from the Threat log here.
     
  7. duijv023

    duijv023 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    230
    Location:
    Rijnsburg, Netherlands
    Unfortunately I only have access to ERAC at this moment.
    There I see:

    Column Name: Value
    Threat Id: Threat 1103
    Client Name: ######
    Computer Name: ######
    MAC Address: 0019d1a990aa
    Primary Server: ######
    Date Received: 2012-04-22 16:25:26
    Date Occurred: 2012-04-22 16:21:21
    Level: Critical Warning
    Scanner: Startup scanner
    Object: file
    Name: Operating memory » explorer.exe(308)
    Threat: a variant of Win32/Spy.Zbot.ZR trojan
    Action: unable to clean
    User:
    Information:
    Details: Ready


    Column Name: Value
    Client Name: ######
    Computer Name: ######
    MAC Address: 0019d1a990aa
    Primary Server: ######
    Domain: ###.###
    IP: 192.168.1.27
    Product Name: ESET NOD32 Antivirus BUSINESS EDITION
    Product Version: 4.2.71
    Policy Name: Default Primary Clients Policy
    Last Connected: 2012-05-01 13:10:38
    Protection Status Text:
    Virus Signature DB: 7100 (20120501)
    Last Threat Alert: a variant of Win32/Spy.Zbot.ZR trojan
    Last Firewall Alert:
    Last Event: Warning
    Last Files Scanned:
    Last Files Infected:
    Last Files Cleaned:
    Last Scan Date:
    Restart Request:
    Restart Request Date:
    Product Last Started: 2012-04-27 09:09:19
    Product Install Date: 2008-06-17 10:01:13
    Roaming User:
    New Client: Yes
    OS Name: Microsoft Windows XP 5.1.2600 Service Pack 3
    OS Platform: Microsoft Windows
    HW Platform: 32-bit
    Configuration: Ready (2 hours ago)
    Protection Status: Ready (3 days ago)
    Protection Features: Ready (14 months ago)
    System Information: Ready (2 hours ago)
    SysInspector: No Data
    Custom Info:
    Comment:


    In a few days, I hope to be onsite again
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Try running a scan with sig. db 7104. If it's still detected only in memory, it will be necessary to create a SysInspector log and check it for suspicious files. Also, taking a complete memory dump of explorer.exe (PID 308) and submitting it to the ESET viruslab along with the ESI log might help determine the malicious file.
     
    Last edited: May 2, 2012