#1
win8.1 and today's updates, along with a nasty version of Zbot! trojan
That was a bunch of updates that ganged up on me!

Then, just to add insult, somehow during the process, Thunderbird decided to do a scheduled email check. Somehow I managed to open and (Big Oops!) run an attachment that installed Zbot, something called Miranda client in task manager, a subdirectory under users\------\remote\myykqaet, and an .exe file in myykqaet. Windows Defender saw Zbot, tried to make it go away, but the .exe file kept rerunning under Miranda Client. Even using task manager to kill things didn't prevent the cloning. Finally, I stumbled around until I got safe mode running, used Defender again, and then manually deleted the involved files and sub-directory. Rebooted, still in safe mode, and re-ran Defender to verify stuff was back to normal.

Then, I ran into problems getting out of safe mode. Seems that I had used a Win 7 method to get into safe mode, and Win 8's instructions didn't work. I was scratching my head, and finally remembered that the P/C was originally set up with Win 7 Pro. Booted into it (that was an adventure in non-obvious methods), changed the startup options to normal, and rebooted (thankfully) into normal Win 8.1. Things were further complicated by not allowing the P/C to use networking (help files, downloads, etc.) by removing the wifi adapter until the P/C was clean again! Had to also change passwords, etc.
#2
win8.1 and today's updates, along with a nasty version of Zbot! trojan
Wolf K wrote in :
> This is a case where a Linux-based live-CD cleaning utility/rescue disk would be appropriate.

That sounds like a nice tool to have on hand for an emergency. Can you recommend one?

--
Pat
email: phartzATcoxDOTnet
#3
win8.1 and today's updates, along with a nasty version of Zbot! trojan
On 14-05-15 12:09 PM, Phantom Post wrote:
> Wolf K wrote in :
>> This is a case where a Linux-based live-CD cleaning utility/rescue disk would be appropriate.
>
> That sounds like a nice tool to have on hand for an emergency. Can you recommend one?

If I'm not mistaken, downloading any distribution and putting it on a USB key would simultaneously give you access to the tools required for such a task, as the live distribution it loads also comprises the utilities.

--
Silver Slimer
OpenMedia Supporter
www.silverlips.ca
#4
win8.1 and today's updates, along with a nasty version of Zbot! trojan
Silver Slimer wrote in :
> If I'm not mistaken, downloading any distribution and putting it on a USB key would simultaneously give you access to the tools required for such a task, as the live distribution it loads also comprises the utilities.

Ah, OK. I thought there might be a specific antivirus/malware toolkit. I've got to look closer at the couple of live CDs I've got.

--
Pat
email: phartzATcoxDOTnet
#5
win8.1 and today's updates, along with a nasty version of Zbot! trojan
Wolf K wrote:
> On 2014-05-15 6:28 AM, charlie wrote:
>> That was a bunch of updates that ganged up on me! Then, just to add insult, somehow during the process, Thunderbird decided to do a scheduled email check. Somehow I managed to open and (Big Oops!) run an attachment that installed Zbot, something called Miranda client in task manager, a subdirectory under users\------\remote\myykqaet, and an .exe file in myykqaet. Windows Defender saw Zbot, tried to make it go away, but the .exe file kept rerunning under Miranda Client. Even using task manager to kill things didn't prevent the cloning. Finally, I stumbled around until I got safe mode running, used Defender again, and then manually deleted the involved files and sub-directory. Rebooted, still in safe mode, and re-ran Defender to verify stuff was back to normal. Then, I ran into problems getting out of safe mode. Seems that I had used a Win 7 method to get into safe mode, and Win 8's instructions didn't work. I was scratching my head, and finally remembered that the P/C was originally set up with Win 7 Pro. Booted into it (that was an adventure in non-obvious methods), changed the startup options to normal, and rebooted (thankfully) into normal Win 8.1. Things were further complicated by not allowing the P/C to use networking (help files, downloads, etc.) by removing the wifi adapter until the P/C was clean again! Had to also change passwords, etc.
>
> "Learning opportunity" or what? Been there, done that, took me almost two days to fix, back in XP days. Much worse than a trojan, though, a destroyer. This is a case where a Linux-based live-CD cleaning utility/rescue disk would be appropriate. Good that you could fix it.

You can use the Kaspersky bootable disc for that. It's based on a stripped-down Gentoo, with a few things missing. I think at one time, Bitdefender made a disc like that. And FSecure used to offer a tool, but I haven't checked their site in years. This is the one I use regularly, if there's a hint of trouble.

I haven't had to test this on anything really nasty, so I don't know how "good" it is about quarantining things. At least it detects EICAR, so it's actually doing something :-)

~375 MB http://support.kaspersky.com/8092

It keeps growing in size, because the definitions keep getting bigger. I think it might have been around 235MB at one time. It has a web browser in it, so you can idly surf the net while your scan is running.

Paul
#6
win8.1 and today's updates, along with a nasty version of Zbot! trojan
On 5/15/2014 6:28 AM, charlie wrote:
> That was a bunch of updates that ganged up on me! Then, just to add insult, somehow during the process, Thunderbird decided to do a scheduled email check. Somehow I managed to open and (Big Oops!) run an attachment that installed Zbot,

Well this is quite a coincidence. I installed the 5/12/14 updates last night. After rebooting to finish installing the updates, the second it got to the desktop I was notified by Norton that it had detected and quarantined Trojan.Zbot. It was located in my Thunderbird trash. It was a zip file that I never opened. Strange.
#7
win8.1 and today's updates, along with a nasty version of Zbot! trojan
On 05/15/2014 12:13 PM, Silver Slimer wrote:
> On 14-05-15 12:09 PM, Phantom Post wrote:
>> Wolf K wrote in :
>>> This is a case where a Linux-based live-CD cleaning utility/rescue disk would be appropriate.
>>
>> That sounds like a nice tool to have on hand for an emergency. Can you recommend one?
>
> If I'm not mistaken, downloading any distribution and putting it on a USB key would simultaneously give you access to the tools required for such a task, as the live distribution it loads also comprises the utilities.

You want either Hirens boot disk or Knoppix or even both.

--
Caver1
#8
win8.1 and today's updates, along with a nasty version of Zbot! trojan
On 5/15/2014 1:51 PM, Ron wrote:
> On 5/15/2014 6:28 AM, charlie wrote:
>> That was a bunch of updates that ganged up on me! Then, just to add insult, somehow during the process, Thunderbird decided to do a scheduled email check. Somehow I managed to open and (Big Oops!) run an attachment that installed Zbot,
>
> Well this is quite a coincidence. I installed the 5/12/14 updates last night. After rebooting to finish installing the updates, the second it got to the desktop I was notified by Norton that it had detected and quarantined Trojan.Zbot. It was located in my Thunderbird trash. It was a zip file that I never opened. Strange.

That is similar to what started the problem here. Win 8.1 Defender did not detect it, likely due to being in a zip file. Even more irritating was the exercise getting into and out of safe mode. The Win 8 startup options don't give a decent sensible way to get back to a "normal" non-safe-mode startup. Then there was the silly thing about the non-"administrator" user with admin privileges not being able to easily get to the subdirectories, etc. involved with the Trojan. I really did not want to possibly compromise any additional user accounts, other than the affected one.
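Both charlie and Ron describe the attachment arriving as a zip, and charlie notes that Defender did not flag it while it sat inside the archive. The script below is an added example, not code from the thread or from any of its posters: it lists a zip's members without fully extracting them and flags the ones that look executable, by a Windows-executable extension, by a document-then-executable double extension, by the PE "MZ" header, or by being password-protected (which blocks inspection entirely). The sample archive it builds is constructed in the script, and member names such as invoice.pdf.exe are made up for illustration.

```python
"""Flag executable content inside a zip attachment without extracting it.

Added example, not code from the thread. The sample archive below is
constructed here for illustration; the member names are made up.
"""
import io
import zipfile

# Extensions Windows will execute when the file is opened.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi", ".dll", ".ps1", ".lnk"}
# Extensions an attacker hides behind in a double extension (invoice.pdf.exe).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"          # first two bytes of every Windows PE executable
ZIP_ENCRYPTED = 0x0001    # general-purpose flag bit marking an encrypted member


def inspect_member(zf, info):
    """Return the list of reasons a single zip member looks executable."""
    reasons = []
    base = info.filename.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DOC_EXTENSIONS and ext in EXEC_EXTENSIONS:
        reasons.append("document extension followed by executable extension")
    if info.flag_bits & ZIP_ENCRYPTED:
        # Password-protected members cannot be inspected at all; treat that as a finding.
        reasons.append("encrypted member, content not inspectable")
    elif info.file_size >= len(PE_MAGIC):
        # Streaming read of only the first two bytes: the member is decompressed
        # incrementally, so a decompression bomb is never inflated in full.
        with zf.open(info) as fh:
            head = fh.read(len(PE_MAGIC))
        if head == PE_MAGIC:
            reasons.append("PE header (MZ) regardless of extension")
    return reasons


def scan_zip(data):
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(zf, info)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample: a harmless text file, a PE disguised with a double
    extension, and a PE hidden behind a .dat extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62 + b"fake PE body")
        zf.writestr("photos/holiday.dat", b"MZ" + b"\x90" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Reading only the first two bytes through a streaming handle is deliberate: the archive is never expanded in full, so an oversized member costs nothing more than a few bytes of inflation. An encrypted member is reported as a finding rather than skipped, because an archive that cannot be inspected is exactly the case a mail scanner tends to wave through.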
#9
win8.1 and today's updates, along with a nasty version of Zbot! trojan
G. Morgan wrote in :
>> That sounds like a nice tool to have on hand for an emergency. Can you recommend one?
>
> http://support.kaspersky.com/us/viruses/rescuedisk/

Thanks for all the suggestions, everybody. I downloaded and burned this Kaspersky disc and checked it out. It's in the toolbox now.

--
Pat
email: phartzATcoxDOTnet
#10
win8.1 and today's updates, along with a nasty version of Zbot! trojan
Phantom Post wrote:
> G. Morgan wrote in :
>>> That sounds like a nice tool to have on hand for an emergency. Can you recommend one?
>>
>> http://support.kaspersky.com/us/viruses/rescuedisk/
>
> Thanks for all the suggestions, everybody. I downloaded and burned this Kaspersky disc and checked it out. It's in the toolbox now.

There are some small notes about its use.

1) It's Gentoo based. And some things have been stripped off, in the name of reduced file size. For example, you're not likely to find manpages on there.
2) When it comes up, and after you agree to the license and the desktop appears, there is a tab in the main KAV window to "update definitions" or the like. Clicking that button gets whatever updates were issued since they last made the CD. You would probably be a week out of date on your first usage.
3) The OS has support for Ethernet at least. I need to have my ADSL modem and router already properly configured so step (2) will work.
4) Kaspersky does not have dialup PPP support on the disc. If you're a Windows dialup user, then your networking will be dead. And you won't have the latest update at hand.

Scanning time is variable. For best performance:

1) Move that Firefox source tarball you downloaded off the partition you want to scan. The scanner will actually "die" as it attempts to expand that. Like any AV, KAV is protected against decompression bombs, but large "true" archives can defeat it. Even with infinite memory, that will happen. Move extremely large tarballs out of the way. Similarly, don't leave an ISO of Win8 sitting on the drive, as scanning that could be a large waste of time.
2) Once you trim the stuff to be scanned to 100MB packages you downloaded, it's less likely to spin its wheels for too long.

Following a few simple rules will cut the scan time from 2 hours to 20 minutes.

Some notes about drive (partition) lettering...

1) The interface has "drive letters" showing. The OS will ask you "are you running Windows 8?". What it is partially doing, is on multiboot systems it wants you to identify (by elimination) a single OS partition. It reads the Registry on that C:, gets the DOSMount letter info out of the Registry. That's how it *attempts* to label the discs. On my triple boot Win2K/WinXP/Win8 machine, it nominates the Win2K disk as C:, gets the drive lettering scheme from the Win2K Registry. Since I'm normally scanning WinXP for virii, the letter on screen ends up being E:. I scan E:, because C: is Win2K, and Win8 is some other letter. E: happens to be the partition I need to scan.
2) You don't need to know Linux to use KAV, but it helps. You can open a Terminal window from the menu in the lower left corner, type "df" and get a table of all mounted partitions. I can go to something like (not sure of spelling...) /discs/E: and have a look.

   ls /discs/E:

   And on there, I have an empty text file IMWINXP.txt I use, to tell me that /discs/E: corresponds to WinXP. The tool refuses to just print the "label" placed on each partition. I have WIN2K and WINXP as file system labels on C: and E: and can't see the label. If you place an "identifier file" at the top level of each partition, you'll have easy confirmation which letter is which. That helps you positively identify what is about to be scanned.
3) The tool, if you've never used it before, *maybe* it'll do a good job of keeping the log from one run to the next. Virus definitions are stored on one of your hard drives, and you can look in the nominated C: drive for them. So my Win2K partition ends up with a Kaspersky directory on it. If the log is ever looking particularly useless to you, you can hoover out that folder and leave it empty for the next run. It'll just mean a bit more AV definition downloading on the next run.
4) For swap, the Linux OS mounts my Win2K pagefile.sys as a place to store swap. I can tell by using "top" in the Terminal window, and comparing one of the parameters there to the sizes of my pagefiles. And that's how I can tell it uses the nominated C: pagefile. It should clean the pagefile before shutting down for a reboot, at the end of a session.
5) It stores quarantined stuff somewhere, but I've never needed to figure out where. When I test with EICAR and it finds EICAR, I just tell it to ignore the file. I've never actually quarantined anything with it yet. Make sure, wherever the quarantine folder is, that it's stored on a hard drive, and not on a RAM drive of some sort. There are some AV products that store quarantined files on a RAM Drive. And later, the user realizes (when a false positive happens) that the file they need to recover from that false positive has long since disappeared on a reboot.

Happy scanning,
Paul
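Two of Paul's points above can be checked from the live disc's terminal rather than guessed at: which partition a /discs/ letter really is (his identifier-file trick), and whether the quarantine or log folder sits on a filesystem that survives a reboot. The script below is an added example, not Paul's or Kaspersky's code. It parses a /proc/mounts-style table (the embedded table is constructed for the example; the /discs/ mount points follow Paul's description and the scratch tmpfs under /discs/E: is invented to show the edge case), resolves a path to the mount that actually backs it by longest-prefix match, reports whether that filesystem type is volatile, and reads Paul's IM<LABEL>.txt marker-file convention back into a label.

```python
"""Where does a rescue-disc folder really live, and which partition is which?

Added example, not code from the thread or from Kaspersky. The mount table
below is constructed for the example; on a real live disc use
load_system_mounts(), which reads /proc/mounts.
"""
import os
import posixpath

# Filesystem types that live in RAM or on the boot medium and vanish on reboot.
VOLATILE_FS = {"tmpfs", "ramfs", "devtmpfs", "overlay", "squashfs", "aufs"}

# Constructed sample in /proc/mounts layout: device mountpoint fstype options dump pass.
# The /discs/ mount points follow Paul's description; the scratch tmpfs is invented.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /discs/C: ntfs-3g rw,relatime 0 0
/dev/sda3 /discs/E: ntfs-3g rw,relatime 0 0
tmpfs /discs/E:/scratch tmpfs rw 0 0
"""


def parse_mounts(text):
    """Return (device, mountpoint, fstype) tuples from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        device, mountpoint, fstype = fields[:3]
        # The kernel escapes spaces in mount points as \040.
        mounts.append((device, mountpoint.replace("\\040", " "), fstype))
    return mounts


def mount_for(path, mounts):
    """Longest mount-point prefix wins, so a tmpfs mounted under /discs/E:
    is reported for paths beneath it rather than the NTFS partition above."""
    path = posixpath.normpath(path)
    best = None
    for device, mp, fstype in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[1]):
                best = (device, mp, fstype)
    return best


def check_folder(path, mounts):
    """Describe the filesystem backing `path` and whether it survives a reboot."""
    found = mount_for(path, mounts)
    if found is None:
        return {"path": path, "device": None, "mount": None, "fstype": None, "volatile": None}
    device, mp, fstype = found
    return {"path": path, "device": device, "mount": mp, "fstype": fstype,
            "volatile": fstype in VOLATILE_FS}


def label_from_markers(filenames):
    """Paul's convention: an empty IMWINXP.txt at the top of a partition names it.
    Returns the LABEL part of the first IM<LABEL>.txt found, else None."""
    for name in sorted(filenames):
        upper = name.upper()
        if upper.startswith("IM") and upper.endswith(".TXT") and len(upper) > 6:
            return upper[2:-4]
    return None


def label_mount(mountpoint):
    """Read the marker file from a real mount point (None if unreadable or absent)."""
    try:
        return label_from_markers(os.listdir(mountpoint))
    except OSError:
        return None


def load_system_mounts():
    """Read the live system's table, falling back to the sample when offline."""
    try:
        with open("/proc/mounts") as fh:
            return parse_mounts(fh.read())
    except OSError:
        return parse_mounts(SAMPLE_MOUNTS)


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for folder in ("/discs/E:/Kaspersky/quarantine", "/tmp/kav-quarantine", "/discs/E:/scratch/q"):
        info = check_folder(folder, mounts)
        verdict = "VOLATILE, will not survive reboot" if info["volatile"] else "persistent"
        print(f"{folder}: {info['fstype']} on {info['mount']} ({verdict})")
    print("marker label:", label_from_markers(["Windows", "IMWINXP.txt", "pagefile.sys"]))
```

The longest-prefix rule matters because a folder under an NTFS mount can still be on tmpfs if something is mounted over a subdirectory; checking only the top-level /discs/E: entry would report it as persistent. On a real live disc, replace parse_mounts(SAMPLE_MOUNTS) with load_system_mounts() and pass each /discs/ mount point to label_mount() to get the same confirmation Paul gets from ls.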
#11
win8.1 and today's updates, along with a nasty version of Zbot! trojan
Paul wrote in :
> Happy scanning,
> Paul

Thanks for the info, Paul. I currently don't have a problem to solve with Kaspersky. I'm just the guy that popped in to ask about these live CD solutions for future reference. I'll keep this info on hand though.

--
Pat
email: phartzATcoxDOTnet