A Windows XP help forum. PCbanter

win8.1 and today's updates, along with a nasty version of Zbot! trojan

  #1  
Old May 15th 14, 11:28 AM posted to alt.comp.os.windows-8
charlie[_2_]

That was a bunch of updates that ganged up on me!
Then, just to add insult, somehow during the process, Thunderbird
decided to do a scheduled email check. Somehow I managed to open and
(Big oops!) run an attachment that installed Zbot, something called
Miranda client in task manager, a subdirectory under
users\------\remote\myykqaet,
and an .exe file in myykqaet.

Windows Defender saw Zbot, tried to make it go away, but the .exe file
kept rerunning under Miranda Client. Even using task manager to kill
things didn't prevent the cloning.
Finally, I stumbled around until I got safe mode running, used Defender
again, and then manually deleted the involved files and sub-directory.
Rebooted, still in safe mode, and re-ran Defender to verify stuff was
back to normal.
Then, I ran into problems getting out of safe mode.
Seems that I had used a Win 7 method to get into safe mode, and Win 8's
instructions didn't work. I was scratching my head, and finally
remembered that the PC was originally set up with Win 7 Pro.
Booted into it (that was an adventure in non-obvious methods),
changed the startup options to normal, and rebooted (thankfully)
into normal Win 8.1.

Things were further complicated by not allowing the PC to use
networking (help files, downloads, etc.) by removing the wifi adapter
until the PC was clean again!

Had to also change passwords, etc.
  #2  
Old May 15th 14, 05:09 PM posted to alt.comp.os.windows-8
Phantom Post

Wolf K wrote:

> This is a case where a Linux-based live-CD cleaning utility/rescue disk
> would be appropriate.

That sounds like a nice tool to have on hand for an emergency. Can you
recommend one?

--

Pat

email: phartzATcoxDOTnet
  #3  
Old May 15th 14, 05:13 PM posted to alt.comp.os.windows-8
Silver Slimer[_7_]

On 14-05-15 12:09 PM, Phantom Post wrote:
> Wolf K wrote:
>
>> This is a case where a Linux-based live-CD cleaning utility/rescue disk
>> would be appropriate.
>
> That sounds like a nice tool to have on hand for an emergency. Can you
> recommend one?

If I'm not mistaken, downloading any distribution and putting it on a
USB key would simultaneously give you access to the tools required for
such a task, as the live distribution it loads also comprises the utilities.

--
Silver Slimer
OpenMedia Supporter
www.silverlips.ca
  #4  
Old May 15th 14, 05:17 PM posted to alt.comp.os.windows-8
Phantom Post

Silver Slimer wrote:

> If I'm not mistaken, downloading any distribution and putting it on a
> USB key would simultaneously give you access to the tools required for
> such a task, as the live distribution it loads also comprises the
> utilities.

Ah, OK. I thought there might be a specific antivirus/malware toolkit.
I've got to look closer at the couple of live CDs I've got.

--

Pat

email: phartzATcoxDOTnet
  #5  
Old May 15th 14, 06:32 PM posted to alt.comp.os.windows-8
Paul

Wolf K wrote:
> On 2014-05-15 6:28 AM, charlie wrote:
>> That was a bunch of updates that ganged up on me!
>> Then, just to add insult, somehow during the process, Thunderbird
>> decided to do a scheduled email check. Somehow I managed to open and
>> (Big oops!) run an attachment that installed Zbot, something called
>> Miranda client in task manager, a subdirectory under
>> users\------\remote\myykqaet,
>> and an .exe file in myykqaet.
>>
>> Windows Defender saw Zbot, tried to make it go away, but the .exe file
>> kept rerunning under Miranda Client. Even using task manager to kill
>> things didn't prevent the cloning.
>> Finally, I stumbled around until I got safe mode running, used Defender
>> again, and then manually deleted the involved files and sub-directory.
>> Rebooted, still in safe mode, and re-ran Defender to verify stuff was
>> back to normal.
>> Then, I ran into problems getting out of safe mode.
>> Seems that I had used a Win 7 method to get into safe mode, and Win 8's
>> instructions didn't work. I was scratching my head, and finally
>> remembered that the PC was originally set up with Win 7 Pro.
>> Booted into it (that was an adventure in non-obvious methods),
>> changed the startup options to normal, and rebooted (thankfully)
>> into normal Win 8.1.
>>
>> Things were further complicated by not allowing the PC to use
>> networking (help files, downloads, etc.) by removing the wifi adapter
>> until the PC was clean again!
>>
>> Had to also change passwords, etc.
>
> "Learning opportunity" or what? Been there, done that, took me almost
> two days to fix, back in XP days. Much worse than a trojan, though, a
> destroyer.
>
> This is a case where a Linux-based live-CD cleaning utility/rescue disk
> would be appropriate.
>
> Good that you could fix it.


You can use the Kaspersky bootable disc for that.
It's based on a stripped down Gentoo, with a
few things missing. I think at one time,
Bitdefender made a disc like that. And F-Secure used
to offer a tool, but I haven't checked their site
in years.

This is the one I use regularly, if there's a
hint of trouble. I haven't had to test this on anything
really nasty, so I don't know how "good" it is about
quarantining things. At least it detects EICAR, so
it's actually doing something :-)

~375 MB

http://support.kaspersky.com/8092

It keeps growing in size, because the definitions
keep getting bigger. I think it might have been
around 235MB at one time.

It has a web browser in it, so you can idly surf the
net while your scan is running.

Paul
  #6  
Old May 15th 14, 06:51 PM posted to alt.comp.os.windows-8
Ron

On 5/15/2014 6:28 AM, charlie wrote:
> That was a bunch of updates that ganged up on me!
> Then, just to add insult, somehow during the process, Thunderbird
> decided to do a scheduled email check. Somehow I managed to open and
> (Big oops!) run an attachment that installed Zbot,


Well this is quite a coincidence. I installed the 5/12/14 updates last
night. After rebooting to finish installing the updates the second it
got to the desktop I was notified by Norton that it had detected and
quarantined Trojan.Zbot. It was located in my Thunderbird trash. It was
a zip file that I never opened. Strange.

  #7  
Old May 15th 14, 08:10 PM posted to alt.comp.os.windows-8
caver1[_4_]

On 05/15/2014 12:13 PM, Silver Slimer wrote:
> On 14-05-15 12:09 PM, Phantom Post wrote:
>> Wolf K wrote:
>>
>>> This is a case where a Linux-based live-CD cleaning utility/rescue disk
>>> would be appropriate.
>>
>> That sounds like a nice tool to have on hand for an emergency. Can you
>> recommend one?
>
> If I'm not mistaken, downloading any distribution and putting it on a
> USB key would simultaneously give you access to the tools required for
> such a task, as the live distribution it loads also comprises the utilities.

You want either Hiren's boot disk or Knoppix, or even both.

--
Caver1
  #8  
Old May 15th 14, 10:10 PM posted to alt.comp.os.windows-8
charlie[_2_]

On 5/15/2014 1:51 PM, Ron wrote:
> On 5/15/2014 6:28 AM, charlie wrote:
>> That was a bunch of updates that ganged up on me!
>> Then, just to add insult, somehow during the process, Thunderbird
>> decided to do a scheduled email check. Somehow I managed to open and
>> (Big oops!) run an attachment that installed Zbot,
>
> Well this is quite a coincidence. I installed the 5/12/14 updates last
> night. After rebooting to finish installing the updates, the second it
> got to the desktop I was notified by Norton that it had detected and
> quarantined Trojan.Zbot. It was located in my Thunderbird trash. It was
> a zip file that I never opened. Strange.

That is similar to what started the problem here.
Win 8.1 Defender did not detect it, likely due to its being in a zip file.
Even more irritating was the exercise of getting into and out of safe mode.
The Win 8 startup options don't give a decent, sensible way to get back
to a "normal" non-safe-mode startup. Then there was the silly thing
about the non-"administrator" user with admin privileges not being able
to easily get to the subdirectories, etc. involved with the Trojan.
I really did not want to possibly compromise any additional user
accounts, other than the affected one.
  #9  
Old May 17th 14, 04:59 PM posted to alt.comp.os.windows-8
Phantom Post

G. Morgan wrote:

>> That sounds like a nice tool to have on hand for an emergency. Can you
>> recommend one?
>
> http://support.kaspersky.com/us/viruses/rescuedisk/

Thanks for all the suggestions, everybody. I downloaded and burned this
Kaspersky disc and checked it out. It's in the toolbox now.

--

Pat

email: phartzATcoxDOTnet
  #10  
Old May 17th 14, 07:11 PM posted to alt.comp.os.windows-8
Paul

Phantom Post wrote:
> G. Morgan wrote:
>
>>> That sounds like a nice tool to have on hand for an emergency. Can you
>>> recommend one?
>>
>> http://support.kaspersky.com/us/viruses/rescuedisk/
>
> Thanks for all the suggestions, everybody. I downloaded and burned this
> Kaspersky disc and checked it out. It's in the toolbox now.

There are some small notes about its use.

1) It's Gentoo based. And some things have been stripped
off, in the name of reduced file size. For example,
you're not likely to find manpages on there.

2) When it comes up, and after you agree to the license
and the desktop appears, there is a tab in the main
KAV window to "update definitions" or the like. Clicking
that button, gets whatever updates were issued since
they last made the CD. You would probably be a week out
of date, on your first usage.

3) The OS has support for Ethernet at least. I need to have
my ADSL modem and router, already properly configured
so step (2) will work.

4) Kaspersky does not have dialup PPP support on the disc.
If you're a Windows dialup user, then your networking will
be dead. And you won't have the latest update at hand.

Scanning time is variable. For best performance:

1) Move that Firefox source tarball you downloaded,
off the partition you want to scan. The scanner
will actually "die" as it attempts to expand that.
Like any AV, KAV is protected against decompression
bombs, but large "true" archives can defeat it.
Even with infinite memory, that will happen. Move
extremely large tarballs, out of the way. Similarly,
don't leave an ISO of Win8 sitting on the drive,
as scanning that could be a large waste of time.

2) Once you trim the stuff to be scanned, to 100MB packages
you downloaded, it's less likely to spin its wheels for
too long.

Following a few simple rules, will cut the scan time from
2 hours, to 20 minutes.

Some notes about drive (partition) lettering...

1) The interface has "drive letters" showing. The OS will
ask you "are you running Windows 8 ?". What it is partially
doing, is on multiboot systems it wants you to identify
(by elimination), a single OS partition. It reads the
Registry on that C:, gets the DOSMount letter info out
of the Registry. That's how it *attempts* to label the
discs. On my triple boot Win2K/WinXP/Win8 machine, it
nominates the Win2K disk as C:, gets the drive lettering
scheme from Win2K Registry. Since I'm normally scanning WinXP
for virii, the letter on screen ends up being E:. I scan E:,
because C: is Win2K, and Win8 is some other letter.
E: happens to be the partition I need to scan.

2) You don't need to know Linux to use KAV, but it helps.
You can open a Terminal window from the menu in the
lower left corner, type "df" and get a table of all
mounted partitions. I can go to something like (not
sure of spelling...) /discs/E: and have a look.

ls /discs/E:

And on there, I have an empty text file IMWINXP.txt I
use, to tell me that /discs/E: corresponds to WinXP.

The tool refuses to just print the "label" placed on
each partition. I have WIN2K and WINXP as file system
labels on C: and E: and can't see the label. If you place
an "identifier file" at the top level of each partition,
you'll have easy confirmation which letter is which.
That helps you positively identify what is about to be
scanned.

3) The tool, if you've never used it before, *maybe* it'll
do a good job of keeping the log from one run to the next.
Virus definitions are stored on one of your hard drives,
and you can look in the nominated C: drive for them.
So my Win2K partition ends up with a Kaspersky directory
on it. If the log is ever looking particularly useless to
you, you can hoover out that folder and leave it empty
for the next run. It'll just mean a bit more AV
definition downloading on the next run.

4) For swap, the Linux OS mounts my Win2K pagefile.sys
as a place to store swap. I can tell, by using "top"
in the Terminal window, and comparing one of the
parameters there, to the sizes of my pagefiles. And
that's how I can tell it uses the nominated C: pagefile.
It should clean the pagefile, before shutting down for
a reboot, at the end of a session.

5) It stores quarantined stuff somewhere, but I've never
needed to figure out where. When I test with EICAR and
it finds EICAR, I just tell it to ignore the file. I've
never actually quarantined anything with it yet. Make sure,
wherever the quarantine folder is, that it's stored on
a hard drive, and not on a RAM drive of some sort. There
are some AV products that store quarantined files on a
RAM drive. And later, the user realizes (when a false positive
happens) that the file they need to recover from that
false positive has long since disappeared on a reboot.

Happy scanning,
Paul
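One way to turn the "identifier file" trick from note 2 and the RAM-drive caveat from note 5 into something repeatable, as an added example that is not part of Paul's post and not code from the Kaspersky disc: the script below walks a list of mount points (the /discs/E: style paths and the IM<NAME>.txt marker names are assumptions, constructed to match the post) and prints which OS each one holds, and it uses POSIX df -P to tell whether a given folder, such as a quarantine folder, sits on tmpfs or ramfs rather than a real disk. Sample mount directories for the usage are constructed under a temporary path.

```shell
#!/bin/sh
# Added example, not from the original post or the Kaspersky rescue disc.
# Assumed convention: each partition carries an empty marker file IM<NAME>.txt
# at its top level (e.g. IMWINXP.txt), placed there from inside that OS.

# identify_mounts MOUNTPOINT... : print "<mountpoint> <name>" for each
# directory; mounts without a marker file print "unknown" so nothing is
# scanned on a guess.
identify_mounts() {
    for mp in "$@"; do
        [ -d "$mp" ] || continue
        found=""
        for f in "$mp"/IM*.txt; do
            [ -e "$f" ] || continue          # no glob match: skip literal
            name=$(basename "$f")
            name=${name#IM}                  # strip the IM prefix
            name=${name%.txt}                # strip the .txt suffix
            found="$name"
            break
        done
        printf '%s %s\n' "$mp" "${found:-unknown}"
    done
}

# fs_device_of DIR : the device (first df column) backing DIR, via POSIX df -P.
fs_device_of() {
    df -P "$1" | awk 'NR==2 {print $1}'
}

# is_on_ram_disk DIR : exit 0 when DIR lives on tmpfs/ramfs, 1 otherwise.
# Use on the quarantine folder before trusting it to survive a reboot.
is_on_ram_disk() {
    case "$(fs_device_of "$1")" in
        tmpfs|ramfs) return 0 ;;
        *)           return 1 ;;
    esac
}

# Usage (constructed sample): build three fake mount points, mark two of them,
# then list them and check whether one would be a safe quarantine location.
if [ "$#" -eq 0 ] && [ -z "$SKIP_DEMO" ]; then
    demo=$(mktemp -d)
    mkdir "$demo/C:" "$demo/E:" "$demo/F:"
    : > "$demo/C:/IMWIN2K.txt"
    : > "$demo/E:/IMWINXP.txt"
    identify_mounts "$demo/C:" "$demo/E:" "$demo/F:"
    if is_on_ram_disk "$demo"; then
        echo "$demo is on a RAM disk: do not keep quarantine here"
    else
        echo "$demo is on $(fs_device_of "$demo"): quarantine would persist"
    fi
    rm -rf "$demo"
fi
```

On the rescue disc you would pass the real mount points, e.g. `identify_mounts /discs/*` after checking `df` as the post describes; an "unknown" line means the partition has no marker yet and should be identified by other means before scanning.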
  #11  
Old May 17th 14, 08:54 PM posted to alt.comp.os.windows-8
Phantom Post

Paul wrote:

> Happy scanning,
> Paul

Thanks for the info, Paul. I currently don't have a problem to solve with
Kaspersky. I'm just the guy that popped in to ask about these live CD
solutions for future reference. I'll keep this info on hand though.

--

Pat

email: phartzATcoxDOTnet
All times are GMT +1. The time now is 04:10 PM.