...and it sets off my AVAST! network shield.
I was hit at the same time by two separate processes in different folders trying to contact urbangood.info.
The first was a string of numbers for a name of an app in my user folder. This didn't change name, it remained the same but set my network shield off about every ten minutes no matter what I was doing.
The second, that hit at the same time and is clearly connected, is changing name. I can see the apps spawning in the programdata folder and changing name to a string of letters. There is one file that stays the same name (and it is listed as a file not an app, called 'ootlclxrxndzgll'), and every time there is a change of the time on the date last modified for it, another app is spawned or one disappears, so it definitely seems to be the 'cause' of it. This sets off my network shield too, but it seems to be only when I open up a webpage with this one, and it's a different app with a new name each time that is listed on the Avast popup. It is also trying to contact urbangood.info.
Now, I ran Sophos virus removal tool. It found two threats. One I have no idea if it was related or not, but the other was definitely related. It was called the troj/zbot-cbw and after clean up it successfully deleted the first app I described, the one that was a string of numbers and remained the same.
However, after clean up, it hasn't got rid of the ones in the programdata folder that are spawning and changing.
The log Sophos left over is:
2012-06-22 20:13:33 Could not open C:\hiberfil.sys
2012-06-22 20:14:06 Could not open C:\pagefile.sys
2012-06-22 20:28:57 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57 Could not open C:\System Volume Information\{dc5226be-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57 Could not open C:\System Volume Information\{dc5226cc-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57 Could not open C:\System Volume Information\{dc522731-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:29:20 >>> Virus 'Troj/Zbot-CBW' found in file C:\Users\Katherine\0.5262248442813692.exe
2012-06-22 21:00:44 >>> Virus 'Mal/ExpJS-AL' found in file C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm
2012-06-22 21:16:38 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2012-06-22 21:16:38 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\DEFAULT
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SAM
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SECURITY
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SYSTEM
2012-06-22 21:17:16 Could not open C:\Windows\System32\drivers\sptd.sys
2012-06-22 21:35:57 The following items will be cleaned up:
2012-06-22 21:35:57 Troj/Zbot-CBW
2012-06-22 21:35:57 Mal/ExpJS-AL
2012-06-22 21:36:22 Process "C:\Users\Katherine\0.5262248442813692.exe:pid:00002d7c" belongs to 'Troj/Zbot-CBW'.
2012-06-22 21:36:22 Process "C:\Users\Katherine\0.5262248442813692.exe:pid:00002d7c" has been cleaned up.
2012-06-22 21:36:22 File "C:\Users\Katherine\0.5262248442813692.exe" belongs to 'Troj/Zbot-CBW'.
2012-06-22 21:36:22 File "C:\Users\Katherine\0.5262248442813692.exe" has been cleaned up.
2012-06-22 21:36:22 Removal successful
2012-06-22 21:36:34 File "C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm" belongs to malware 'Mal/ExpJS-AL'.
2012-06-22 21:36:34 File "C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm" has been cleaned up.
2012-06-22 21:36:34 Removal successful
2012-06-22 21:37:56 Scan completed.
2012-06-22 21:37:56
Any ideas on how I can get rid of this other half of the problem? Is it left over from the clean up? I'm running a Kaspersky virus removal tool scan now, but I'm losing hope! I should also say I'm a tech simpleton so I may be slow!
Thanks in advance
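
One way to triage a removal-tool log like the one in the post above, as an added example that is not part of the original post or of any Sophos tooling: it separates the "Could not open" noise from real detections, checks that every detected file has a matching clean-up line, and reports whether any detection fell under a given folder. The function names are made up for this example, and the sample lines are abridged from the log in the post.

```python
import re
from collections import defaultdict

# Sample lines abridged from the log in the post above.
SAMPLE_LOG = r"""
2012-06-22 20:13:33 Could not open C:\hiberfil.sys
2012-06-22 20:29:20 >>> Virus 'Troj/Zbot-CBW' found in file C:\Users\Katherine\0.5262248442813692.exe
2012-06-22 21:00:44 >>> Virus 'Mal/ExpJS-AL' found in file C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm
2012-06-22 21:36:22 File "C:\Users\Katherine\0.5262248442813692.exe" belongs to 'Troj/Zbot-CBW'.
2012-06-22 21:36:22 File "C:\Users\Katherine\0.5262248442813692.exe" has been cleaned up.
2012-06-22 21:36:34 File "C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm" has been cleaned up.
2012-06-22 21:37:56 Scan completed.
"""

TS = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
FOUND = re.compile(TS + r">>> Virus '(?P<name>[^']+)' found in file (?P<path>.+)$")
CLEANED = re.compile(TS + r'File "(?P<path>[^"]+)" has been cleaned up\.$')
SKIPPED = re.compile(TS + r"Could not open (?P<path>.+)$")

def triage(log_text):
    """Split a scan log into detections, cleaned files and unread paths."""
    report = {"detected": defaultdict(set), "cleaned": set(), "skipped": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := FOUND.match(line):
            report["detected"][m["name"]].add(m["path"])
        elif m := CLEANED.match(line):
            report["cleaned"].add(m["path"])
        elif m := SKIPPED.match(line):
            report["skipped"].append(m["path"])
    return report

def still_present(report):
    """Detected files with no matching 'has been cleaned up' line."""
    return set().union(*report["detected"].values()) - report["cleaned"]

def detections_under(report, folder):
    """Detected paths inside `folder` (case-insensitive, as on Windows)."""
    prefix = folder.rstrip("\\").lower() + "\\"
    return sorted(p for paths in report["detected"].values()
                  for p in paths if p.lower().startswith(prefix))

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("detected:", {k: sorted(v) for k, v in r["detected"].items()})
    print("not cleaned:", still_present(r))
    print("under ProgramData:", detections_under(r, r"C:\ProgramData"))
```

On this log both detections are cleaned and nothing is reported under `C:\ProgramData`, so the scan never flagged the files described there and they need a separate scan or manual review.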