Author Topic: *SOLVED* Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?  (Read 6613 times)


eclectic

  • Guest
Quote
24/06/2008 17:12:39   SYSTEM   1856   Sign of "Win32:Zlob-CEG [trj]" has been found in "C:\DOCUME~1\Matthew\LOCALS~1\Temp\exhqgnwk.exe" file. 
24/06/2008 17:26:06   SYSTEM   1856   Sign of "Win32:Zlob-CEG [trj]" has been found in "C:\DOCUME~1\Matthew\LOCALS~1\Temp\nt1eeu17.exe" file.

So the above are now safely in my avast! Virus Chest but do I need to do anything else please?

I encountered these charmers earlier whilst Googling and am just thankful that I now have avast! as AVG Free wouldn't have protected me!  ;D
« Last Edit: June 25, 2008, 02:43:07 PM by eclectic »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #1 on: June 24, 2008, 08:20:35 PM »
You have done the right thing, 'first do no harm' don't delete, send virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #2 on: June 24, 2008, 08:33:41 PM »
You could also run an "online" scan on the file in the chest (at any time) to help determine if there might be a "false positive" issue (there are many on-line).

Good link for this: http://virusscan.jotti.org/

Read the "disclaimer" on this web page; it explains in detail what is going on really well.

The chest is a good place just in case of "false positives" so that the item can be restored if necessary.
Processor: i3 2.53 GHz 4 GIG RAM, OS: WIN 7, Connection: High Speed, Virus/Malware Protection: Avast-2015, SpywareBlaster, Windows Firewall & Defender. Email: Outlook 2010 w/ POP Peeper Email Notifiers.

eclectic

  • Guest
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #3 on: June 24, 2008, 08:38:21 PM »
Quote
You have done the right thing, 'first do no harm' don't delete, send virus to the chest and investigate.

Yes, your advice to me t'other day to this effect was foremost in my mind when avast! sprang to my defence against these little nasties earlier :).

Quote
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.


Well that's good to know as a general rule.  However in this case I wonder if it will be necessary to wait.  You see I clicked on a Google link that took me to a dodgy site that immediately tried to trick me with faux internet security pop ups.  Of course I closed those but avast! then popped up to alert me to the trojans.  What do you think?

FAKE EDIT - thanks lakrsrool, that's handy to know.

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #4 on: June 24, 2008, 09:05:29 PM »
At this point I do not see the specific Win32:Zlob - "CEG" "variant" that you have moved to the chest listed on Avast's web page of "known" viruses. There are some "latest threats" that are recent "Win32:Zlob" (Windows Trojan Viruses) "variants" i.e. "JN" and "JO" at this time.

As posted there is no problem leaving it in the chest for now, better safe than sorry.  ;)

eclectic

  • Guest
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #5 on: June 24, 2008, 09:09:17 PM »
Quote
At this point I do not see the specific Win32:Zlob - "CEG" "variant" that you have moved to the chest listed on Avast's web page of "known" viruses. There are some "latest threats" that are recent "Win32:Zlob" (Windows Trojan Viruses) "variants" i.e. "JN" and "JO" at this time.

As posted there is no problem leaving it in the chest for now, better safe than sorry.  ;)

Oh thanks.  In that case I think it would be wise to follow DavidR's guidance i.e. leave them in the chest for a few weeks and then if I haven't had any issues from them being quarantined there, rescan and delete.

Thank you both for your help :).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #6 on: June 24, 2008, 11:13:14 PM »
Quote
You could also run an "online" scan on the file in the chest (at any time) to help determine if there might be a "false positive" issue (there are many on-line).
<snip>

You can't actually scan a file inside the chest as it is a protected area. The same is true of uploading from the chest, a) the file name is changed and b) the file is encrypted. You have to first export it from the chest.

However, just looking at a) the location and b) the file name, I don't doubt the detection. Even if it were wrong it is in a temporary location and as such expendable, so in cases like this I wouldn't even bother with a secondary check (or I would have suggested it).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
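DavidR's two checks in the reply above (a: the location, b: the file name), applied to the log lines from the first post, as an added example that is not part of the thread. The temp-directory names, the "random-looking name" heuristic and the verdict labels are assumptions of this example, not avast! behaviour.

```python
import re
from pathlib import PureWindowsPath

# The two lines quoted in the first post of this thread.
THREAD_LOG = r'''24/06/2008 17:12:39   SYSTEM   1856   Sign of "Win32:Zlob-CEG [trj]" has been found in "C:\DOCUME~1\Matthew\LOCALS~1\Temp\exhqgnwk.exe" file.
24/06/2008 17:26:06   SYSTEM   1856   Sign of "Win32:Zlob-CEG [trj]" has been found in "C:\DOCUME~1\Matthew\LOCALS~1\Temp\nt1eeu17.exe" file.'''

# Constructed line for contrast (not from the thread): same format, non-temp path.
CONSTRUCTED_LINE = r'''25/06/2008 09:00:00   SYSTEM   1856   Sign of "Win32:Zlob-CEG [trj]" has been found in "C:\Program Files\ExampleApp\setup.exe" file.'''

DETECTION = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file')
TEMP_DIRS = {"temp", "tmp"}  # assumption: folder names treated as temporary


def in_temp_location(path):
    """Check (a): is any parent folder a temporary directory?"""
    return any(part.lower() in TEMP_DIRS for part in path.parent.parts)


def looks_random(stem):
    """Check (b), a crude assumed heuristic: letters mixed with digits,
    or a name of 6+ characters with very few vowels."""
    if len(stem) < 6 or not stem.isalnum():
        return False
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return False
    has_digit = any(c.isdigit() for c in stem)
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return has_digit or vowel_ratio < 0.25


def triage(log_text):
    """Parse detection lines and apply both checks to each reported file."""
    results = []
    for m in DETECTION.finditer(log_text):
        path = PureWindowsPath(m["path"])  # parses backslash paths on any OS
        temp, rnd = in_temp_location(path), looks_random(path.stem)
        verdict = "skip-second-opinion" if temp and rnd else "second-opinion"
        results.append({"signature": m["sig"], "file": path.name,
                        "in_temp": temp, "random_name": rnd,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in triage(THREAD_LOG + "\n" + CONSTRUCTED_LINE):
        print(row)
```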

Offline lakrsrool

  • Advanced Poster
  • **
  • Posts: 712
  • Get the Picture !
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #7 on: June 25, 2008, 03:27:28 AM »
Quote
You could also run an "online" scan on the file in the chest (at any time) to help determine if there might be a "false positive" issue (there are many on-line).
<snip>

You can't actually scan a file inside the chest as it is a protected area. The same is true of uploading from the chest, a) the file name is changed and b) the file is encrypted. You have to first export it from the chest.

However, just looking at a) the location and b) the file name, I don't doubt the detection. Even if it were wrong it is in a temporary location and as such expendable, so in cases like this I wouldn't even bother with a secondary check (or I would have suggested it).

Thanks David for the info... So then you CAN scan it inside the chest using Avast since you had suggested doing this based on your prior post:
Quote
...scan them again (inside the chest) and if they are still detected as viruses, delete them...
... but not with any other source than Avast (I presume).

And as far as checking for "false positives" if at the time Avast finds the suspected "virus" and recommends the file be quarantined then what is the best way to check for "false positives" since once the file is placed in the chest (which would be the safe thing to do at the time) it cannot be scanned by other scanners?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #8 on: June 25, 2008, 03:42:44 AM »
Quote
...scan them again (inside the chest) and if they are still detected as viruses, delete them...
... but not with any other source than Avast (I presume).
It can't be scanned by another antivirus. You'll need to extract and scan this 'new' file.

Quote
And as far as checking for "false positives" if at the time Avast finds the suspected "virus" and recommends the file be quarantined then what is the best way to check for "false positives" since once the file is placed in the chest (which would be the safe thing to do at the time) it cannot be scanned by other scanners?
Yes, it's safer because you can restore. Direct deletion won't send the file to the Recycle Bin; it will completely erase the file.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #9 on: June 25, 2008, 02:04:30 PM »
To confirm a detection using VirusTotal, etc.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

It is important to Export (doesn't remove from chest, just copies it to the export location) and not Restore, as that places it in the same original location. This is not something you want if it is malware, as it could potentially be activated; in a different location, any other element of the infection (registry entry, etc.) doesn't know that location.

- Upload to VirusTotal - Multi engine on-line virus scanner, from the list you should be able to see if the detection was good, e.g. multiple AVs also detect it or only avast, etc.

eclectic

  • Guest
Re: Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #10 on: June 25, 2008, 02:34:46 PM »
Quote
You could also run an "online" scan on the file in the chest (at any time) to help determine if there might be a "false positive" issue (there are many on-line).
<snip>

You can't actually scan a file inside the chest as it is a protected area. The same is true of uploading from the chest, a) the file name is changed and b) the file is encrypted. You have to first export it from the chest.

However, just looking at a) the location and b) the file name, I don't doubt the detection. Even if it were wrong it is in a temporary location and as such expendable, so in cases like this I wouldn't even bother with a secondary check (or I would have suggested it).

Great - deletion time then!  :)

Thank you all for your help.

EDIT - missed your last post DavidR - great advice for future reference, thanks :).
« Last Edit: June 25, 2008, 02:37:36 PM by eclectic »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: *SOLVED* Trojan [Win32:Zlob-CEG] moved to Virus Chest - what now?
« Reply #11 on: June 25, 2008, 02:52:49 PM »
You're welcome.