You can usually see the Zbot entries with Autoruns (from Sysinternals). On a Win7 machine it will be \user\appdata\roaming\random\random.exe, and Cutwail (Pushdo) usually drops its crazy random-name file in the root of the user's profile. It is as crazy a random name as CryptoLocker's.
XP: \user\application data\random\random.exe (Zbot)
If one is inclined to look for the likely cause....
If you look in their %temp% directory, there are recently created random-name directories there too with some exes, likely downloaders, and possibly some exes right in %temp%... more downloaders.
I have also found hidden folders like "Temporary_file_for_Invoice_984578455.zip", which is typically where Windows dropped the file when users double-click the zips, if they save the attachment rather than opening it in Outlook.
If they opened it right in Outlook, look in the Content.Outlook directory for zips.
If web-based email in IE: Temporary Internet Files\Content.ie5\some sub directory
Not sure how it is for FF or Chrome. They don't use a cache directory/file structure like IE does. You can likely see it in their download history.
If you find it, you'll see why it is so easy for users to click them. They take on an icon just like a PDF, and since users normally do not see file extensions (or aren't really aware of what .EXE means) they click it, often multiple times, trying to figure out why Reader won't open.
Then they call their chum in the next cubicle and ask if they can open it... Machine #2 down... next #3... finally someone asks IT what is wrong with it.
//rant over// ....
Autoruns is cool because you can right-click the file path showing (if it exists) and choose "go to image"; it takes you right to the bad file. Saves time over drilling through directories and regedit.
Has anyone sent you any of the email attachments, Grinler? Let it stew a while on your test box... it seems to take a while for CryptoLocker to come in. Hours... they sometimes download half the malware planet if not discovered for a few days.
I've seen Sirefef/ZAccess with it too, and at times Vobfus.
Changing the passwords is not only important for sensitive logins and such, but I have seen, a week or so after Zbot has been cleaned up, corporate email domain addresses being spoofed and getting blacklisted even though your network is clean and has been for a week. Kinda throws everyone into a panic because it is thought there is another bot on the network, and really it is because passwords were not changed.
This day and age of malware: machine gets infected, I tell people to change passwords unless it is something like "MyWebSearch" lol... (I'll enforce it for said user through AD lol)
So many infections being tagged by AV programs as some generic.whatever... makes it hard to tell exactly what that critter did.
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!
For dessert, can I have a bowl of the freshest worms you have, please?
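The manual triage described in the post above (walk %temp%, the Roaming profile, the profile root, Content.Outlook and Content.IE5 looking for freshly created random-name exes and hidden "...zip" folders) can be scripted. The following is an added example for this thread, not code from any of the posters; it assumes PowerShell 5 or later, a 7-day lookback window, the current user's profile and a Win7-style path layout, all of which are my assumptions and adjustable at the top. It only reads and hashes; it does not delete or quarantine anything, so the hashes can be handed to the AV vendor before anyone touches the files.

```powershell
# Added triage example (not from the thread): list recently created executables,
# archives and hidden "*.zip" folders in the drop locations the post names.
# Assumptions (mine): PowerShell 5+, 7-day window, current user's profile,
# Windows 7+ path layout. Read-only: nothing is deleted or modified.
param(
    [int]$LookbackDays = 7,
    [string]$Profile = $env:USERPROFILE
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Locations from the post: %temp%, AppData\Roaming\<random>\, the profile root
# (Cutwail/Pushdo), Outlook's attachment cache and IE's cache directory.
$locations = @(
    $env:TEMP,
    (Join-Path $Profile 'AppData\Roaming'),
    $Profile,
    (Join-Path $Profile 'AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook'),
    (Join-Path $Profile 'AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5')
) | Where-Object { Test-Path -LiteralPath $_ }

# Two directory levels are enough for the <location>\<random>\<random>.exe pattern.
$findings = foreach ($loc in $locations) {
    Get-ChildItem -LiteralPath $loc -Force -Depth 1 -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime -ge $since) -and (
                # recently created executables / screensavers / archives ...
                ($_.Extension -in '.exe', '.scr', '.zip') -or
                # ... or a hidden FOLDER whose name ends in .zip, like the
                # "Temporary_file_for_Invoice_...zip" folder mentioned in the post
                ($_.PSIsContainer -and $_.Name -like '*.zip' -and
                 ($_.Attributes -band [IO.FileAttributes]::Hidden))
            )
        } |
        ForEach-Object {
            [pscustomobject]@{
                Created = $_.CreationTime
                Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Type    = if ($_.PSIsContainer) { 'dir' } else { 'file' }
                Path    = $_.FullName
                # Files only: the hash is what you give the AV vendor or look up,
                # since "generic.whatever" detections tell you little on their own.
                SHA256  = if ($_.PSIsContainer) { '' } else {
                              (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
            }
        }
}

# The profile-root and Roaming scans can overlap by one level; drop duplicates.
$findings |
    Sort-Object Path -Unique |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect machine (or against a mounted image by passing `-Profile` pointing at the user folder on the mounted drive). Anything it lists still needs the Autoruns check the post describes to confirm it actually has a persistence entry; the script only narrows the filesystem search.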