

ESET reports a variant of Win32/Spy.Zbot.AAU trojan cleaned by deleting-Now what


3 replies to this topic

#1 Dishpan

Dishpan

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:47 PM

Posted 15 September 2014 - 06:24 PM

Greetings,

I have a user that has a variant of Win32/Spy.Zbot.AAU on her machine.

ESET says it cleaned it by deleting it.

 

I'm hoping someone can advise me on

What to do to really clean the machine,

and how bad is this really?

 

Thank you greatly in advance,

Details are below:

 

I have a user with a Win 7 Pro 64 bit machine.

She was duped into clicking on a zip file in email.

Her machine locked up. She rebooted.

Then User Account Control prompted her to allow "FlashPlayerUpdate" to run.  She clicked "NO".

UAC just kept popping up the same message every time she clicked NO.

She never clicked Yes.

I forced the machine to shutdown, then logged in as a different user.

UAC did not pop up.

I ran an ESET Smart Security 4 Smart Scan and it reported this:

9/15/2014 11:29:50 AM Startup scanner file Operating memory » awefv.exe(4836) a variant of Win32/Spy.Zbot.AAU trojan cleaned by deleting

 

I then checked the ESET Server console and saw this notification (Which was just after she rebooted the first time today):

9/15/2014 8:39:33 AM Startup scanner file Operating memory » awefv.exe(6380) a variant of Win32/Spy.Zbot.AAU trojan cleaned by deleting

 

I unplugged her machine from the network.

I searched the hard drive for awefv.exe, found one copy and tried to delete it.

I couldn't delete it as it was in use.

I started task manager, found it in the process list and killed it.

Then I deleted the file.

 

I plugged the PC back into the network,

downloaded MalwareBytes (free version, with trial), and scanned the machine.  (See Malwarebytes scan below)

MalwareBytes found and Quarantined:

Files: 1
Spyware.Zbot.VXGen, C:\Users\Lori\AppData\Local\Temp\UpdateFlashPlayer_7763905a.exe, Quarantined, [0fe6ca23512ab482602807b11ae7659b],

 

I then ran an ESET smart scan again and it came up clean.

I ran another MalwareBytes scan and it came up clean.

 

I rebooted the machine, and the ESET console reported:

9/15/2014 12:41:29 PM Startup scanner file C:\Users\Lori\AppData\Local\lnjdvpub.exe Win32/TrojanDownloader.Zortob.H trojan cleaned by deleting - quarantined

 

I unplugged the machine from the network again.

I ran a malwarebytes scan and it came up clean.

 

Here is the first malwarebytes scan:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/15/2014
Scan Time: 12:26:35 PM
Logfile: malwarebyteslog1.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.15.09
Rootkit Database: v2014.09.15.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: lori

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 439222
Time Elapsed: 7 min, 27 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Spyware.Zbot.VXGen, C:\Users\Lori\AppData\Local\Temp\UpdateFlashPlayer_7763905a.exe, Quarantined, [0fe6ca23512ab482602807b11ae7659b],

Physical Sectors: 0
(No malicious items detected)

(end)
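The two log formats quoted in this post (ESET console events and the Malwarebytes report) carry the facts a responder needs: whether a detection was in memory or on disk, whether the same image came back after a reboot, and whether rootkit scanning was even enabled. The following Python script is an added example, not the poster's or either vendor's code; it parses constructed copies of the lines quoted above and prints a triage summary. The field names, the regular expressions and the triage rules are my own assumptions about these two formats, not a documented schema.

```python
"""Triage helper: parse ESET console lines and a Malwarebytes report and
summarise what each detection implies for cleanup (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, copied from the log lines quoted in the post.
ESET_LOG = r"""9/15/2014 8:39:33 AM Startup scanner file Operating memory » awefv.exe(6380) a variant of Win32/Spy.Zbot.AAU trojan cleaned by deleting
9/15/2014 11:29:50 AM Startup scanner file Operating memory » awefv.exe(4836) a variant of Win32/Spy.Zbot.AAU trojan cleaned by deleting
9/15/2014 12:41:29 PM Startup scanner file C:\Users\Lori\AppData\Local\lnjdvpub.exe Win32/TrojanDownloader.Zortob.H trojan cleaned by deleting - quarantined"""

MBAM_LOG = r"""Malwarebytes Anti-Malware
Scan Date: 9/15/2014
Scan Time: 12:26:35 PM
Rootkits: Disabled

Files: 1
Spyware.Zbot.VXGen, C:\Users\Lori\AppData\Local\Temp\UpdateFlashPlayer_7763905a.exe, Quarantined, [0fe6ca23512ab482602807b11ae7659b],

Physical Sectors: 0
(No malicious items detected)
"""

# Assumed line shapes, derived only from the quoted lines above.
ESET_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) Startup scanner file "
    r"(?P<obj>.+?) (?P<threat>(?:a variant of )?\S+ trojan) "
    r"(?P<action>cleaned by deleting(?: - quarantined)?)$")
MEM_RE = re.compile(r"^Operating memory » (?P<proc>\S+)\((?P<pid>\d+)\)$")
MBAM_DET_RE = re.compile(r"^(?P<name>[^,]+), (?P<path>[^,]+), (?P<action>[^,]+), \[(?P<id>[0-9a-f]+)\],?$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*): (?P<val>.+)$")


@dataclass
class EsetEvent:
    timestamp: str
    threat: str
    action: str
    path: Optional[str]      # on-disk path, or None for an in-memory hit
    process: Optional[str]   # image name for an in-memory hit
    pid: Optional[int]


@dataclass
class MbamDetection:
    name: str
    path: str
    action: str
    item_id: str             # the bracketed id Malwarebytes prints per item
    section: str             # e.g. "Files", taken from the preceding count line


@dataclass
class MbamReport:
    settings: Dict[str, str] = field(default_factory=dict)
    detections: List[MbamDetection] = field(default_factory=list)


def parse_eset(text: str) -> List[EsetEvent]:
    """Turn ESET console lines into events, splitting memory hits from file hits."""
    events = []
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if not m:
            continue
        obj = m.group("obj")
        mem = MEM_RE.match(obj)
        events.append(EsetEvent(
            timestamp=m.group("ts"), threat=m.group("threat"), action=m.group("action"),
            path=None if mem else obj,
            process=mem.group("proc") if mem else None,
            pid=int(mem.group("pid")) if mem else None))
    return events


def parse_mbam(text: str) -> MbamReport:
    """Collect scan settings and per-item detections from a Malwarebytes report."""
    report = MbamReport()
    section = ""
    for line in text.splitlines():
        line = line.strip()
        det = MBAM_DET_RE.match(line)
        if det:
            report.detections.append(MbamDetection(
                det.group("name"), det.group("path"), det.group("action"), det.group("id"), section))
            continue
        kv = KV_RE.match(line)
        if kv:
            # A count line such as "Files: 1" opens a detection section;
            # any other "Key: Value" line is a scan setting.
            if kv.group("val").isdigit():
                section = kv.group("key")
            else:
                report.settings[kv.group("key")] = kv.group("val")
    return report


def triage(events: List[EsetEvent], report: MbamReport) -> List[str]:
    """Derive cleanup findings: repeated memory hits, on-disk stages, scan gaps."""
    findings = []
    by_proc: Dict[str, int] = {}
    for ev in events:
        if ev.process:
            by_proc[ev.process] = by_proc.get(ev.process, 0) + 1
    for proc, n in by_proc.items():
        # An in-memory "cleaned by deleting" ends the process only; the post shows
        # the file was still on disk afterwards, and a repeat hit means it relaunched.
        if n > 1:
            findings.append(f"{proc}: detected in memory {n} times; something is relaunching it")
        else:
            findings.append(f"{proc}: in-memory detection only; locate and remove the on-disk copy")
    for ev in events:
        if ev.path:
            findings.append(f"{ev.path}: {ev.threat} ({ev.action})")
    for det in report.detections:
        findings.append(f"{det.path}: {det.name} ({det.action})")
    if report.settings.get("Rootkits") == "Disabled":
        findings.append("Malwarebytes rootkit scanning was disabled; a clean result does not cover rootkit components")
    families = {ev.threat for ev in events} | {d.name for d in report.detections}
    if any("Zbot" in f for f in families):
        findings.append("Zbot/Zeus family present: treat stored credentials as compromised")
    return findings


if __name__ == "__main__":
    for line in triage(parse_eset(ESET_LOG), parse_mbam(MBAM_LOG)):
        print(line)
```

Run against the quoted logs, the summary flags awefv.exe as detected in memory twice (the two reboots), lists lnjdvpub.exe and the Temp-folder downloader as separate on-disk stages, and notes that the clean Malwarebytes result was produced with rootkit scanning off, which is the kind of gap that makes a rebuild the safer call.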


#2 LiquidTension

LiquidTension

  • Malware Response Instructor
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:47 PM

Posted 15 September 2014 - 07:13 PM

Hello, 
 
ZBot/Zeus is a banking Trojan with backdoor capabilities. The Trojan is specifically designed to steal banking credentials/logins, but due to the nature of a backdoor, any number of actions/modifications can be made. 
 
An appropriate warning should be given.
 

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor, that allows attackers to remotely control your computer, download/execute files and steal critical system, financial and personal information.

Please disconnect your computer from the internet immediately. If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, email, eBay, paypal, online forums, etc). Consider these accounts already compromised.

If you have used a router, you will need to reset it with a strong logon/password to ensure the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach immediately. Please read the following for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Whilst the identified infection(s) can be removed, there is no way to guarantee that your computer will be trustworthy again. This is due to the nature of the infection, which allows the attacker complete control over the computer. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat the hard drive and reinstall the Operating System. Please read the following articles for more information.

Please let me know how you wish to proceed, and if you have any questions.

 



#3 Dishpan

Dishpan
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:47 PM

Posted 15 September 2014 - 07:35 PM

Greetings Liquid Tension,

Given the warning, and imagining worst case scenario, and how the PC is used, I'll be going with the reformat, reinstall of the OS.

I can't assume that because we didn't let the FlashUpdate run, that I've prevented everything.

Thank you.



#4 LiquidTension

LiquidTension

  • Malware Response Instructor
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:47 PM

Posted 15 September 2014 - 07:41 PM

Hello,

I believe that to be the best choice.

Best of luck.



