ZLOB trojan - how to stop

bill

I have NOD32 antivirus and it is getting upset about this
======================================
Time Module Object Name Threat Action User Information
8/30/2006 10:22:28 AM AMON file

G:\System VolumeInformation\
_restore{65DDFE4A-8A7A-4502-B194-FCF756B87FBA}\RP76\A0017690.exe
Win32/TrojanDownloader.Zlob.AAL trojan

quarantined - deleted NT AUTHORITY\SYSTEM

Event occurred on a new file created by the application:
C:\WINDOWS\System32\svchost.exe.

The file was moved to quarantine. You may close this window.
==================================

It has occurred 4 times today. After the first time I tried a removal
procedure which apparently didn't work.

Any ideas on getting rid of this?

Why is SVCHOST creating this file?

thanks
 
David H. Lipman

From: <[email protected]>

| I have NOD32 antivirus and it is getting upset about this
| ======================================
| Time Module Object Name Threat Action User Information
| 8/30/2006 10:22:28 AM AMON file
|
| G:\System VolumeInformation\
| _restore{65DDFE4A-8A7A-4502-B194-FCF756B87FBA}\RP76\A0017690.exe
| Win32/TrojanDownloader.Zlob.AAL trojan
|
| quarantined - deleted NT AUTHORITY\SYSTEM
|
| Event occurred on a new file created by the application:
| C:\WINDOWS\System32\svchost.exe.
|
| The file was moved to quarantine. You may close this window.
| ==================================
|
| it has occured 4 times today. after the first time I tried a removal
| procedure which apparently didn't work.
|
| any ideas on getting rid of this????????
|
| why is SVCHOST creating this file????
|
| thanks

There are antivirus newsgroups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

G:\System VolumeInformation\_restore
is the System Restore cache location.

SVCHOST.EXE isn't creating ANY file. You are misinterpreting the LOG/message.

You stated...
"The file was moved to quarantine."

What file ? The file in the System Restore Cache ? SVCHOST.EXE ?

%windir%\System32\svchost.exe is a legitimate OS file and it is doubtful it is a Trojan or
the OS would not work and you would either fail to boot at all or the PC would go into a
Blue Screen of Death (BSoD) condition.
 
bill

Thanks for the reply. I put it here because I didn't realize the other
groups were here, and I have a feeling it is a false positive being
that SVCHOST created the file, so I wanted to direct it to some XP
experts.

I'll repost in the other groups.

But the text between ============== is the message from NOD32.
Apparently "the file" is A0017690.exe which was in the SVI folder,
which I can't see. Wouldn't that be a SYSTEM RESTORE file?
One time it was ...692.exe -- it keeps changing.
Spybot, Spysweeper, and Spynomore are not picking it up.
 
Jay

Well, try deleting all system restore points except the most recent. Maybe
that will help. To do so, follow these steps:

1) Open "My Computer"

2) Right Click on the "C:\" Drive

3) Click on "Properties"

4) Click on "Disk Clean Up"

5) Click on the "More Options" tab

6) Click on the "Clean Up" button under the "System Restore" header.

7) Click "Yes" on the pop-up dialog.

Hope this helps you.

James Jones
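An added example (not code from anyone in this thread): a small Python triage helper that reads a NOD32 AMON entry like the one bill posted and decides whether the detected file is an archived copy inside a System Restore point (David's point about the _restore path; Jay's advice is to purge old restore points) or a file on the live file system. The sample entries are constructed from the thread's quoted log with "System Volume Information" spelled out; the second entry, the explorer.exe process and the CONSTRUCTED.exe path are made up for contrast. The "created by the application" field names the process whose write triggered the on-access scan, which on XP is the svchost.exe host of the System Restore service when a restore point is being written.

```python
import re

# Constructed sample: the NOD32 AMON entry quoted in the thread, joined onto one line.
SAMPLE_RESTORE_ENTRY = (
    r"8/30/2006 10:22:28 AM AMON file "
    r"G:\System Volume Information\_restore{65DDFE4A-8A7A-4502-B194-FCF756B87FBA}\RP76\A0017690.exe "
    r"Win32/TrojanDownloader.Zlob.AAL trojan quarantined - deleted NT AUTHORITY\SYSTEM "
    r"Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe."
)
# Constructed counter-example: same signature, but the file sits on the live file system.
SAMPLE_LIVE_ENTRY = (
    r"8/30/2006 10:40:01 AM AMON file "
    r"C:\Documents and Settings\user\Local Settings\Temp\CONSTRUCTED.exe "
    r"Win32/TrojanDownloader.Zlob.AAL trojan quarantined - deleted NT AUTHORITY\SYSTEM "
    r"Event occurred on a new file created by the application: C:\WINDOWS\explorer.exe."
)

# Detected object path (may contain spaces) followed by the Win32/... signature name.
FILE_RE = re.compile(r"AMON file\s+(?P<path>[A-Z]:\\.+?)\s+(?P<threat>Win32/[\w.]+)")
# System Restore cache layout: <drive>:\System Volume Information\_restore{GUID}\RPnn\...
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System\s*Volume\s*Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
# Process whose write triggered the on-access scan; the sentence-ending period is dropped.
APP_RE = re.compile(r"created by the application:\s*(?P<app>[A-Z]:\\\S+?)\.?(?:\s|$)")


def triage(entry):
    """Classify one AMON entry: archived copy in a restore point vs. file on the live system."""
    hit = FILE_RE.search(entry)
    if not hit:
        raise ValueError("not an AMON file entry")
    path = hit.group("path")
    app = APP_RE.search(entry)
    result = {
        "path": path,
        "file": path.rsplit("\\", 1)[-1],          # e.g. A0017690.exe
        "threat": hit.group("threat"),
        "reporting_process": app.group("app") if app else None,
    }
    rp = RESTORE_RE.match(path)
    if rp:
        result["location"] = "system_restore_cache"
        result["restore_point"] = int(rp.group("rp"))   # RP76 -> 76
        result["verdict"] = "archived copy inside a restore point: purge old restore points, then rescan"
    else:
        result["location"] = "live_filesystem"
        result["restore_point"] = None
        result["verdict"] = "file on the live file system: treat as an active infection"
    return result


if __name__ == "__main__":
    for entry in (SAMPLE_RESTORE_ENTRY, SAMPLE_LIVE_ENTRY):
        print(triage(entry))
```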
 
