
Problem removing Win32.Zbot.gen trojan

  • 24-12-2012 9:11am
    #1
    Registered Users Posts: 1,673 ✭✭✭


    My friend's laptop running Windows 7 with Microsoft Security Essentials keeps detecting the PWS:Win32/Zbot.gen!Y trojan. I'm selecting it to be removed, which MSE seems to do, and then it asks to restart the laptop. However, the trojan keeps reappearing.

    After some internet investigation, I am currently running System File Checker which has reported no integrity violations. I found THIS site which explains how to remove certain things from the registry which should sort it out. But I'd like to get your advice before I start messing with the registry.

    Thanks in advance for your advice.


Comments

  • Moderators, Business & Finance Moderators, Regional South Moderators Posts: 6,854 Mod ✭✭✭✭mp22


    Uninstall MSE, get Avast (the free version), install it and select a boot scan, restart the PC and let the scan run its course.


  • Registered Users Posts: 1,673 ✭✭✭kkelly77


    mp22 wrote: »
    Uninstall MSE, get Avast (the free version), install it and select a boot scan, restart the PC and let the scan run its course.

    Any particular reason to use that antivirus?

    I removed the entries from the registry as described in the link I have in my original post. So far no report of that poxy trojan. If it happens again I'll try Avast. Thanks.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Do you have the log from MSE?


  • Registered Users Posts: 1,673 ✭✭✭kkelly77


    This is the most recent since it was last detected.
    Category: Password Stealer
    
    Description: This program is dangerous and captures user passwords.
    
    Recommended action: Remove this software immediately.
    
    Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.
    
    Items: 
    


  • Moderators, Business & Finance Moderators, Regional South Moderators Posts: 6,854 Mod ✭✭✭✭mp22


    kkelly77 wrote: »
    Any particular reason to use that antivirus?
    Boot scan, it can scan the system without Windows fully starting. No need for Windows updates to be enabled.

