Jump to content

Recommended Posts

8:30am PST.


After spending a couple of days on a client's Zbot Cryptolocker removal and file restoration - the blocking of executables running from XP's %username%\Application Data\ folders and sub-folders was implemented through Group Policy.


As a test I just now copied notepad.exe from c:\windows into the \application data\ folder. But, Malwarebytes blocked this and called Zbot Crypto on notepad.exe - and Quarantined.


Next, Right Click notepad.exe and 'scan with malwarebytes' - no malware found?


Next, Delete notepad.exe from windows\ and windows\system32\ and replace with known good copy.


Next, copy good notepad.exe into %username%\application data\ again. Again, Malwarebytes calls Zbot Cryptolocker on the copy and quarantines.


Next, copy thunk??.exe into %username%\application data\ folder & run. Group Policy blocks the execution!


Whassup with copying notepad.exe from \windows into %username\application data\ ?



Link to post
Share on other sites

Not sure if your just testing things, but if the computer was/is infected it would be best to have an expert take a look under the hood to make sure the infection is completely gone...

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you

Link to post
Share on other sites



Given the 10-page-or-so  bleepingcomputer Cryptolocker thread along with 2 full Malwarebyte scans and RootKit checks, I was thinking more like false positive but, your 2 comments "...take a look under the hood to make sure the infection is completely gone......" & "...Being that you are probably infected..." are duly heeded.


Thank you.

Link to post
Share on other sites

Well if you got help over at Bleepingcomputer, with clean up, and they gave you an all clean you should be good to go, if you still have that topic open over there, perhaps you can direct your question to the person that helped you, to avoid confusion and having two different experts helping you....

Link to post
Share on other sites


After spending a couple of days on a client's Zlob Cryptolocker


Sorry, you are confusing malware.


The Zlob trojan is not associated with the present renditions of crypto trojans. 


However there are ties to the Zeus Bot (aka; Zbot) network for distribution.


The Zlob and Zbot are not the same nor related.

Link to post
Share on other sites


Tx for that. Yes, Tom quickly clued me in to that after I'd followed FF's advice in his/her 1st post above.

I would assume that Malwarebytes Heuristics catches more than the notepad executable. They might like to add twains and thunks too!

I didn't want to post Tom's solution detail as I thought it might be too revealing... Mea Culpa apparently.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.