Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


0-day Trojan (zbot/hupigon/sdbot Variant) --- Needs Cleaning Script...

  • This topic is locked This topic is locked
2 replies to this topic

#1 Patience Limited

Patience Limited

  • Members
  • 2 posts
  • Local time:03:41 AM

Posted 02 October 2008 - 01:31 PM

My customer clicked on the bank_statement.zip e-mail attachment which started circulating 9/30. It seems likely that it's dropped another Trojan or two as well. This is an exceptionally nasty, stealthed package --- GMER and other rootkit tools find lots of kernel hook activity, but HiJackThis looks pretty clean, all the major virus scanners find nothing with current updates. [Avast! did block my download attempt, so the scanners are starting to catch up...]

See http://www.virustotal.com/analisis/056dc7e...8c1bc72bf0601a8, and http://www.threatexpert.com/report.aspx?ui...76-6fae34194ede for scans of the original infector.

In normal mode on an XP SP2 system, double-clicking on _any_ application starts it running as a background process, with no open window. The cursor passes under the Start Menu button, so it can't be opened or right-clicked. Right-click Properties don't work on anything else, either. It also boots without prompting for a logon. Anything launched from the Run line doesn't open a window either, e.g. services.msc.

In Safe Mode, applications can run and open windows normally, logon prompt is normal, etc. HiJackThis and GMER found an obvious infected file: utm3mzgz.sys in Win\System32\drivers, which I renamed from a boot disk, and I've disabled System Restore from the Registry. Unfortunately, I can only run GMER, HiJackThis, ComboFix, AVZ, Avast! etc. from Safe Mode (I do _not_ want to connect this box to the network again for current updates, either!), and they don't seem to be finding much. The normal mode inability to open applications persists.

All available scan logs are attached.

Attached Files

BC AdBot (Login to Remove)



#2 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:41 AM

Posted 13 October 2008 - 12:34 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTViewIt
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop. If you are using Windows Vista, right click the icon and select Run as Administrator.
  • Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized
Copy and Paste the logs into your next reply.
Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:41 AM

Posted 18 October 2008 - 09:21 AM


There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users