
zbot and win32.agent.pz will not go away


1 reply to this topic

#1 andywagstaff


Posted 11 December 2009 - 12:14 PM

Hello all. I hope dearly that someone here can help me...

I have no idea where it came from, but last week my laptop got caught by that Antivirus Live fake scanner prog that's out and about. I managed to get shot of it, but it's left both win32.zbot and win32.Agent.pz behind. Spybot S&D detects them, but they come back on reboot. So I have run ComboFix and SDFix, but the little blighters are still there. Below is the log that SDFix came up with. Is there any solution other than a re-install? There's nothing I cannot regain on the drive, so it won't break my back, but I haven't really the desire or time for a clean install at the mo...

I eagerly await your reply!

Andy W

HERE'S THE LOG

SDFix: Version 1.240
Run by Mr Woggle on 11/12/2009 at 14:29

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\MRWOGG~1\LOCALS~1\Temp\tmp6.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 15:16:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sports Interactive\\Football Manager 2010 Demo\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2010 Demo\\fm.exe:*:Enabled:Football Manager 2010 Demo"
"C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe:*:Enabled:Football Manager 2010"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 10 Dec 2009 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Bases\Cache\av1.tmp"
Fri 11 Dec 2009 18,442,529 A..H. --- "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Bases\Cache\av4.tmp"

Finished!

#2 andywagstaff


Posted 11 December 2009 - 12:15 PM

Sorry, I didn't see the bit at the top about not posting logs! Please reply though!
