Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32.zbot or worse


  • This topic is locked This topic is locked
5 replies to this topic

#1 thebronze1

thebronze1

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 10 March 2010 - 05:32 PM

On March 5, we caught a Win32.zbot virus as reported by Spybot search and destroy.

Removed it and it came back. Turned off system restore and re-scanned with Malwarebytes and some 20 files were infected (log attached).

Removed the drive from the computer and slaved it to another drive in a different computer. Rescanned with Malwarebytes and four files with Rootkit agent virus. Files quarantined and removed.

Files Infected:
C:\WINDOWS\Temp\4DW4R3176e2b (Rootkit.Agent) -> quarantined and deleted successfully.
C:\WINDOWS\Temp\4DW4R32e540b (Rootkit.Agent) -> quarantined and deleted successfully.
C:\WINDOWS\Temp\4DW4R34539dc (Rootkit.Agent) -> quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat (Rootkit.Agent) -> quarantined and deleted successfully.

Scanned again and nothing turned up so I thought we were clean.

I then tried Superantispyware as a precaution on the same slaved drive the next morning and Superantispyware found four infected files (
Rootkit.Agent/Gen-4DW4R3). Infection removed.

Scanned again and found some typical trash Adaware stuff.

Purchased Malwarebytes so I could get the IP blocking feature and since then we have had a tremendous number of blocked IP reports from Malwarebytes. Now I know there is such a thing as false positives, but this is happening when there is no open Internet connection running at the time and I am guessing (hopefully incorrectly) that something inside the computer is trying to reach out to the sites. Tried running TCPview and process explorer to see what was running at the time of the report of the blocked IP's. One is coming from the UK 88.214.200.231, 88.214.204.180 and some are from a hosting company in New Jersey 64.111.196.126
, 64.111.196.114

I have run dds and gmer and am attaching both logs.

I have also used the Kapersky ZBot killer - unhookexec and F-secure blacklight rootkit eliminator.

Is there something going on still, and it's time to wipe the drive and start over, or have we gotten rid of the issue and the Malwarebytes is blocking something innocuous?

Attached Files



BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 13 March 2010 - 09:14 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 thebronze1

thebronze1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 14 March 2010 - 01:32 PM

I will be back at work tomorrow and will provide you with all the information you requested.

In truth, I had already been forced to create a new box for the user so she could get back on line and doing the company's banking, but her infected computer still exists and is off line so as not to infect anyone or anything else.

Because of the depth to which I went to exorcise this demon, I really would still like to pursue its removal from her old computer, if nothing else so as to provide a case history of this particularly Nasty virus. It is the only one I have ever seen that defied removal by so many of the softwares and techniques I used to eliminate it.

I will send you the information tomorrow.

Thanks you for your help.


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 15 March 2010 - 09:28 PM

ok, i'll keep an eye out.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 20 March 2010 - 06:48 AM

still there?


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 25 March 2010 - 12:22 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users