Help with Zbot infection.


  1. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
    Thread Starter
       #21

    Things are just crazy.
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=f9fd5091a87fc94d999526271970b004
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2012-11-04 06:24:33
    # local_time=2012-11-04 01:24:33 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=5893 16776574 100 94 45884179 103595407 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=134259
    # found=0
    # cleaned=0
    # scan_time=1515



  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #22

    Layback Bear said:
    CanIHaz that is very good research and I thank you very much for time and concern you have. A few minutes ago I got CIMV2-0X800041003, WMI 10. They all might be caused by the same thing. I will investigate on the MAM site. Thanks again.
    See this ... Here's how to Fix WMI Event ID 10, "InstanceModificationEven - MSFN Forum


  3. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #23

    This is weird!


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
    Thread Starter
       #24

    I have already cleared the event log. It was caused by a Marvell driver MV91xx. I have to think on doing a registry edit from 2008.
    I think what I'm going to do is reinstall Zbot from MAM quarantine and then run Eset scan again. It might put System Files back as they should be.


  5. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
    Thread Starter
       #25

    Okay a little update.
    Put back Zbot from MAM quarantine.
    Ran Eset online and came up clean.
    Updated MAM and ran complete scan, clean.
    Cleared event log again.
    Used Windows Update and got and installed MSE update.
    Ran sfc /scannow 3 times with reboots between each.
    Ran Repair disc 3 times with reboots.
    Checked sfc /scannow again, still has files that need corrected every time I ran it.
    ---------------------------
    I don't think I'm infected.
    Updating MAM stopped the false positive Zbot.
    Windows 7 is just unable to give a clean bill of health using sfc /scannow.
    I'm out of ideas and need some more help. I haven't discovered anything that doesn't work as it should except SFC /SCANNOW so far.
    -----------------
    I don't have passwords installed on this computer except auto sign in for this site. All my banking excreta are in my pea brain or my Rolodex.
    Thanks for worrying.


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #26

    Just before you found these two ZBots, did you uninstall something or install a game/open a PDF file or?


  7. Posts : 9,582
    Windows 8.1 Pro RTM x64
       #27

    Given how devious and prolific malware writers have become, anti-malware vendors (MSE, Avast!, MBAM, etc.) have had to step up their game as well to keep up with the bad guys. Unfortunately, this does mean that once in a while something slips through the net and is not picked up or something legitimate is picked up and wrongly identified as malware. There have been cases where some AV updates have been pulled by the vendor after being notified by several users that something was wrong.


  8. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
    Thread Starter
       #28

    Yes I was on this site when I got Zbot. I ticked on the now removed hyper link that was posted.
    What is the weight of iso windows 7
    ---------------------
    You are correct Dwarf. Malwarebytes corrected the problem the same day with an update.
    Now all I have to do is clean up the mess it left behind.


  9. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #29

    There's one consistent file error in the CBS.log
    Code:
     
    2012-11-01 20:48:12, Info                  CSI    000002ed [SR] Cannot repair member file [l:20{10}]"_isdel.exe" of Microsoft-Windows-InstallShield-WOW64-Main, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
    2012-11-01 20:48:12, Info                  CSI    000002ee [SR] Cannot repair member file [l:20{10}]"_isdel.exe" of Microsoft-Windows-InstallShield-WOW64-Main, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
    - which is a single file, where both file itself, and the WinSxS backup are corrupted.


    I'll work up a fix for you.
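
    An added example, not part of any poster's message: one way to reduce the `[SR] Cannot repair member file` entries in a CBS.log to a list of distinct unrepaired files. The function name and the third sample line are constructed for illustration; the first two sample lines are the ones quoted in post #29.

```python
import re

# Matches the sfc "[SR] Cannot repair member file" record format shown in post #29.
SR_FAIL = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), \w+\s+CSI\s+[0-9a-f]{8} '
    r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" '
    r'of (?P<component>[^,]+), Version = (?P<version>[\d.]+), '
    r'pA = (?P<arch>\w+) \(\d+\).*, (?P<reason>[^,]+)$'
)

# First two lines: quoted from the thread. Third line: constructed, to show
# that other [SR] records are ignored.
SAMPLE = '''\
2012-11-01 20:48:12, Info                  CSI    000002ed [SR] Cannot repair member file [l:20{10}]"_isdel.exe" of Microsoft-Windows-InstallShield-WOW64-Main, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-11-01 20:48:12, Info                  CSI    000002ee [SR] Cannot repair member file [l:20{10}]"_isdel.exe" of Microsoft-Windows-InstallShield-WOW64-Main, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2012-11-01 20:48:13, Info                  CSI    000002ef [SR] Verify complete
'''


def unrepaired_members(log_text):
    """Return {(file, component, version, arch): summary} for repair failures."""
    found = {}
    for line in log_text.splitlines():
        m = SR_FAIL.match(line.strip())
        if not m:
            continue  # not a repair-failure record
        key = (m['file'], m['component'], m['version'], m['arch'])
        entry = found.setdefault(
            key, {'count': 0, 'first_seen': m['ts'], 'reasons': set()})
        entry['count'] += 1
        entry['last_seen'] = m['ts']
        entry['reasons'].add(m['reason'])
    return found


if __name__ == '__main__':
    for (name, comp, ver, arch), info in unrepaired_members(SAMPLE).items():
        print(f"{name}  {comp} {ver} [{arch}]  "
              f"x{info['count']}  {', '.join(sorted(info['reasons']))}")
```

    On a real system the same function can be fed the text of `%windir%\Logs\CBS\CBS.log`; repeated records for the same member collapse into one entry with a count.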


  10. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
    Thread Starter
       #30

    Thank you Noel. I saw that but I'm quite sure I don't want to fool with WinSxS without help. I can give you more logs if need be. Thank you all for coming to my rescue.


 