Windows 7 Forums
Windows 7: Help with Zbot infection.

04 Nov 2012   #31

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)

I've put up a file on my SkyDrive at https://skydrive.live.com/#cid=93673...8FCEB92F%21485
- layback.zip
Please download it to your desktop and extract it to C:\laybackzip

reboot to the Repair Environment
open a Command Prompt
run DIR until you find the laybackzip folder (DIR C:\ , DIR D:\ , )
run the following command:

XCOPY <drive>:\laybackzip <drive>:\Windows\winsxs /y /s /h /i

reboot to Normal Mode
run SFC /SCANNOW
post the new CBS.log file


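The procedure in the post above, as an added batch file for the Repair Environment command prompt (example code, not from the original post or its author). It assumes the files were extracted to \laybackzip at the root of the same volume that holds \Windows, as instructed, and that the drive letter is not known in advance: WinRE assigns letters on its own, so the volume that is C: in normal Windows is often D: there. The script finds the right letter by checking for both folders, shows what it is about to copy, and then runs the same XCOPY with the same switches. Only do this with replacement files from a source you trust and that match your Windows build, since it overwrites files in the component store.

```batch
@echo off
rem Added example (not from the original post): locate the extracted
rem laybackzip folder and the Windows installation from inside the Windows 7
rem Repair Environment command prompt, then run the XCOPY from the post.
rem Assumptions: the files were extracted to <root>\laybackzip on the same
rem volume as \Windows, as instructed. The drive letter is discovered at run
rem time because WinRE assigns letters on its own (a System Reserved
rem partition, if present, usually ends up as C: and Windows as D:).
setlocal
set "TARGET="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if not defined TARGET (
        if exist "%%D:\laybackzip\" if exist "%%D:\Windows\winsxs\" set "TARGET=%%D"
    )
)
if not defined TARGET (
    echo Could not find a volume holding both \laybackzip and \Windows\winsxs.
    echo Check the mapping with DIR C:\, DIR D:\ and so on, as in the post.
    exit /b 1
)
echo Windows installation and laybackzip folder found on %TARGET%:
dir /b "%TARGET%:\laybackzip"
echo.
rem /y overwrite without prompting, /s include subfolders, /h copy hidden and
rem system files too, /i treat the destination as a folder
xcopy "%TARGET%:\laybackzip" "%TARGET%:\Windows\winsxs" /y /s /h /i
if errorlevel 1 (
    echo XCOPY reported an error; do not continue until that is resolved.
    exit /b 1
)
echo Copy finished. Reboot to normal mode and run: sfc /scannow
endlocal
```

Save it as a .cmd file next to the laybackzip folder before rebooting, or on a USB stick, and run it from the WinRE prompt. The doubled %%D is batch-file syntax; if you type the loop directly at the prompt instead, use a single %D.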

04 Nov 2012   #32
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Reading a topic at the MBam forums ... this is indeed a false positive detection.
According to miekiemoes,
Quote:
You can restore the file from quarantine. It's fine if only the one from C:\Windows\System32\InstallShield\ is restored.
Update MBam; the problem should be fixed with new definitions.
04 Nov 2012   #33

Win7 Home Premium x64 SP1

A bit of info for others:
Malwarebytes also flagged this on my PC 2 days ago; I hadn't seen this thread then, though. Malwarebytes removed it and I've since run scans with NOD32 / ESET Online Scanner and Trend Micro's HouseCall, which have all come back clean. As soon as MBam had removed it I purged all restore points and ran TFC by OldTimer. Passwords changed and everything else I could think of.
While looking for info on Zbot I found this info on it: How to remove Zeus (Zbot) – Zeus (Zbot) Removal | Malware Help. Org


Variant 1

C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
Variant 2

C:\WINDOWS\system32\oembios.exe
C:\WINDOWS\system32\sysproc64\sysproc86.sys
C:\WINDOWS\system32\sysproc64\sysproc32.sys
Variant 3

C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
Variant 4

C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds

I've checked and found none of them, and all scans are still coming up clean. Apparently it is designed to steal only banking details, American banks.
Hope it helps if peeps come across this and it's not a false positive.


04 Nov 2012   #34
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Scroll down to post #14 by sUBs here, Trojan.zbot FP? - Malwarebytes Forum, if anyone has trouble restoring these files from MBam's quarantine.
04 Nov 2012   #35

Windows 7 Pro. 64/SP-1

Quote: Originally Posted by NoelDP
I've put up a file on my SkyDrive at https://skydrive.live.com/#cid=93673...8FCEB92F%21485
- layback.zip
Please download it to your desktop and extract it to C:\laybackzip

reboot to the Repair Environment
open a Command Prompt
run DIR until you find the laybackzip folder (DIR C:\ , DIR D:\ , )
run the following command:

XCOPY <drive>:\laybackzip <drive>:\Windows\winsxs /y /s /h /i

reboot to Normal Mode
run SFC /SCANNOW
post the new CBS.log file
----------------------
Noel, it is not working. What am I doing wrong?
1. Downloaded your file and unzipped it to C:\laybackzip
2. Rebooted: F2 > F8 > Repair your computer > Jack > CMD Prompt.
3. Typed in DIR and was unable to find laybackzip. Nothing for the year 2012.
Note: There is only one drive/partition (C:).
4. Typed in C:\DIR and still didn't get anything (laybackzip).
04 Nov 2012   #36

Windows 7 Pro. 64/SP-1

Quote: Originally Posted by Jacee
Scroll down to post #14 by sUBs here, Trojan.zbot FP? - Malwarebytes Forum, if anyone has trouble restoring these files from MBam's quarantine.
Thank you for finding that. I did that this afternoon, but I downloaded it again and ran it. Now I will do another SFC.
-------------------------
Attachment 239962
04 Nov 2012   #37

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)

Quote: Originally Posted by Layback Bear
----------------------
Noel, it is not working. What am I doing wrong?
1. Downloaded your file and unzipped it to C:\laybackzip
2. Rebooted: F2 > F8 > Repair your computer > Jack > CMD Prompt.
3. Typed in DIR and was unable to find laybackzip. Nothing for the year 2012.
Note: There is only one drive/partition (C:).
4. Typed in C:\DIR and still didn't get anything (laybackzip).
You'll probably find that it's in D:\ - the Repair Environment also enumerates the System Reserved partition, which is usually allocated the C: drive letter if it exists.

Note - the command is
DIR C:\
or
DIR D:\
04 Nov 2012   #38

Windows 7 Pro. 64/SP-1

My mistake typing in the last post.
I did type in DIR C:\ and couldn't find it, but I didn't type in DIR D:\ because I don't have a D drive.
This time I used DIR D:\ and found the laybackzip folder.
Is this exactly what I should type? A space before every (/)?

XCOPY D:\laybackzip D:\Windows\winsxs /y /s /h /i


04 Nov 2012   #39

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)

That's it.
04 Nov 2012   #40

Windows 7 Pro. 64/SP-1

On the second sfc /scannow. Doing a third now.
Third one is great also. Noel, that worked, thank you.
I don't understand how copying something from D to D worked when I don't have a D drive.
Thanks to everybody for their help and the time you all spent.


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\System32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\System32>
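The scan above came back clean, but when sfc /scannow does report integrity violations the helper asks for the CBS.log, which is large and mostly Windows Update servicing noise. This added batch file (example code, not from any post in the thread) pulls out just the System File Checker entries, using the findstr filter Microsoft documents for reviewing sfc results, and counts the entries that matter. It assumes the log is at the default %windir%\Logs\CBS\CBS.log, that the script is run from an elevated Command Prompt, and that SFC writes the phrases "Cannot repair member file" and "Repairing corrupted file" for those two events.

```batch
@echo off
rem Added example (not from the original thread): extract the System File
rem Checker entries from CBS.log. sfc /scannow appends its results to
rem %windir%\Logs\CBS\CBS.log and tags its own lines with "[SR]", so
rem filtering on that tag gives a short file that is easier to post than
rem the whole log. Run from an elevated Command Prompt.
setlocal
set "LOG=%windir%\Logs\CBS\CBS.log"
set "OUT=%userprofile%\Desktop\sfcdetails.txt"

if not exist "%LOG%" (
    echo %LOG% not found. Run sfc /scannow first, from an elevated prompt.
    exit /b 1
)

rem /c: treats the quoted text as one literal search string
findstr /c:"[SR]" "%LOG%" > "%OUT%"

rem Count the lines that matter: files SFC could not repair, and repairs it made.
rem The phrases are assumed to be the ones SFC writes for those events.
rem find /c on redirected input prints only the number of matching lines.
set "BAD=0"
set "FIXED=0"
for /f %%N in ('find /c "Cannot repair member file" ^< "%OUT%"') do set "BAD=%%N"
for /f %%N in ('find /c "Repairing corrupted file" ^< "%OUT%"') do set "FIXED=%%N"

echo SFC lines written to %OUT%
echo Files SFC could not repair : %BAD%
echo Files SFC repaired         : %FIXED%
if not "%BAD%"=="0" (
    echo The unrepairable entries are the ones worth posting:
    findstr /c:"Cannot repair member file" "%OUT%"
)
endlocal
```

The sfcdetails.txt it writes to the Desktop is what to attach to a reply instead of the full CBS.log; the "Cannot repair" lines name the component and file that SFC has no good copy of, which is exactly what a helper needs to know which files to supply.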