Windows 7 Forums



Windows 7: Help with Zbot infection.

04 Nov 2012   #31
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)
 
 

I've put up a file on my SkyDrive at https://skydrive.live.com/#cid=93673...8FCEB92F%21485
- layback.zip
Please download it to your desktop and extract it to C:\laybackzip

reboot to the Repair Environment
open a Command Prompt
run DIR until you find the laybackzip folder (DIR C:\ , DIR D:\ , )
run the following command:

XCOPY <drive>:\laybackzip <drive>:\Windows\winsxs /y /s /h /i

reboot to Normal Mode
run SFC /SCANNOW
post the new CBS.log file


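Noel asks for the new CBS.log after each SFC run because SFC records its Windows Resource Protection results there as "[SR]" lines, and the file is far too large to read by hand. The following parser is an added example, not code from the thread or from Microsoft; it assumes the usual CSI logger line layout (timestamp, level, "CSI", hex sequence number, "[SR]", message) and works on constructed sample lines.

```python
import re
import sys

# SFC writes its status to CBS.log as CSI lines tagged "[SR]". Layout
# assumed here: "<date> <time>, <level>  CSI  <hex seq> [SR] <message>".
SR_LINE = re.compile(
    r"^(?P<ts>\S+ \S+), (?P<level>\w+)\s+CSI\s+[0-9a-f]+ \[SR\] (?P<msg>.*)$")
# CSI writes names as length-prefixed tokens: [l:<bytes>{<chars>}]"name",
# optionally preceded by an ml: token when a directory is included.
NAME_TOKEN = re.compile(r'\[(?:ml:\d+\{\d+\},)?l:\d+\{\d+\}\]"([^"]+)"')

def parse_sr_lines(log_text):
    """Return (repaired, unrepaired, verified_count) from CBS.log text."""
    repaired, unrepaired, verified = [], [], 0
    for line in log_text.splitlines():
        m = SR_LINE.match(line)
        if not m:
            continue                      # not an SFC status line
        msg = m.group("msg")
        names = NAME_TOKEN.findall(msg)
        if msg.startswith("Cannot repair member file"):
            unrepaired.append(names[0])   # still corrupt after the run
        elif msg.startswith("Repairing corrupted file"):
            repaired.append(names[-1])    # last token is the file name
        elif msg.startswith("Verifying "):
            verified += int(msg.split()[1])
    return repaired, unrepaired, verified

def verdict(log_text):
    """Collapse the parse into the three outcomes SFC reports."""
    repaired, unrepaired, _ = parse_sr_lines(log_text)
    if unrepaired:
        return "violations remain"
    if repaired:
        return "violations repaired"
    return "clean"

# Constructed sample lines, not taken from anyone's real CBS.log.
SAMPLE_LOG = r"""
2012-11-04 13:01:02, Info                  CSI    00000009 [SR] Verifying 100 (0x0000000000000064) components
2012-11-04 13:01:02, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction
2012-11-04 13:01:09, Info                  CSI    0000000b [SR] Cannot repair member file [l:24{12}]"kernel32.dll" of Microsoft-Windows-Kernel32 in the store, hash mismatch
2012-11-04 13:01:10, Info                  CSI    0000000c [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:20{10}]"msvcrt.dll" from store
2012-11-04 13:01:11, Info                  CSI    0000000d [SR] Repair complete
"""
# A run with no corruption keeps only the verify/complete lines.
CLEAN_LOG = "\n".join(l for l in SAMPLE_LOG.splitlines() if "Verifying" in l or "complete" in l)

if __name__ == "__main__":
    # Usage: python cbs_sr.py C:\Windows\Logs\CBS\CBS.log  (defaults to the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep, unrep, n = parse_sr_lines(text)
    print(f"verified {n} components; repaired {rep}; unrepaired {unrep}; {verdict(text)}")
```

A file still listed as unrepaired after the winsxs copy-in is the one whose store copy is still missing or mismatched, so that list is what to check before running SFC a third time.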

04 Nov 2012   #32
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Reading a topic at the MBam forums ... this is indeed a false positive detection.
According to miekiemoes,
Quote:
You can restore the file from quarantine. It's fine if only the one from C:\Windows\System32\InstallShield\ is restored.
Update MBam, the problem should be fixed with new definitions.
04 Nov 2012   #33
ganjiry

Win7 Home Premium x64 SP1
 
 

A bit of info for others:
Malwarebytes also flagged this on my PC 2 days ago; I hadn't seen this thread then though. Malwarebytes removed it and I've since run scans with NOD32 / ESET Online Scanner and Trend Micro's HouseCall, which have all come back clean. As soon as MBAM had removed it I purged all restore points and ran TFC by OldTimer. Passwords changed and everything else I could think of.
While looking for info on Zbot I found this information on it: How to remove Zeus (Zbot) – Zeus (Zbot) Removal | Malware Help. Org


Variant 1

C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
Variant 2

C:\WINDOWS\system32\oembios.exe
C:\WINDOWS\system32\sysproc64\sysproc86.sys
C:\WINDOWS\system32\sysproc64\sysproc32.sys
Variant 3

C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
Variant 4

C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds

I've checked and found none of them, and all scans are still coming up clean. Apparently it is designed to steal only banking details, from American banks.
Hope it helps if peeps come across this and it's not a false positive.


04 Nov 2012   #34
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Scroll down to post #14 by sUBs here, Trojan.zbot FP? - Malwarebytes Forum, if anyone has trouble restoring these files from MBAM's quarantine.
04 Nov 2012   #35
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

Quote: Originally Posted by NoelDP
I've put up a file on my SkyDrive at https://skydrive.live.com/#cid=93673...8FCEB92F%21485
- layback.zip
Please download it to your desktop and extract it to C:\laybackzip

reboot to the Repair Environment
open a Command Prompt
run DIR until you find the laybackzip folder (DIR C:\ , DIR D:\ , )
run the following command:

XCOPY <drive>:\laybackzip <drive>:\Windows\winsxs /y /s /h /i

reboot to Normal Mode
run SFC /SCANNOW
post the new CBS.log file
----------------------
Noel, it is not working. What am I doing wrong?
1. Downloaded your file and unzipped it to C:\laybackzip
2. Rebooted F2 > F8 > Repair your computer > Jack > CMD Prompt.
3. Typed in DIR and was unable to find laybackzip. Nothing for the year 2012.
Note: There is only 1 drive/partition (C)
4. Typed in C:\DIR and still didn't get anything (laybackzip)
04 Nov 2012   #36
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

Quote: Originally Posted by Jacee
Scroll down to post #14 by sUBs here, Trojan.zbot FP? - Malwarebytes Forum, if anyone has trouble restoring these files from MBAM's quarantine.
Thank you for finding that. I did that this afternoon, but I downloaded it again and ran it. Now I will do another sfc.
-------------------------
Attachment 239962
04 Nov 2012   #37
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)
 
 

Quote: Originally Posted by Layback Bear
----------------------
Noel, it is not working. What am I doing wrong?
1. Downloaded your file and unzipped it to C:\laybackzip
2. Rebooted F2 > F8 > Repair your computer > Jack > CMD Prompt.
3. Typed in DIR and was unable to find laybackzip. Nothing for the year 2012.
Note: There is only 1 drive/partition (C)
4. Typed in C:\DIR and still didn't get anything (laybackzip)
You'll probably find that it's in D:\ - the Repair environment also enumerates the System Reserved partition, which is usually allocated the C: drive letter if it exists.

Note - the command is
DIR C:\
or
DIR D:\
04 Nov 2012   #38
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

My mistake typing in the last post.
I did type in DIR C:\ and couldn't find it, but I didn't type in DIR D:\ because I don't have a D drive.
This time I used DIR D:\ and found the laybackzip folder.
Is this exactly what I should type? A space before every (/)?

XCOPY D:\laybackzip D:\Windows\winsxs /y /s /h /i

04 Nov 2012   #39
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)
 
 

That's it.
04 Nov 2012   #40
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

On the second sfc /scannow. Doing a third now.
Third one is great also. Noel, that worked, thank you.
I don't understand how copying something from D to D worked when I don't have a D drive.
Thanks to everybody for their help and the time you all spent.


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\System32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\System32>