Windows 7 Forums
Windows 7: Help with Zbot infection.

01 Nov 2012   #1

Windows 7 Pro. 64/SP-1
Help with Zbot infection.

I got infected with 2 Zbots.
Malware Bytes removed them.
Ran a scan with MBM again, still clean.
Ran a scan with Eset, still clean
Ran MSE clean.
Ran scan with SAS, clean.
Windows update still work.
Reboot after all.
Ran sfc 3 or 4 times with reboots after each.
Unable to correct files.
CBS logs are too big for upload. I will see what I can do about that.

Attachment 239548
Hope this works.
A little update.
I did a system restore point and sfc /scannow and that problem is gone.
Doing more security scans at this time.
If anybody can read the log so we would know what Zbot messed with might be of some help to others later.
Another update.
You can not believe the hell I'm going through. After doing security scans again with Eset and MAM, Zbot is back and sfc is not good.
MAM removed Zbot again and sfc is good again. Removed all restore points. Now I'm wiping free space and downloading Windows Defender Offline. Ran DOL clean.
SFC 3 more times, still problems.
MAM again, clean
Startup Repair 4 times, 1 root cause still not fixed. I have run out of ideas.
CBS LOG.
CBS (2).zip




01 Nov 2012   #2

Windows 7 Home Premium x64 SP1

I think it's a false positive. One of my laptops picked it up but it was a clean install.

Was it a zbot from \installshield\_isdel.exe?
01 Nov 2012   #3
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Bear, copy and paste these lines in Notepad.

@echo on
rem Restore the hosts file to its single default entry; clear the hidden,
rem system and read-only attributes first so it can be overwritten.
pushd \windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Reset the network stack: new DHCP lease, empty DNS cache, default
rem Winsock catalog and TCP/IP settings.
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
rem Reboot so the resets take effect, then delete this batch file.
shutdown -r -t 1
del %0


Save as flush.bat to your desktop.
Double-click on the flush.bat file to run it. On Vista and Windows 7, right-click the .bat file and choose Run as Administrator. Your computer will reboot itself.

Make sure "proxy" settings aren't enabled!! You will also need to change all of your passwords, using another computer that you know isn't infected.

About ZBot: http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)
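The batch file above replaces the hosts file wholesale. As an added example (not code from the post or the forum), the following audit shows what to look for before wiping it: hostnames sent to a non-loopback address, or a real-looking hostname pinned to 127.0.0.1 so a site or update server becomes unreachable. The hosts content and the .test names are constructed.

```python
import ipaddress

# Constructed sample hosts file: the default loopback entry plus the kinds of
# entries that indicate redirection or blocking (hostnames are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# 127.0.0.1       localhost
127.0.0.1   localhost
198.51.100.23   www.example-bank.test   example-bank.test
127.0.0.1   update.example-av.test
"""

LOOPBACK_ONLY = {"localhost"}  # names that must stay on the loopback range

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def audit_hosts(text):
    """Return (ip, hostname, reason) for every entry that deviates from the
    default hosts file. A hostname blackholed to loopback can be a legitimate
    ad-block list, so the output is a review queue, not a verdict."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in LOOPBACK_ONLY:
            if not addr.is_loopback:
                findings.append((ip, name, "localhost mapped off loopback"))
        elif addr.is_loopback:
            findings.append((ip, name, "hostname blackholed to loopback"))
        else:
            findings.append((ip, name, "hostname redirected to non-loopback address"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<28} {reason}")
```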


02 Nov 2012   #4

Windows 7 Pro. 64/SP-1

Infected were:
Windows System 32 InstallShield
Windows\Winsxs\isdel.exe
----------------
Jacee, I did as per your instructions. sfc /scannow is still a no go. Everything still seems to work okay. New log.
CBS (2).zip

Thank you both for your help.


02 Nov 2012   #5
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Download TFC by OldTimer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

You should be good to go.
02 Nov 2012   #6

Windows 7 Home Premium x64 SP1

Quote: Originally Posted by Layback Bear
Infected were:
Windows System 32 InstallShield
Windows\Winsxs\isdel.exe
----------------
Jacee, I did as per your instructions. sfc /scannow is still a no go. Everything still seems to work okay. New log.
Attachment 239615

Thank you both for your help.
That's a false positive. MBAM picked it up on my laptop with a fresh install OS. Also I restored it from the other laptop, which caught it first, after finding out that it flagged my fresh new laptop.
02 Nov 2012   #7

Windows 7 Pro. 64/SP-1

I run security scans at least once every 2 days and the Zbot was never there before. So I don't think it's a false positive. I have removed it. It's gone. My problem is getting sfc /scannow to give a clean bill of health. Between Normal and Safe mode I have run it over 20 times. If I gave you a list of things I have done you would think I have been drinking too much.
--
I'm unable to run TFC in Normal or Safe mode. It just freezes my computer. I have removed and installed it 3 times. I have used CCleaner, and Disc Cleaner Extended, and %temp% many times. Never before have I had a problem with sfc /scannow giving the system files a clean bill of health. Every time I run sfc /scannow the log gets bigger.
New cbs log.

Attachment 239710

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\System32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

C:\Windows\System32>
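The sfc output above only says that some files could not be fixed; the detail is in the `[SR]` lines of CBS.log, which Microsoft suggests extracting with `findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log`. As an added example (not from the thread), this script reduces those lines to what sfc repaired, what it could not repair and why, and whether the WinSxS store copy was itself corrupt, which is the case where repeated sfc runs cannot help. The log excerpt, timestamps, package and file names are constructed.

```python
import re
from collections import Counter

# Constructed CBS.log excerpt in the shape sfc /scannow writes; only the
# "[SR]" lines belong to sfc, the rest of a real log is servicing noise.
SAMPLE_CBS_LOG = r"""
2012-11-02 14:10:01, Info                  CSI    000001f3 [SR] Verifying 100 (0x0000000000000064) components
2012-11-02 14:10:02, Info                  CSI    000001f4 [SR] Beginning Verify and Repair transaction
2012-11-02 14:10:05, Info                  CSI    000001f9 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component-Package, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-11-02 14:10:06, Info                  CSI    000001fa [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll"; source file in store is also corrupted
2012-11-02 14:10:07, Info                  CSI    000001fb [SR] Repaired file \??\C:\Windows\System32\[l:20{10}]"other.dll" by copying from backup
2012-11-02 14:10:08, Info                  CSI    000001fc [SR] Repair complete
2012-11-02 14:10:08, Info                  CSI    000001fd [SR] Verify complete
"""

SR_MARK = "[SR] "
CANNOT_REPAIR = re.compile(r'Cannot repair member file \[[^\]]*\]"([^"]+)" of ([^,]+),.*, ([^,]+)$')
NOT_REPROJECT = re.compile(r'Could not reproject corrupted file .*"([^"]+)"; (.*)$')
REPAIRED = re.compile(r'Repaired file .*"([^"]+)" by (.*)$')

def summarize_sfc(log_text):
    """Reduce a CBS.log to sfc's verdicts.

    unrepairable: Counter of (file, package, reason), counted across passes so
    a file that fails on every run stands out; store_corrupt: files whose
    WinSxS source copy is also bad (sfc alone cannot fix these);
    repaired: files sfc restored and how; sr_lines: total [SR] lines seen."""
    summary = {"sr_lines": 0, "unrepairable": Counter(), "store_corrupt": [], "repaired": []}
    for line in log_text.splitlines():
        idx = line.find(SR_MARK)
        if idx < 0:
            continue  # not an sfc line
        summary["sr_lines"] += 1
        msg = line[idx + len(SR_MARK):].rstrip()
        if m := CANNOT_REPAIR.match(msg):
            summary["unrepairable"][(m[1], m[2].strip(), m[3].strip())] += 1
        elif m := NOT_REPROJECT.match(msg):
            summary["store_corrupt"].append((m[1], m[2]))
        elif m := REPAIRED.match(msg):
            summary["repaired"].append((m[1], m[2]))
    return summary

if __name__ == "__main__":
    s = summarize_sfc(SAMPLE_CBS_LOG)
    for (name, pkg, reason), n in s["unrepairable"].items():
        print(f"UNREPAIRABLE x{n}: {name} ({pkg}): {reason}")
    for name, why in s["store_corrupt"]:
        print(f"STORE CORRUPT: {name}: {why}")
    for name, how in s["repaired"]:
        print(f"REPAIRED: {name} by {how}")
```

Point it at a real log with `summarize_sfc(open(r"C:\Windows\Logs\CBS\CBS.log", encoding="utf-8", errors="replace").read())`; a file that shows up under both UNREPAIRABLE and STORE CORRUPT is the one sfc will keep failing on no matter how many times it is rerun.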
02 Nov 2012   #8
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Okay, download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply
After rebooting ensure your Security applications have been re-enabled.
03 Nov 2012   #9

Windows 7 Ultimate x64 SP1

Quote: Originally Posted by Layback Bear
I run security scans at least once every 2 days and the Zbot was never there before. So I don't think it's a false positive.

That only means it wasn't being picked up in the MBAM definitions as a false positive at that time, but is now. Happens all the time with false positives. Doesn't discount it as a FP like CanIHaz mentioned.
03 Nov 2012   #10

Windows 7 Pro. 64/SP-1

Thank you Jacee. I have printed your instructions and will shift to my other computer.
I understand it could have been a false positive. That doesn't explain why, after getting Zbot and removing it, my System Files are not correct and will not allow themselves to be corrected. That is my concern.
I do thank you all for your concerns and input.