Help with Zbot infection.
-
I've put up a file on my SkyDrive at https://skydrive.live.com/#cid=93673...8FCEB92F%21485
- layback.zip
Please download it to your desktop and extract it to C:\laybackzip
reboot to the Repair Environment
open a Command Prompt
run DIR until you find the laybackzip folder (DIR C:\ , DIR D:\ , )
run the following command....
XCOPY <drive>:\laybackzip <drive>:\Windows\winsxs /y /s /h /i
reboot to Normal Mode
run SFC /SCANNOW
post the new CBS.log file
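The procedure above copies files from another forum member's zip straight into the component store that SFC uses as its source of truth, and it depends on picking the right drive letter in the Repair Environment. The PowerShell below is an added example, not code from the thread or from Noel; it assumes PowerShell is available in the recovery environment (the Windows 7 WinRE command prompt normally is not, in which case the XCOPY line above is the equivalent of Copy-StagedFiles), and the folder names and the CBS.log location are assumptions taken from the thread. It finds the Windows volume by its contents instead of guessing a letter, shows which winsxs files the staged zip would add or replace (with old and new SHA-256) before anything is touched, and after the reboot extracts only the [SR] lines from CBS.log, which is what a helper needs rather than the whole log.

```powershell
# Added example, not from the thread. Assumes PowerShell is available in the
# recovery environment (Windows 7 WinRE normally ships only cmd.exe, where the
# thread's XCOPY line does what Copy-StagedFiles does here); folder names and
# the $env:windir default are assumptions matching the thread.

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4.0+, so hash with .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Dispose() }
}

function Find-OfflineWindowsVolume {
    # In WinRE the System Reserved partition usually takes C:, so the Windows
    # volume shows up as D: even though Windows itself calls it C:. Probe each
    # letter for the markers of an installation instead of guessing.
    foreach ($letter in 'CDEFGHIJKLMNOPQRSTUVWXYZ'.ToCharArray()) {
        $root = "${letter}:\"
        if ((Test-Path (Join-Path $root 'Windows\winsxs')) -and
            (Test-Path (Join-Path $root 'Windows\System32\config\SYSTEM'))) { return $root }
    }
    throw 'No volume with a Windows installation found'
}

function Get-StagedFilePlan([string]$StageDir, [string]$WinSxsDir) {
    # Lists every copy the XCOPY step would perform, with the old and new
    # SHA-256 so the operator can see exactly which component-store files a
    # zip from a forum post is about to replace, and refuses any destination
    # that resolves outside winsxs.
    $stage = [System.IO.Path]::GetFullPath($StageDir).TrimEnd('\')
    $sxs   = [System.IO.Path]::GetFullPath($WinSxsDir).TrimEnd('\')
    Get-ChildItem -Path $stage -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $relative = $_.FullName.Substring($stage.Length + 1)
            $dest     = [System.IO.Path]::GetFullPath((Join-Path $sxs $relative))
            $inside   = $dest.StartsWith($sxs + '\', [System.StringComparison]::OrdinalIgnoreCase)
            $newHash  = Get-Sha256Hex $_.FullName
            $oldHash  = $null
            if (Test-Path -LiteralPath $dest) { $oldHash = Get-Sha256Hex $dest }
            if (-not $inside)               { $action = 'REFUSE' }
            elseif ($oldHash -eq $null)     { $action = 'ADD' }
            elseif ($oldHash -eq $newHash)  { $action = 'SAME' }
            else                            { $action = 'REPLACE' }
            New-Object PSObject -Property @{
                Action = $action; Source = $_.FullName; Destination = $dest
                OldHash = $oldHash; NewHash = $newHash
            }
        }
}

function Copy-StagedFiles($Plan) {
    # Performs only the ADD/REPLACE entries; SAME is skipped, REFUSE is never copied.
    foreach ($item in @($Plan | Where-Object { $_.Action -eq 'ADD' -or $_.Action -eq 'REPLACE' })) {
        $dir = Split-Path -Parent $item.Destination
        if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Copy-Item -LiteralPath $item.Source -Destination $item.Destination -Force
    }
}

function Get-SfcRepairLines([string]$CbsLog = "$env:windir\Logs\CBS\CBS.log") {
    # SFC tags its per-file results [SR]; this is the same filter as
    # findstr /c:"[SR]" and drops the "Verifying N components" progress lines,
    # leaving what was repaired and what "Cannot repair" applies to.
    Select-String -Path $CbsLog -Pattern '[SR]' -SimpleMatch |
        ForEach-Object { $_.Line } |
        Where-Object { $_ -notmatch 'Verifying \d+ components' }
}

# Usage. From the recovery environment:
#   $root = Find-OfflineWindowsVolume                       # e.g. D:\
#   $plan = Get-StagedFilePlan (Join-Path $root 'laybackzip') (Join-Path $root 'Windows\winsxs')
#   $plan | Format-Table Action, Destination -AutoSize      # review before touching winsxs
#   Copy-StagedFiles $plan
# Then reboot to Normal Mode, run sfc /scannow, and post only the relevant lines:
#   Get-SfcRepairLines | Out-File "$env:USERPROFILE\Desktop\sfcdetails.txt"
```

Review the plan output before running Copy-StagedFiles: a REPLACE entry whose OldHash is not the one you expect means the zip would change a component-store file that SFC currently considers good, and that is the point at which to confirm where the zip came from rather than after the copy.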
-
-
Reading a topic at the MBam forums ... this is indeed a false positive detection.
According to miekiemoes,
You can restore the file from quarantine. It's fine if only the one from C:\Windows\System32\InstallShield\ is restored.
Update MBam, the problem should be fixed with new definitions.
-
a bit of info for others
Malwarebytes also flagged this on my PC 2 days ago; I hadn't seen this thread then though. Malwarebytes removed it and I've since run scans with NOD32/ESET Online Scanner and Trend Micro's HouseCall, which have all come back clean. As soon as MBAM had removed it I purged all restore points and ran TFC by OldTimer. Passwords changed and everything else I could think of.
While looking for info on Zbot I found this info on it: How to remove Zeus (Zbot) – Zeus (Zbot) Removal | Malware Help. Org
Variant 1
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
Variant 2
C:\WINDOWS\system32\oembios.exe
C:\WINDOWS\system32\sysproc64\sysproc86.sys
C:\WINDOWS\system32\sysproc64\sysproc32.sys
Variant 3
C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
Variant 4
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
I've checked and found none of them, and all scans are still coming up clean. Apparently it is designed to steal only banking details. American banks.
Hope it helps if people come across this and it's not a false positive.
-
-
-
I've put up a file on my SkyDrive at
https://skydrive.live.com/#cid=93673...8FCEB92F%21485
- layback.zip
Please download it to your desktop and extract it to C:\laybackzip
reboot to the Repair Environment
open a Command Prompt
run DIR until you find the laybackzip folder (DIR C:\ , DIR D:\ , )
run the following command....
XCOPY <drive>:\laybackzip <drive>:\Windows\winsxs /y /s /h /i
reboot to Normal Mode
run SFC /SCANNOW
post the new CBS.log file
----------------------
Noel, it is not working. What am I doing wrong?
1. Downloaded your file and unzipped it to C:\laybackzip
2. Rebooted: F2 > F8 > Repair your computer > Jack > CMD Prompt.
3. Typed in DIR and was unable to find laybackzip. Nothing for the year 2012.
Note: There is only 1 drive/partition (C)
4. Typed in C:\DIR and still didn't get anything (laybackzip)
-
Thank you for finding that. I did that this afternoon, but I downloaded it again and ran it. Now I will do another SFC.
-------------------------
Attachment 239962
-
-
----------------------
Noel, it is not working. What am I doing wrong?
1. Downloaded your file and unzipped it to C:\laybackzip
2. Rebooted: F2 > F8 > Repair your computer > Jack > CMD Prompt.
3. Typed in DIR and was unable to find laybackzip. Nothing for the year 2012.
Note: There is only 1 drive/partition (C)
4. Typed in C:\DIR and still didn't get anything (laybackzip)
You'll probably find that it's in D:\ - the Repair environment also enumerates the System Reserved partition, which is usually allocated the C: drive letter if it exists.
Note - the command is
DIR C:\
or
DIR D:\
-
My mistake typing in the last post.
I did type in DIR C:\ and couldn't find it, but I didn't type in DIR D:\ because I don't have a D drive.
This time I used DIR D:\ and found the laybackzip folder.
Is this exactly what I should type? A space before every (/)?
XCOPY D:\laybackzip D:\Windows\winsxs /y /s /h /i
-
-
On the second sfc /scannow. Doing a third now.
The third one is great also. Noel, that worked, thank you.
I don't understand how copying something from D to D worked when I don't have a D.
Thanks to everybody for their help and the time you all spent.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\System32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection did not find any integrity violations.
C:\Windows\System32>