Help with Zbot infection.
-
I got infected with 2 Zbots.
Malware Bytes removed them.
Ran a scan with MBAM again, still clean.
Ran a scan with ESET, still clean.
Ran MSE clean.
Ran scan with SAS, clean.
Windows update still work.
Reboot after all.
Ran sfc 3 or 4 times with reboots after each.
Unable to correct files.
CBS logs are too big for upload. I will see what I can do about that.
Attachment 239548
Hope this works.
A little update.
I did a system restore point and sfc /scannow and that problem is gone.
Doing more security scans at this time.
If anybody can read the log so we would know what Zbot messed with might be of some help to others later.
Another update.
You cannot believe the hell I'm going through. After doing security scans again with ESET and MBAM, Zbot is back and sfc is not good.
MBAM removed Zbot again and sfc is good again. Removed all restore points. Now I'm wiping free space and downloading Windows Defender Offline. Ran WDO, clean.
SFC 3 more times, still problems.
MBAM again, clean.
Start Up Repair 4 times, 1 root cause still not fixed. I have run out of ideas.
CBS LOG.
Attachment 239571
Last edited by Layback Bear; 01 Nov 2012 at 23:34.
-
-
I think it's a false positive. One of my laptops picked it up, but it was a clean install.
Was it a zbot from \installshield\_isdel.exe?
-
Bear, copy and paste these lines into Notepad.
@echo on
rem Rewrite the hosts file with only the stock localhost entry (clear attributes first so it is writable)
pushd %SystemRoot%\System32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Renew the DHCP lease and clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and TCP/IP stack, then reboot
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
rem Delete this batch file after it has run
del %0
Save as flush.bat to your desktop.
Double-click on the flush.bat file to run it. Vista and Windows 7: right-click the .bat file and choose Run as Administrator. Your computer will reboot itself.
Make sure "proxy" settings aren't enabled!! You will also need to change all of your passwords, using another computer, that you know isn't infected.
About ZBot: http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)
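The post above asks you to verify two things after running the script: that the hosts file holds only the default entry and that no proxy is enabled. Here is an added read-only check for both, written as a PowerShell script for this thread (it is not Jacee's script and modifies nothing). It assumes the standard hosts file location under %SystemRoot% and the per-user WinINET proxy values under HKCU, which is where the Internet Options control panel stores them.

```powershell
# Added example: inspect (not change) the hosts file and the current user's
# WinINET proxy settings. Run from an elevated PowerShell prompt.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Entries a stock Windows hosts file may legitimately contain
$expected = @('127.0.0.1 localhost', '::1 localhost')

# Strip comments and blank lines, collapse whitespace, so only real mappings remain
$active = Get-Content -Path $hostsPath -ErrorAction Stop |
    ForEach-Object { (($_ -replace '#.*$', '').Trim()) -replace '\s+', ' ' } |
    Where-Object { $_ -ne '' }

# Anything beyond the defaults deserves a look (hosts hijacks redirect names this way)
$unexpected = @($active | Where-Object { $expected -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Host "Hosts entries beyond the defaults (review each one):"
    $unexpected | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "Hosts file contains only the default localhost entries."
}

# Per-user proxy settings used by Internet Explorer / Internet Options
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1) {
    Write-Host "Proxy is ENABLED: $($inet.ProxyServer)"
} else {
    Write-Host "Proxy is not enabled."
}
if ($inet.AutoConfigURL) {
    Write-Host "An automatic configuration script (PAC) is set: $($inet.AutoConfigURL)"
}
```

Comparison of hosts entries is case-insensitive (PowerShell's default for -notcontains), and tabs or multiple spaces between address and name are normalised before the comparison so a legitimately formatted default line is not reported as unexpected.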
-
-
Infected were.
Windows\System32\InstallShield
Windows\Winsxs\isdel.exe
----------------
Jacee, I did as per your instructions. sfc /scannow is still a no go. Everything still seems to work okay. New log.
Attachment 239615
Thank you both for your help.
-
Download TFC (Temp File Cleaner by OldTimer, from the Geeks to Go Forums) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
You should be good to go.
-
Infected were.
Windows\System32\InstallShield
Windows\Winsxs\isdel.exe
----------------
Jacee, I did as per your instructions. sfc /scannow is still a no go. Everything still seems to work okay. New log.
Attachment 239615
Thank you both for your help.
That's a false positive. MBAM picked it up on my laptop with a freshly installed OS. Also, I restored it from the other laptop, which caught it first, after finding out that it flagged my fresh new laptop.
-
-
I run security scans at least once every 2 days and the Zbot was never there before. So I don't think it's a false positive. I have removed it. It's gone. My problem is getting sfc /scannow to give a clean bill of health. Between Normal and Safe mode I have run it over 20 times. If I gave you a list of the things I have done, you would think I had been drinking too much.
--
I'm unable to run TFC in Normal or Safe mode. It just freezes my computer. I have removed and installed it 3 times. I have used CCleaner, Disk Cleaner Extended, and %temp% many times. Never before have I had a problem with sfc /scannow giving the system files a clean bill of health. Every time I run sfc /scannow the log gets bigger.
New cbs log.
Attachment 239710
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\System32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log
C:\Windows\System32>
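The sfc output above points at CBS.log, which the poster could not upload because it was too large. Almost all of that file is servicing noise; the System File Checker's own entries are tagged [SR], and the lines that matter read "Cannot repair member file ... "name"". The added PowerShell script below (not from this thread or from Microsoft) extracts those entries the same way Microsoft's documented findstr /c:"[SR]" filter does, writes them to a much smaller sfcdetails.txt on the desktop, and lists the file names SFC reported it could not repair. It assumes the default CBS.log path under %SystemRoot%\Logs\CBS and the [SR] line format that Windows 7's SFC writes.

```powershell
# Added example: reduce a large CBS.log to the SFC ([SR]) entries and
# summarise which files could not be repaired. Read-only; run elevated so
# the log is readable.
$cbsLog  = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'sfcdetails.txt'

# Select-String streams the file, so a log of several hundred MB is fine.
# -SimpleMatch treats "[SR]" literally instead of as a regex character class.
$srLines = Select-String -Path $cbsLog -SimpleMatch '[SR]' |
    ForEach-Object { $_.Line }

# This is the small file that is practical to post in a thread
$srLines | Set-Content -Path $outFile

# SFC names each member file it could not repair, e.g.
#   [SR] Cannot repair member file [l:24{12}]"example.dll" of Package, ...
# Capture the quoted file name after the length/hash bracket (format assumed).
$unrepaired = $srLines | ForEach-Object {
    if ($_ -match 'Cannot repair member file \[[^\]]*\]"([^"]+)"') { $Matches[1] }
} | Sort-Object -Unique

Write-Host ("{0} [SR] entries written to {1}" -f $srLines.Count, $outFile)
if ($unrepaired) {
    Write-Host "Files SFC reported it could not repair:"
    $unrepaired | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No 'Cannot repair member file' entries found."
}
```

Because the same [SR] lines are appended on every sfc /scannow run, the unique list of names is what tells you whether the set of unrepairable files is stable across runs or changing, which is the question the rest of this thread is circling.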
-
Okay, download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
- Double click combofix.exe and follow the prompts.
- When finished, it will produce a log for you.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply
After rebooting ensure your Security applications have been re-enabled.
-
I run security scans at least once every 2 days and the Zbot was never there before. So I don't think it's a false positive.
That only means it wasn't being picked up in the MBAM definitions as a false positive at that time, but is now. Happens all the time with false positives. Doesn't discount it as a FP like CanIHaz mentioned.
-
Thank you Jacee. I have printed your instructions and will shift to my other computer.
I understand it could have been a false positive. That doesn't explain why, after getting Zbot and removing it, my system files are not correct and will not allow themselves to be corrected. That is my concern.
I do thank you all for your concerns and input.
Last edited by Layback Bear; 03 Nov 2012 at 00:57.