Avast WEBforum

Other => General Topics => Topic started by: Hermie on August 06, 2012, 09:14:26 AM

Title: ZBOT OUT
Post by: Hermie on August 06, 2012, 09:14:26 AM
Hi guys, yesterday I did a scan with Malwarebytes Anti Malware which found spyware Zbot.out.
Three files I have put in quarantine, and restarted the computer.
Then I did a start-up scan with Avast Free, nothing was detected.
This morning I deleted the MAM quarantined files.
Is this enough, can I be sure that ZBOT OUT has been completely removed from my computer?
How to check to be sure?
 
Title: Re: ZBOT OUT
Post by: true indian on August 06, 2012, 10:16:18 AM
Were the 3 Zbot files detected by avast!??
Title: Re: ZBOT OUT
Post by: Hermie on August 06, 2012, 12:57:37 PM
No, the three files were detected by Malwarebytes Anti Malware.
What to do next, please advise, thanks. (to get rid of any trojan)
Title: Re: ZBOT OUT
Post by: bob3160 on August 06, 2012, 03:17:29 PM
@ Hermie,
I've alerted jeffce who is one of our resident malware removal specialists.
With a little patience on your part, he should be helping you soon.
Attaching the detection log from Malwarebytes would also be of help to jeffce :)
Title: Re: ZBOT OUT
Post by: polonus on August 06, 2012, 03:26:09 PM
Hi Hermie,

If you were lucky, Spyware.Zbot.OUT was quarantined and deleted by MBAM. But we have to wait for a qualified removal expert to check your logs to see if this is indeed so.

polonus
Title: Re: ZBOT OUT
Post by: jeffce on August 06, 2012, 05:25:11 PM
Please post the MBAM log and we can go from there.  :)
Title: Re: ZBOT OUT
Post by: Hermie on August 06, 2012, 07:18:43 PM
I wanna say thanks to bob3160, polonus and jeffce for their replies.
I have deleted the files detected by MAM, so I'm unable to post the files.
Positive: files detected by MAM were located at:
C:\Toshiba\Drivers\HD-DVDPlayer\DirectX\tdxinstall.exe
C:\Toshiba\Drivers\HD-DVDPlayer\nVdia\tdxinstall.exe
C:\Toshiba\Drivers\HD-DVDPlayerATI\tdxinstall.exe
Rescanning with MAM and Avast Free start-up scan did not detect any virus/trojan. Hurrah? Who knows.
Title: Re: ZBOT OUT
Post by: Pondus on August 06, 2012, 07:24:11 PM
When you open Malwarebytes you find a Logs tab at the top.
Find the log that shows what was detected and removed.....post that log
Title: Re: ZBOT OUT
Post by: Hermie on August 06, 2012, 07:41:58 PM
Hi Pondus, here we go:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Databaseversie: v2012.08.05.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Herman :: PC_VAN_EVI [administrator]

5-8-2012 14:34:26
mbam-log-2012-08-05 (14-34-26).txt

Scantype: Volledige scan (C:\|E:\|G:\|)
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 421983
Verstreken tijd: 1 uur/uren, 50 minuut/minuten, 53 seconde(n)

Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 3 (THE THREE DETECTED FILES)
C:\Toshiba\Drivers\HD-DVD Player\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player nVidia\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.

(einde)
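As an added example (not code from the thread, from Malwarebytes or from the forum helpers), a small Python helper that parses the MBAM log format shown above, tallies how many copies of one file a single signature hit, and hashes any detected file that still exists so it can be looked up on VirusTotal by hash before anything is deleted from quarantine. The sample log is an excerpt of the post; the hash-and-look-up step is my assumption of how a suspected false positive would be verified.

```python
import hashlib
import os
import re
from collections import Counter
from typing import Dict, List, Optional

# Excerpt of the MBAM log posted above (Dutch locale), embedded as sample input.
# MBAM writes "<path> (<detection>) -> <action>"; the action here reads
# "successfully quarantined and removed".
SAMPLE_LOG = r"""Bestanden gedetecteerd: 3
C:\Toshiba\Drivers\HD-DVD Player\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player nVidia\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.

(einde)
"""

# One file-detection line: drive-letter path, detection name in parentheses, action.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_detections(log_text: str) -> List[Dict[str, str]]:
    """Return path, detection name and action for every file-detection line."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_if_present(path: str) -> Optional[str]:
    """Hash a still-present file so it can be looked up on VirusTotal by hash (no
    upload needed). None means the file is gone, as after deleting from quarantine."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return sha256_bytes(f.read())


def summarize(hits: List[Dict[str, str]]) -> Dict[tuple, int]:
    """Count detections per (file name, signature). One signature firing on several
    copies of the same OEM installer, as in this thread, is worth verifying first."""
    return dict(Counter((os.path.basename(h["path"].replace("\\", "/")), h["name"])
                        for h in hits))


def triage(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Each detection paired with the hash you would look up, or None if already gone."""
    return [{**h, "sha256": sha256_if_present(h["path"])} for h in parse_detections(log_text)]
```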
Title: Re: ZBOT OUT
Post by: Pondus on August 06, 2012, 07:52:08 PM
To me that looks like it may be a false positive........
But no way of checking that when you have deleted the files from the Malwarebytes quarantine.

Wait and see what jeff has to say...
Title: Re: ZBOT OUT
Post by: Hermie on August 06, 2012, 08:18:28 PM
I'm now receiving spam like this one:

From: 杰 何 <hejie007200@yahoo.com.cn>
Message: hxxp://arab4x4.com/wp-content/themes/city/z6p39qkg.php
8/6/2012 7:23:12 AM

Chinese spam?
Title: Re: ZBOT OUT
Post by: polonus on August 06, 2012, 08:49:02 PM
Hi Hermie,

Break that live link. Put in hxtp for http, please. IDS alert here: http://urlquery.net/report.php?id=116632
Malicious external elements: http://zulu.zscaler.com/submission/show/5741d26ade9a0561f49c76017683060f-1344278123
Script given, see: http://www.mywot.com/en/scorecard/greatworkinfo.com?utm_source=addon&utm_content=popup-donuts
spam site and spamming mail address specially created, see: http://www.mmm168.info/add/q442.txt

polonus
Title: Re: ZBOT OUT
Post by: Hermie on August 06, 2012, 09:46:50 PM
Of course I don't respond to any email messages from unknown persons.
Now on to the Zbot issue: how to check whether I'm still affected, and how to eventually remove the trojan?
Thanks in advance, I shall be looking forward to hearing from you guys.
Title: Re: ZBOT OUT
Post by: jeffce on August 06, 2012, 11:21:22 PM
Hi,

Those look ok but let's send one to VirusTotal.

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click  VirusTotal (http://www.virustotal.com)

Browse to the following and press Open  (one at a time if more than one file is listed)

C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe


Click "Scan It", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

Title: Re: ZBOT OUT
Post by: Hermie on August 07, 2012, 08:37:54 AM
Thanks jeffce for your reply.
Strange, I can't find the exe files found by MAM anymore under the path listed on my computer.
Therefore I'm unable to check files with virustotal.com.
Title: Re: ZBOT OUT
Post by: Pondus on August 07, 2012, 09:32:01 AM
What is so strange about that.......in your first reply you say MBAM quarantined them.....and later you deleted the files from quarantine.


Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
Title: Re: ZBOT OUT
Post by: jeffce on August 07, 2012, 01:30:20 PM
Hi,

Sorry about that..... you did already remove those files so we can't check them now.  Let's get a good look over and see what else might be there just in case.

Please visit the site located here (http://forum.avast.com/index.php?topic=53253.0).  Follow the directions
for running OTL and aswMBR.exe and then attach the logs that are created to your next reply.  :)

---------
Title: Re: ZBOT OUT
Post by: Hermie on August 07, 2012, 07:37:14 PM
Hi jeffce, here we go, OTL file see attachment.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-07 19:03:58
-----------------------------
19:03:58.561    OS Version: Windows 6.0.6002 Service Pack 2
19:03:58.561    Number of processors: 2 586 0xF0D
19:03:58.577    ComputerName: PC_VAN_EVI  UserName: Herman
19:04:01.681    Initialize success
19:04:02.617    AVAST engine defs: 12080700
19:04:33.973    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:04:33.989    Disk 0 Vendor: FUJITSU_ 0040 Size: 114473MB BusType: 3
19:04:34.004    Disk 0 MBR read successfully
19:04:34.004    Disk 0 MBR scan
19:04:34.020    Disk 0 Windows VISTA default MBR code
19:04:34.020    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
19:04:34.051    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        57000 MB offset 3074048
19:04:34.082    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        55971 MB offset 119810048
19:04:34.098    Disk 0 scanning sectors +234438656
19:04:34.176    Disk 0 scanning C:\Windows\system32\drivers
19:04:48.466    Service scanning
19:05:14.284    Modules scanning
19:05:22.630    Disk 0 trace - called modules:
19:05:23.176    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
19:05:23.176    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b66288]
19:05:23.191    3 CLASSPNP.SYS[8891c8b3] -> nt!IofCallDriver -> [0x85f5a670]
19:05:23.207    5 acpi.sys[82e9d6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85a4d030]
19:05:23.956    AVAST engine scan C:\Windows
19:05:26.452    AVAST engine scan C:\Windows\system32
19:07:59.238    AVAST engine scan C:\Windows\system32\drivers
19:08:17.162    AVAST engine scan C:\Users\Herman
19:21:49.314    AVAST engine scan C:\ProgramData
19:25:37.885    Scan finished successfully
19:28:09.324    Disk 0 MBR has been saved successfully to "C:\Users\Herman\Desktop\MBR.dat"
19:28:09.340    The log file has been saved successfully to "C:\Users\Herman\Desktop\aswMBR.txt"


Title: Re: ZBOT OUT
Post by: jeffce on August 08, 2012, 05:06:53 AM
Looks pretty good so far.... 

Run OTL.exe
Code:
:Services

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
----------
Title: Re: ZBOT OUT
Post by: Hermie on August 08, 2012, 10:21:11 AM
Thanks pondus for your link about the MAM clean, quarantine, delete issue.

Jeffce, OTL scan #1: all users selected, with your "text" used.

Rebooted the computer.

OTL scan #2: all users selected. without your "text" used.

Log OTL scan #2: see attachment.



 
Title: Re: ZBOT OUT
Post by: Pondus on August 08, 2012, 10:33:41 AM
Quote
Thanks pondus for your link about the MAM clean, quarantine, delete issue.
Next time don't hurry so much with deleting what's in there....as it can do no harm from quarantine.
When you delete you have no option left and cannot check if the files were wrongly detected....and I suspect they were in this case, as the file path and name indicate a factory installed Toshiba program.
Title: Re: ZBOT OUT
Post by: Hermie on August 08, 2012, 11:07:34 AM
Pondus you're right, I know exactly what to do next time. Regards, Hermie
Title: Re: ZBOT OUT
Post by: Pondus on August 08, 2012, 12:23:04 PM
Posted this in the Malwarebytes forum, and they confirm it was a False Positive detection.
So since you deleted from quarantine there is no way of restoring the files, meaning you must reinstall those files/programs to get them back.....if you need them.


http://forums.malwarebytes.org/index.php?showtopic=113837

Title: Re: ZBOT OUT
Post by: jeffce on August 08, 2012, 01:49:09 PM
Hi,

If your Malwarebytes logs are coming up clean now then I think you are good to go.  :)
Title: Re: ZBOT OUT
Post by: Hermie on August 08, 2012, 07:35:00 PM
Hello pondus and jeffce thanks for your replies.
False positive by MAM, mmm, it happens now and then, though it should not happen.
Computer still runs perfectly.
I wanna say thanks to all members who responded to this thread, you all did a great job, THANK YOU.
Guess I have to add RESOLVED to the subject? Please advise, thanks.