Avast WEBforum
Other => General Topics => Topic started by: Hermie on August 06, 2012, 09:14:26 AM
-
Hi guys, yesterday I did a scan with Malwarebytes Anti Malware which found spyware Zbot.out.
Three files I have put in quarantine, and restarted the computer.
Then I did a start-up scan with Avast Free, nothing was detected.
This morning I deleted the MAM quarantined files.
Is this enough, can I be sure that ZBOT OUT has been completely removed from my computer?
How to check to be sure?
-
were the 3 zbot files detected by avast! ??
-
No, the three files were detected by Malwarebytes Anti Malware.
What to do next, please advise, thanks. (to get rid of any trojan)
-
@ Hermie,
I've alerted jeffce who is one of our resident malware removal specialists.
With a little patience on your part, he should be helping you soon.
Attaching the detection log from Malwarebytes would also be of help to jeffce :)
-
Hi Hermie,
If you were lucky, Spyware.Zbot.OUT was quarantined and deleted by MBAM. But we have to wait for a qualified removal expert to check your logs to see if this is indeed so.
polonus
-
Please post the MBAM log and we can go from there. :)
-
I wanna say thanks to bob3160, polonus and jeffce for their replies.
I have deleted the files detected by MAM, so I'm unable to post the files.
Positive: files detected by MAM were located at:
C:\Toshiba\Drivers\HD-DVDPlayer\DirectX\tdxinstall.exe
C:\Toshiba\Drivers\HD-DVDPlayer\nVdia\tdxinstall.exe
C:\Toshiba\Drivers\HD-DVDPlayerATI\tdxinstall.exe
Rescanning with MAM and Avast Free start-up scan did not detect any virus/trojan. Hurrah? Who knows.
-
When you open malwarebytes you find a log tab at the top
Find the log that shows what was detected and removed.....post that log
-
Hi Pondus, here we go:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Databaseversie: v2012.08.05.05
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Herman :: PC_VAN_EVI [administrator]
5-8-2012 14:34:26
mbam-log-2012-08-05 (14-34-26).txt
Scantype: Volledige scan (C:\|E:\|G:\|)
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 421983
Verstreken tijd: 1 uur/uren, 50 minuut/minuten, 53 seconde(n)
Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Bestanden gedetecteerd: 3 (THE THREE DETECTED FILES)
C:\Toshiba\Drivers\HD-DVD Player\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player nVidia\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
(einde)
-
To me that looks like it may be false positive........
But no way of checking that when you have deleted the files from malwarebytes quarantine
Wait and see what jeff has to say...
-
I'm now receiving spam like this one:
From: 杰 何 <hejie007200@yahoo.com.cn>
Message: hxxp://arab4x4.com/wp-content/themes/city/z6p39qkg.php
8/6/2012 7:23:12 AM
Chinese spam?
-
Hi Hermie,
Break that live link. Put in hxtp for http, please. IDS alert here: http://urlquery.net/report.php?id=116632
Malicious external elements: http://zulu.zscaler.com/submission/show/5741d26ade9a0561f49c76017683060f-1344278123
Script given, see: http://www.mywot.com/en/scorecard/greatworkinfo.com?utm_source=addon&utm_content=popup-donuts
spam site and spamming mail address specially created, see: http://www.mmm168.info/add/q442.txt
polonus
-
Of course I don't respond to any email messages from unknown persons.
Now on to the Zbot issue: how to check whether I'm still affected, and how to eventually remove the trojan?
Thanks in advance, I shall be looking forward to hearing from you guys.
-
Hi,
Those look ok but let's send one to Virus Total.
I need some information on some unidentified files. We will use Virustotal. Please submit these files for analysis.
To submit a file to virustotal, please click VirusTotal (http://www.virustotal.com)
Browse to the following and press Open (one at a time if more than one file is listed)
C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe
Click "Scan It", wait for the results and post them in your next reply.
Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
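The VirusTotal step above only works while a copy of the detected file still exists, which is exactly what went wrong in this thread once the quarantine was emptied. As an added example (not part of the original thread or any tool discussed in it), this script parses the "Bestanden gedetecteerd" section of an MBAM 1.x log like the one posted earlier, and for each detection computes the SHA-256 that can be looked up on VirusTotal without uploading anything, reporting when the file is already gone. The log excerpt and the file contents are constructed; the paths are the ones from the thread.

```python
import hashlib
import os
import re
import tempfile

# Constructed excerpt of an MBAM 1.x log in the thread's Dutch locale.
SAMPLE_LOG = """Bestanden gedetecteerd: 3
C:\\Toshiba\\Drivers\\HD-DVD Player\\DirectX\\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\\Toshiba\\Drivers\\HD-DVD Player ATI\\DirectX\\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
(einde)
"""

# One detection line: <drive path> (<detection name>) -> <action taken>
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_detections(log_text):
    """Return (path, detection_name, action) for every line in the files section."""
    found, in_files = [], False
    for line in log_text.splitlines():
        if line.startswith("Bestanden gedetecteerd:"):
            in_files = True
            continue
        if not in_files:
            continue
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("name"), m.group("action")))
        elif line.startswith("("):  # "(einde)" or "(Geen ... gedetecteerd)" closes the section
            break
    return found


def sha256_of(path):
    """Hash the file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_report(detections, resolve=lambda p: p):
    """(path, detection, sha256) per detection; sha256 is None when the file no longer exists.
    `resolve` maps the logged Windows path to where a copy actually lives (e.g. a quarantine export)."""
    return [(p, n, sha256_of(resolve(p)) if os.path.isfile(resolve(p)) else None)
            for p, n, _ in detections]


def demo():
    """Stand-alone run: the ATI copy still exists (constructed file), the other was already deleted."""
    present = os.path.join(tempfile.mkdtemp(), "tdxinstall.exe")
    with open(present, "wb") as f:
        f.write(b"constructed sample, not the real Toshiba binary")
    return hash_report(parse_detections(SAMPLE_LOG),
                       resolve=lambda p: present if "Player ATI" in p else p)


if __name__ == "__main__":
    for path, name, digest in demo():
        print(f"{name}: {path} -> {digest or 'file no longer present; nothing to look up'}")
```

Searching VirusTotal by the printed SHA-256 shows whether other engines already know the file before anything is uploaded or deleted.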
-
Thanks jeffce for your reply.
Strange, I can't find the exe files found by MAM anymore under the path listed on my computer.
Therefore I'm unable to check files with virustotal.com.
-
what is so strange about that.......in your first reply you say MBAM quarantined them.....and later you deleted the files from quarantine
Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
-
Hi,
Sorry about that..... you did already remove those files so we can't check them now. Let's get a good look over and see what else might be there just in case.
Please visit the site located here (http://forum.avast.com/index.php?topic=53253.0). Follow the directions
for running OTL and aswMBR.exe and then attach the logs that are created to your next reply. :)
---------
-
Hi jeffce, here we go, OTL file see attachment.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-07 19:03:58
-----------------------------
19:03:58.561 OS Version: Windows 6.0.6002 Service Pack 2
19:03:58.561 Number of processors: 2 586 0xF0D
19:03:58.577 ComputerName: PC_VAN_EVI UserName: Herman
19:04:01.681 Initialize success
19:04:02.617 AVAST engine defs: 12080700
19:04:33.973 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:04:33.989 Disk 0 Vendor: FUJITSU_ 0040 Size: 114473MB BusType: 3
19:04:34.004 Disk 0 MBR read successfully
19:04:34.004 Disk 0 MBR scan
19:04:34.020 Disk 0 Windows VISTA default MBR code
19:04:34.020 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
19:04:34.051 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 57000 MB offset 3074048
19:04:34.082 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 55971 MB offset 119810048
19:04:34.098 Disk 0 scanning sectors +234438656
19:04:34.176 Disk 0 scanning C:\Windows\system32\drivers
19:04:48.466 Service scanning
19:05:14.284 Modules scanning
19:05:22.630 Disk 0 trace - called modules:
19:05:23.176 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
19:05:23.176 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b66288]
19:05:23.191 3 CLASSPNP.SYS[8891c8b3] -> nt!IofCallDriver -> [0x85f5a670]
19:05:23.207 5 acpi.sys[82e9d6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85a4d030]
19:05:23.956 AVAST engine scan C:\Windows
19:05:26.452 AVAST engine scan C:\Windows\system32
19:07:59.238 AVAST engine scan C:\Windows\system32\drivers
19:08:17.162 AVAST engine scan C:\Users\Herman
19:21:49.314 AVAST engine scan C:\ProgramData
19:25:37.885 Scan finished successfully
19:28:09.324 Disk 0 MBR has been saved successfully to "C:\Users\Herman\Desktop\MBR.dat"
19:28:09.340 The log file has been saved successfully to "C:\Users\Herman\Desktop\aswMBR.txt"
-
Looks pretty good so far....
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------
-
Thanks pondus for your link about the MAM clean, quarantine, delete issue.
Jeffce, OTL scan #1: all users selected, with your "text" used.
Rebooted the computer.
OTL scan #2: all users selected. without your "text" used.
Log OTL scan #2: see attachment.
-
Thanks pondus for your link about the MAM clean, quarantine, delete issue.
next time don't hurry so much with deleting what's in there....as it can do no harm from quarantine
when you delete you have no option left and can not check if the files were wrongly detected....and I suspect they were in this case, as the file path and name indicate a factory installed toshiba program
-
Pondus you're right, I know exactly what to do next time. Regards, Hermie
-
posted this in Malwarebytes forum, and they confirm it was a False Positive detection
so since you deleted from quarantine there is no way of restoring the files, meaning you must reinstall those files/programs to get them back.....if you need them
http://forums.malwarebytes.org/index.php?showtopic=113837
-
Hi,
If your Malwarebytes logs are coming up clean now then I think you are good to go. :)
-
Hello pondus and jeffce thanks for your replies.
False positive by MAM, mmm, it happens now and then, though it should not happen.
Computer still runs perfectly.
I wanna say thanks to all members who responded to this thread, you all did a great job, THANK YOU.
Guess I have to add RESOLVED to the subject? Please advise, thanks.