Author Topic: ZBOT OUT  (Read 8310 times)


Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
ZBOT OUT
« on: August 06, 2012, 09:14:26 AM »
Hi guys, yesterday I did a scan with Malwarebytes Anti Malware which found spyware Zbot.out.
I put three files in quarantine and restarted the computer.
Then I did a start-up scan with Avast Free; nothing was detected.
This morning I deleted the MAM quarantined files.
Is this enough? Can I be sure that ZBOT OUT has been completely removed from my computer?
How do I check to be sure?
 

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 712
  • A Good Old Indian!
Re: ZBOT OUT
« Reply #1 on: August 06, 2012, 10:16:18 AM »
Were the 3 Zbot files detected by avast!?

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #2 on: August 06, 2012, 12:57:37 PM »
No, the three files were detected by Malwarebytes Anti Malware.
What to do next? Please advise, thanks (to get rid of any trojan).

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 41986
  • 59 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: ZBOT OUT
« Reply #3 on: August 06, 2012, 03:17:29 PM »
@ Hermie,
I've alerted jeffce who is one of our resident malware removal specialists.
With a little patience on your part, he should be helping you soon.
Attaching the detection log from Malwarebytes would also be of help to jeffce :)
« Last Edit: August 06, 2012, 03:34:41 PM by bob3160 »
Free avast! Security Seminar: https://goo.gl/kh3cqR  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1903 64bit, 8 Gig Ram, AvastFree 19.6.xxxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31972
  • malware fighter
Re: ZBOT OUT
« Reply #4 on: August 06, 2012, 03:26:09 PM »
Hi Hermie,

If you were lucky, Spyware.Zbot.OUT was quarantined and deleted by MBAM. But we have to wait for a qualified removal expert to check your logs to see if this is indeed so.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: ZBOT OUT
« Reply #5 on: August 06, 2012, 05:25:11 PM »
Please post the MBAM log and we can go from there.  :)

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #6 on: August 06, 2012, 07:18:43 PM »
I wanna say thanks to bob3160, polonus and jeffce for their replies.
I have deleted the files detected by MAM, so I'm unable to post the files.
Positive: files detected by MAM were located at:
C:\Toshiba\Drivers\HD-DVDPlayer\DirectX\tdxinstall.exe
C:\Toshiba\Drivers\HD-DVDPlayer\nVdia\tdxinstall.exe
C:\Toshiba\Drivers\HD-DVDPlayerATI\tdxinstall.exe
Rescanning with MAM and Avast Free start-up scan did not detect any virus/trojan. Hurrah? Who knows.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36325
  • Weihrauch Airguns
Re: ZBOT OUT
« Reply #7 on: August 06, 2012, 07:24:11 PM »
When you open Malwarebytes you find a log tab at the top.
Find the log that shows what was detected and removed..... post that log.

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #8 on: August 06, 2012, 07:41:58 PM »
Hi Pondus, here we go:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Databaseversie: v2012.08.05.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Herman :: PC_VAN_EVI [administrator]

5-8-2012 14:34:26
mbam-log-2012-08-05 (14-34-26).txt

Scantype: Volledige scan (C:\|E:\|G:\|)
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 421983
Verstreken tijd: 1 uur/uren, 50 minuut/minuten, 53 seconde(n)

Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 3 (THE THREE DETECTED FILES)
C:\Toshiba\Drivers\HD-DVD Player\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player nVidia\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.

(einde)

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36325
  • Weihrauch Airguns
Re: ZBOT OUT
« Reply #9 on: August 06, 2012, 07:52:08 PM »
To me that looks like it may be a false positive........
But there is no way of checking that when you have deleted the files from the Malwarebytes quarantine.

Wait and see what jeff has to say...

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #10 on: August 06, 2012, 08:18:28 PM »
I'm now receiving spam like this one:

From: 杰 何 <hejie007200@yahoo.com.cn>
Message: hxxp://arab4x4.com/wp-content/themes/city/z6p39qkg.php
8/6/2012 7:23:12 AM

Chinese spam?
« Last Edit: August 07, 2012, 12:02:23 AM by igor »

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31972
  • malware fighter
Re: ZBOT OUT
« Reply #11 on: August 06, 2012, 08:49:02 PM »
Hi Hermie,

Break that live link. Put in hxtp for http, please. IDS alert here: http://urlquery.net/report.php?id=116632
Malicious external elements: http://zulu.zscaler.com/submission/show/5741d26ade9a0561f49c76017683060f-1344278123
Script given, see: http://www.mywot.com/en/scorecard/greatworkinfo.com?utm_source=addon&utm_content=popup-donuts
spam site and spamming mail address specially created, see: http://www.mmm168.info/add/q442.txt

polonus

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #12 on: August 06, 2012, 09:46:50 PM »
Of course I don't respond to any email messages from unknown persons.
Now on to the Zbot issue: how do I check whether I'm still affected, and how do I eventually remove the trojan?
Thanks in advance; I shall be looking forward to hearing from you guys.

Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: ZBOT OUT
« Reply #13 on: August 06, 2012, 11:21:22 PM »
Hi,

Those look ok, but let's send one to VirusTotal.

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click  VirusTotal

Browse to the following and press Open  (one at a time if more than one file is listed)

C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe


Click "Scan It", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
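The two checks the helpers ask for above are mechanical: pull the detected paths out of the Malwarebytes log (reply #8) and find out whether those files can still be handed to VirusTotal (reply #13). The script below is an added example and not code from the thread, Malwarebytes or VirusTotal. It parses the Dutch-language MBAM detection lines quoted in the thread, compares the count against the "Bestanden gedetecteerd" header, and, for each path, hashes the file if it is still on disk or reports it as missing, which is what happens once the quarantine has been emptied. The VirusTotal hash-lookup URL form is assumed from its web interface; the sample log text is constructed from the lines posted above.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "files detected" section of the MBAM 1.62 log
# posted in this thread (Dutch build). Header label and line layout are
# what MBAM emitted; the paths are the ones quoted in reply #8.
SAMPLE_LOG = r"""Bestanden gedetecteerd: 3
C:\Toshiba\Drivers\HD-DVD Player\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player ATI\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Toshiba\Drivers\HD-DVD Player nVidia\DirectX\tdxinstall.exe (Spyware.Zbot.OUT) -> Succesvol in quarantaine geplaatst en verwijderd.

(einde)
"""

# One MBAM detection line: <drive path> (<detection name>) -> <action taken>.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)
# "Bestanden gedetecteerd: N" is the files-detected header in the Dutch build.
COUNT_RE = re.compile(r"^Bestanden gedetecteerd: (\d+)")


@dataclass
class Detection:
    path: str
    name: str
    action: str


@dataclass
class FileStatus:
    path: str
    state: str                     # "present" or "missing"
    sha256: Optional[str] = None
    lookup_url: Optional[str] = None


def parse_detections(log_text: str) -> List[Detection]:
    """Extract every '<path> (<name>) -> <action>' line from an MBAM log."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["name"], m["action"]))
    return found


def declared_count(log_text: str) -> Optional[int]:
    """Number of files the log header says were detected (None if absent)."""
    for line in log_text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup_url(sha256: str) -> str:
    """VirusTotal report page for a hash (URL form assumed from the web UI)."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def check_on_disk(detections: List[Detection]) -> List[FileStatus]:
    """Hash each detected path that still exists; flag the rest as missing.
    Missing is the expected result after quarantine was emptied (reply #14):
    nothing is left to upload, so a false positive can no longer be proven."""
    out = []
    for d in detections:
        if os.path.isfile(d.path):
            digest = sha256_file(d.path)
            out.append(FileStatus(d.path, "present", digest, vt_lookup_url(digest)))
        else:
            out.append(FileStatus(d.path, "missing"))
    return out


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LOG)
    header = declared_count(SAMPLE_LOG)
    print(f"header says {header} file(s), parsed {len(dets)} detection line(s)")
    for status in check_on_disk(dets):
        print(f"{status.state:8} {status.path}")
        if status.sha256:
            print(f"         sha256={status.sha256}\n         {status.lookup_url}")
```

Run it on the real log file with `parse_detections(open("mbam-log-2012-08-05 (14-34-26).txt", encoding="utf-8").read())` on the affected machine. A hash lookup only helps if VirusTotal has already seen that exact file; for an unknown binary you still need the upload the helper asked for, which is why keeping quarantined files until an expert has looked at them matters.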


Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #14 on: August 07, 2012, 08:37:54 AM »
Thanks jeffce for your reply.
Strange, I can't find the exe files found by MAM anymore under the path listed on my computer.
Therefore I'm unable to check files with virustotal.com.