Author Topic: ZBOT OUT  (Read 8164 times)


Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35972
Re: ZBOT OUT
« Reply #15 on: August 07, 2012, 09:32:01 AM »
What is so strange about that? In your first reply you say MBAM quarantined them, and later you deleted the files from quarantine.


Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: ZBOT OUT
« Reply #16 on: August 07, 2012, 01:30:20 PM »
Hi,

Sorry about that..... you did already remove those files so we can't check them now.  Let's get a good look over and see what else might be there just in case.

Please visit the site located here.  Follow the directions for running OTL and aswMBR.exe and then attach the logs that are created to your next reply.  :)

---------

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #17 on: August 07, 2012, 07:37:14 PM »
Hi jeffce, here we go, OTL file see attachment.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-07 19:03:58
-----------------------------
19:03:58.561    OS Version: Windows 6.0.6002 Service Pack 2
19:03:58.561    Number of processors: 2 586 0xF0D
19:03:58.577    ComputerName: PC_VAN_EVI  UserName: Herman
19:04:01.681    Initialize success
19:04:02.617    AVAST engine defs: 12080700
19:04:33.973    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:04:33.989    Disk 0 Vendor: FUJITSU_ 0040 Size: 114473MB BusType: 3
19:04:34.004    Disk 0 MBR read successfully
19:04:34.004    Disk 0 MBR scan
19:04:34.020    Disk 0 Windows VISTA default MBR code
19:04:34.020    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
19:04:34.051    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        57000 MB offset 3074048
19:04:34.082    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        55971 MB offset 119810048
19:04:34.098    Disk 0 scanning sectors +234438656
19:04:34.176    Disk 0 scanning C:\Windows\system32\drivers
19:04:48.466    Service scanning
19:05:14.284    Modules scanning
19:05:22.630    Disk 0 trace - called modules:
19:05:23.176    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
19:05:23.176    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b66288]
19:05:23.191    3 CLASSPNP.SYS[8891c8b3] -> nt!IofCallDriver -> [0x85f5a670]
19:05:23.207    5 acpi.sys[82e9d6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85a4d030]
19:05:23.956    AVAST engine scan C:\Windows
19:05:26.452    AVAST engine scan C:\Windows\system32
19:07:59.238    AVAST engine scan C:\Windows\system32\drivers
19:08:17.162    AVAST engine scan C:\Users\Herman
19:21:49.314    AVAST engine scan C:\ProgramData
19:25:37.885    Scan finished successfully
19:28:09.324    Disk 0 MBR has been saved successfully to "C:\Users\Herman\Desktop\MBR.dat"
19:28:09.340    The log file has been saved successfully to "C:\Users\Herman\Desktop\aswMBR.txt"



Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: ZBOT OUT
« Reply #18 on: August 08, 2012, 05:06:53 AM »
Looks pretty good so far.... 

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #19 on: August 08, 2012, 10:21:11 AM »
Thanks pondus for your link about the MAM clean, quarantine, delete issue.

Jeffce, OTL scan #1: all users selected, with your "text" used.

Rebooted the computer.

OTL scan #2: all users selected, without your "text" used.

Log OTL scan #2: see attachment.



 

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35972
Re: ZBOT OUT
« Reply #20 on: August 08, 2012, 10:33:41 AM »
Quote
Thanks pondus for your link about the MAM clean, quarantine, delete issue.
Next time don't hurry so much with deleting what's in there, as it can do no harm from quarantine.
When you delete you have no option left and cannot check if the files were wrongly detected, and I suspect they were in this case, as the file path and name indicate a factory-installed Toshiba program.
« Last Edit: August 08, 2012, 10:37:07 AM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #21 on: August 08, 2012, 11:07:34 AM »
Pondus you're right, I know exactly what to do next time. Regards, Hermie

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35972
Re: ZBOT OUT
« Reply #22 on: August 08, 2012, 12:23:04 PM »
Posted this in the Malwarebytes forum, and they confirm it was a false positive detection.
So since you deleted from quarantine there is no way of restoring the files, meaning you must reinstall those files/programs to get them back, if you need them.


http://forums.malwarebytes.org/index.php?showtopic=113837

« Last Edit: August 08, 2012, 12:31:47 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.
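
The difference between quarantining and deleting that the posts above describe, as an added example that is not part of the thread and not Malwarebytes' actual quarantine format: a minimal quarantine store in Python. The XOR scrambling, the file layout and the names `quarantine`, `restore` and `purge` are assumptions made for illustration, and the sample file is constructed.

```python
import hashlib, json, tempfile
from pathlib import Path

XOR_KEY = 0xA5  # constructed value: stored bytes are scrambled so they cannot run
def _scramble(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)

def quarantine(path: Path, store: Path) -> str:
    """Move a detected file into the store, inert but recoverable; return its SHA-256."""
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    store.mkdir(parents=True, exist_ok=True)
    (store / f"{digest}.bin").write_bytes(_scramble(data))
    meta = {"original_path": str(path), "sha256": digest}
    (store / f"{digest}.json").write_text(json.dumps(meta))
    path.unlink()  # the file is gone from its live location
    return digest

def restore(digest: str, store: Path) -> Path:
    """Undo a false positive: verify the stored copy and put it back where it was."""
    meta = json.loads((store / f"{digest}.json").read_text())
    data = _scramble((store / f"{digest}.bin").read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined copy does not match its recorded hash")
    target = Path(meta["original_path"])
    target.write_bytes(data)
    purge(digest, store)
    return target

def purge(digest: str, store: Path) -> None:
    """Delete from quarantine: nothing is left to restore or to submit for re-checking."""
    for suffix in (".bin", ".json"):
        (store / f"{digest}{suffix}").unlink(missing_ok=True)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        store, tool = Path(tmp) / "quarantine", Path(tmp) / "vendor_tool.exe"
        original = b"constructed sample bytes standing in for a vendor program"
        tool.write_bytes(original)
        digest = quarantine(tool, store)       # detection: file leaves its location
        removed = not tool.exists()
        intact = restore(digest, store).read_bytes() == original  # false positive undone
        purge(quarantine(tool, store), store)  # second time: deleted from quarantine
        try:
            restore(digest, store)
            recoverable = True
        except FileNotFoundError:
            recoverable = False
        return {"removed": removed, "intact": intact, "recoverable": recoverable}
```

The recorded SHA-256 is also what lets a quarantined file be checked with the vendor before deciding whether to restore or purge it.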


Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: ZBOT OUT
« Reply #23 on: August 08, 2012, 01:49:09 PM »
Hi,

If your Malwarebytes logs are coming up clean now then I think you are good to go.  :)

Offline Hermie

  • Sr. Member
  • ****
  • Posts: 350
Re: ZBOT OUT
« Reply #24 on: August 08, 2012, 07:35:00 PM »
Hello pondus and jeffce thanks for your replies.
False positive by MAM, mmm, it happens now and then, though it should not happen.
Computer still runs perfectly.
I wanna say thanks to all members who responded to this thread, you all did a great job, THANK YOU.
Guess I have to add RESOLVED to the subject? Please advise, thanks.