Author Topic: win32:Zbot-mou

mahatma

  • Guest
Re: win32:Zbot-mou
« Reply #15 on: January 26, 2010, 09:14:56 AM »
Hello there!
I have the same problem

C:\Windows\Temp\ppxi.tmp\svchost.exe

Win32:Zbot-MOU [Trj]

100125-2, 25/01/2010

but the warning message from avast appears every 3 minutes (not just when I start my laptop). I tried Malwarebytes but it didn't help.
Any ideas?


Dee8to10

  • Guest
Re: win32:Zbot-mou
« Reply #16 on: January 26, 2010, 04:08:42 PM »
Looks like five of us now then!
I slightly stupidly opened an e-mail attachment last night, from someone I know and who may well have sent me something called "surprise.exe" - somewhere around 64kb.
Since then I've had the same problems as the previous posters, win32:Zbot-MOU shows up every few minutes, plus occasionally get a Blocked attempt to contact a malicious site message.

Using Google Search, every time you click on a result Link you are redirected to some other site, usually shopping-related such as Ebay. If you copy the same result Link though, and open it in another window, then you get to the right site.

Every time it happens I get an empty folder with a random 4-letter prefix (e.g. txnp.tmp, aldg.tmp) written to the C:\WINDOWS\TEMP\ directory. Interestingly I also have an Avast folder showing up in the same directory, and I'm interested in finding out if this is a real Avast item, or created by the problem? This also shows up as an empty folder:
C:\WINDOWS\TEMP\_Avast_\Webshlock.txt

I have run an up-to-date version of Malwarebytes, no luck though.
Am using XP Pro, SP3, Firefox.

Hope someone finds a solution soon...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:Zbot-mou
« Reply #17 on: January 26, 2010, 08:49:39 PM »
Gordo134, could you do the following please.

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under the Custom Scan box paste this in:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.


diviesh

  • Guest
Re: win32:Zbot-mou
« Reply #18 on: January 26, 2010, 09:46:46 PM »
Hi, think we can safely say 6 of us on this forum.

My problem is exactly the same as Dee8to10. I have also tried everything I can think of, and I'm an IT Support Tech so I would say that I can be quite thorough, but this one has really stumped me.

I have run the scan and here is my OTS report

http://www.mediafire.com/?tmuzzz5zn32

I really hope someone can help as this one is really bugging me.
I'm using Windows 7, IE8.

Offline essexboy

Re: win32:Zbot-mou
« Reply #19 on: January 26, 2010, 09:58:49 PM »
diviesh, does MBAM detect anything when run?

diviesh

  • Guest
Re: win32:Zbot-mou
« Reply #20 on: January 26, 2010, 10:31:36 PM »
When I first ran it, it detected four items.

Log details listed below

Memory Modules Infected:
C:\Windows\Temp\8FA7.tmp (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe ihrv.kko jpcmqa) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Temp\8FA7.tmp (Backdoor.Bot) -> Delete on reboot.
C:\$Recycle.Bin\S-1-5-21-646173714-2939422159-1688960876-1000\$RBB0YSO.tmp\svchost.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Windows\System32\ihrv.kko (Backdoor.Bot) -> Quarantined and deleted successfully.

I have run it four more times since then, over the last two days, and it's found nothing.
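The Hijack.Shell line in the MBAM log above is the interesting one: the Winlogon Shell value should contain only explorer.exe, and anything appended to it (here rundll32.exe loading a renamed DLL) is started at every logon. As an added check that is not part of the thread, this PowerShell snippet reads the machine-wide key and the per-user Winlogon key and reports any entry other than explorer.exe.

```powershell
# Added example, not from the thread: audit the Winlogon "Shell" value that the
# MBAM log above reported as Hijack.Shell. Windows expects just "explorer.exe";
# extra entries (e.g. rundll32.exe plus a renamed DLL) are run at every logon.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override
)

foreach ($path in $paths) {
    $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell
    if ([string]::IsNullOrWhiteSpace($shell)) {
        Write-Output "$path : Shell not set (Windows falls back to explorer.exe)"
        continue
    }
    # Shell may list several programs separated by spaces or commas.
    $entries = $shell -split '[\s,]+' | Where-Object { $_ }
    $extra   = @($entries | Where-Object { $_ -ine 'explorer.exe' })
    if ($extra.Count -eq 0) {
        Write-Output "$path : Shell = '$shell' (OK)"
    } else {
        # A value like the MBAM finding ("explorer.exe rundll32.exe ihrv.kko jpcmqa")
        # lands here; the extra entries are what to investigate before the value is
        # reset to explorer.exe.
        Write-Warning "$path : Shell = '$shell' -> unexpected entries: $($extra -join ', ')"
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM key is readable; a warning for either path means the logon shell has been tampered with and the listed files should be submitted for analysis.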


Offline essexboy

Re: win32:Zbot-mou
« Reply #21 on: January 26, 2010, 10:37:44 PM »
Looking at that it appears to have killed it, but Avast is still alerting?

If so

Download ComboFix from one of these locations. There will be a disclaimer about running on Windows 7, but so far it has worked admirably.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

diviesh

  • Guest
Re: win32:Zbot-mou
« Reply #22 on: January 26, 2010, 10:46:25 PM »
Hi, thanks for your reply.

Just to let you know, for a bit of further info:

in c:\windows\temp, various folders keep getting created that end in .tmp, with a file named svhost.exe, which is what avast keeps picking up.

Anyway, I'm just about to run ComboFix, will post this shortly.

diviesh

  • Guest
Re: win32:Zbot-mou
« Reply #23 on: January 26, 2010, 11:21:09 PM »
Hi Essexboy,

I have run ComboFix, and the log can be found here

http://www.mediafire.com/?yjdvygmljaj

Avast on-access hasn't started up automatically.

Offline essexboy

Re: win32:Zbot-mou
« Reply #24 on: January 26, 2010, 11:23:17 PM »
Is the icon in the tray?

diviesh

  • Guest
Re: win32:Zbot-mou
« Reply #25 on: January 26, 2010, 11:32:13 PM »
It wasn't.

I had to restart the computer again to get it to start, and it is working now.

Haven't had any warning for the past 10 mins. Am going to run some Google searches now, as that is when the problem seems to appear. I'll keep you informed.

And thanks for all you have done :)

Offline essexboy

Re: win32:Zbot-mou
« Reply #26 on: January 26, 2010, 11:33:42 PM »
I believe that is one of the side effects of CF on 7: if it does not reboot, some security programmes may stall.

diviesh

  • Guest
Re: win32:Zbot-mou
« Reply #27 on: January 26, 2010, 11:52:48 PM »
I haven't had any warnings for a while, which is OK.

But I'm not sure if this has cleared it. Looking in c:\windows\temp, there are still .tmp folders being created, and some Google web searches are still redirecting to shopping sites, although not as many, probably 1 in 6 as opposed to 3 out of 4.

Any more ideas?

Offline essexboy

Re: win32:Zbot-mou
« Reply #28 on: January 27, 2010, 12:01:01 AM »
Are you using IE8 as default?

I use this within IE8 and have my popup setter with 8 on as well: http://simple-adblock.com/about/

EDIT: I have set IE to clear all temps on closing.

Gordo134

  • Guest
Re: win32:Zbot-mou
« Reply #29 on: January 28, 2010, 12:21:12 AM »
Hey all, has anyone had any luck in removing this? It's still the same on my gf's laptop :(