win32:Zbot-mou

[essexboy]

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS.exe to start the program.
  
• Check the box that says Scan All Users
  
• Under Additional Scans check the following:
• Reg - Shell Spawning
• File - Lop Check
• File - Purity Scan
• Evnt - EvtViewer (last 10)

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Please attach the log in your next post.

[diviesh]

Hi Eessexboy, Problem still exists, Avast is still alerting win32:Zbot-mou in c:\windows\temp\ xxxx.tmp\svhost.exe

yesterday it looked like it improved but its back again in full force today.

Any other thoughts??

[Magixz]

Exact same problem as the other people here.. I can make a new thread if you wish

But here is my OTS log, hope this helps. http://www.mediafire.com/?3dny2zadoml
I appreciate the help.

[essexboy]

OK lets look deeper diviesh

Download avz4.zip from

here
[list=1] 

• Unzip it to your desktop to a folder named avz4
  
• Double click on AVZ.exe to run it.
  
• Run an update by clicking the Auto Update button on the Right of the Log window:
  
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again


[list=1]   

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.

• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

[list=1]   

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.

• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to  Mediafire and post the sharing link.


Magixz I will start a new thread with your name

[diviesh]

hi essexboy, running this now will post results tomorrow

[essexboy]

OK 

[diviesh]

hi essexboy

here are the logs as requested

http://www.mediafire.com/?znmvjnezdmd

and

http://www.mediafire.com/?mtdujznyomy

thanks

diviesh

[essexboy]

A few naughty ones there although they appear inactive

AVZ FIX

• Double click on AVZ.exe
• Click File > Custom scripts
• Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
  

Code: [Select]

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
 BC_DeleteFile('C:\Windows\system32\Drivers\ute3mjc4.sys');
 DeleteFile('C:\Windows\system32\Drivers\ute3mjc4.sys');
 BC_DeleteFile('C:\Windows.old\Windows\System32\gpapi.dll');
 DeleteFile('C:\Windows.old\Windows\System32\gpapi.dll');
 BC_DeleteFile('H:\autorun.inf');
 DeleteFile('H:\autorun.inf');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

• Note: When you run the script, your PC will be restarted
• Click Run
• Restart your PC if it doesn't do it automatically.

ON COMPLETION

Re-run OTS please  and post the log

[cakedoer2]

Have you tried MBAM's full scan option? That might find more infected files. Also, you can try scheduling a boot-time scan with avast! if you're running a 32-bit OS.

[diviesh]

hi essexboy, i have run the avz fix, and re-run ots log file can be found http://www.mediafire.com/?g1ngdizdnwn

I am still having search links being redirected

cakedoer2, i have run full MBAM, and nothing further is bein detected

[essexboy]

Mediafire is running a tad slow at the moment - but I have had some more experience with this beastie now and I getting a feel for it's quirks..  Back when I have got the log

[essexboy]

Mediafire has now gone down 

Looking at the size it is small enough to attach in a post - could you do that please

The attachment is under additional options when you add a reply

[essexboy]

Got it - will need to check one file out - but first

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> Reg Error: Key error. []
[Files/Folders - Modified Within 30 Days]
NY ->  vde3mjc4.sys -> C:\Windows\System32\drivers\vde3mjc4.sys
NY ->  uze3mjc4.sys -> C:\Windows\System32\drivers\uze3mjc4.sys
NY ->  32 C:\Users\diviesh\AppData\Local\temp\*.tmp files -> C:\Users\diviesh\AppData\Local\temp\*.tmp
NY ->  1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp
NY ->  1 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Then re-run OTS with the following custom scan


/md5start
wmiadap.exe
/md5stop

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

[diviesh]

heres the log from the fix

[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\System32\drivers\vde3mjc4.sys moved successfully.
C:\Windows\System32\drivers\uze3mjc4.sys moved successfully.
C:\Users\diviesh\AppData\Local\temp\DMI734B.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\DMIC1A9.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR1238.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR12C5.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR5B87.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR5C33.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6C68.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6CB6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6CC6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR6CE6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR7EB7.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR834A.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR9DC4.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MAR9DF4.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA073.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA1AC.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA533.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA6E9.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARA7B.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARB27.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARBD2.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARBF2.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARD7C.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARDBB.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARE1C6.tmp deleted successfully.
C:\Users\diviesh\AppData\Local\temp\MARE1D7.tmp deleted successfully.
File delete failed. C:\Users\diviesh\AppData\Local\temp\~DF0B35508D1E2D24FD.TMP scheduled to be deleted on reboot.
C:\Users\diviesh\AppData\Local\temp\~DF23E17A0E3B5DC8D7.TMP deleted successfully.
File delete failed. C:\Users\diviesh\AppData\Local\temp\~DF35F78904EE20F309.TMP scheduled to be deleted on reboot.
C:\Users\diviesh\AppData\Local\temp\~DF50169A89D6EDC4F4.TMP deleted successfully.
File delete failed. C:\Users\diviesh\AppData\Local\temp\~DF6114117440A94FE6.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\diviesh\AppData\Local\temp\~DF887531FA8C4BE74F.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\diviesh\AppData\Local\temp\~DF8D4E6CEB5A335B30.TMP scheduled to be deleted on reboot.
File delete failed. C:\Users\diviesh\AppData\Local\temp\~DFB38FC80F88D6B0C8.TMP scheduled to be deleted on reboot.
C:\ProgramData\00f3c594.tmp deleted successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.19.5 fix logfile created on 01312010_202644

Files\Folders moved on Reboot...
File\Folder C:\Users\diviesh\AppData\Local\temp\~DF0B35508D1E2D24FD.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp\~DF35F78904EE20F309.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp\~DF6114117440A94FE6.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp\~DF887531FA8C4BE74F.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp\~DF8D4E6CEB5A335B30.TMP not found!
File\Folder C:\Users\diviesh\AppData\Local\temp\~DFB38FC80F88D6B0C8.TMP not found!

Registry entries deleted on Reboot...

[diviesh]

Mediafire appears to ok now

heres the link to the ots 3rd log

http://www.mediafire.com/?rnnj52m5qy2