spyware.zbot infection


Post by unisols on Tue Oct 06, 2009 7:55 am

Hi,

Please help.

I have Spyware.Zbot detected by Malwarebytes. I am posting the HJT and MBAM log files. The infection is increasing at a high rate.

Malwarebytes' Anti-Malware 1.41
Database version: 2912
Windows 5.1.2600 Service Pack 3

06-10-2009 01:01:28 PM
mbam-log-2009-10-06 (13-01-28).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|H:\|)
Objects scanned: 183934
Time elapsed: 37 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 44

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045815.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045816.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045817.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045818.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045819.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045820.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045821.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045822.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045823.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045824.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045829.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045830.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045831.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045832.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045833.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045834.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045835.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045836.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045837.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045840.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045841.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045842.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045843.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045844.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045845.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045846.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045851.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045852.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045853.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045854.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045856.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045857.DLL (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045858.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045859.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045860.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045861.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045862.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045863.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045871.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045879.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045880.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045884.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045885.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045886.dll (Spyware.Zbot) -> Quarantined and deleted successfully.


===============================================================================

Logfile of HijackThis v1.99.1
Scan saved at 12:52:01 PM, on 06-10-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\eco1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
D:\temp.dat\ze softwares\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.33.1.60:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\eco1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Append Link Target to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\system32\LckFldService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Re: spyware.zbot infection

Post by Belahzur on Tue Oct 06, 2009 6:51 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Still getting zbot from MBAM now?




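Why flushing System Restore is the right answer here: every one of the 44 hits in the MBAM log above sits under C:\System Volume Information\_restore{...}\RP63, i.e. they are restore-point copies, not files on the live system. The following triage script is an added example, not code from the thread or from Malwarebytes; it parses the "Files Infected:" section of an MBAM 1.x log and separates restore-point copies from live-system hits. The sample log excerpt is constructed, and the C:\WINDOWS\system32\constructed-example.dll entry is a hypothetical live-system hit added so both classes appear.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.41 log format (not the
# poster's full log): two restore-point copies plus one hypothetical live-system
# file, so both triage classes appear.
SAMPLE_LOG = r"""
Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045815.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{93325EB4-BA0D-4680-B6A9-1702BDC7A260}\RP63\A0045816.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\constructed-example.dll (Spyware.Zbot) -> Quarantined and deleted successfully.
"""

# "<path> (<detection>) -> <action>" is how MBAM 1.x writes each hit.
HIT_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
# XP System Restore keeps its copies under _restore{GUID}\RP<n>\ on each drive.
RESTORE_RE = re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE)

def parse_files_infected(log_text):
    """Return one dict per hit in the 'Files Infected:' section of an MBAM log."""
    hits, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section header line
            in_section = line == "Files Infected:"
            continue
        if not in_section or not line or line.startswith("("):
            continue                            # blank or "(No malicious items detected)"
        m = HIT_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits

def triage(hits):
    """Split hits into restore-point copies versus files on the live system."""
    restore = [h for h in hits if RESTORE_RE.match(h["path"])]
    live = [h for h in hits if not RESTORE_RE.match(h["path"])]
    return {
        "total": len(hits),
        "restore_point": len(restore),
        "live_system": len(live),
        "restore_points_hit": sorted({RESTORE_RE.match(h["path"]).group("rp") for h in restore}),
        "detections": dict(Counter(h["detection"] for h in hits)),
        "live_paths": [h["path"] for h in live],
    }

def next_step(summary):
    """Advice matching the thread: flush System Restore only once nothing is live."""
    if summary["live_system"]:
        return "clean live-system files first, then rescan"
    return "all hits are restore-point copies: turn System Restore off and on, then rescan"
```

Run against the poster's actual log, parse_files_infected yields 44 hits, all in RP63 and none on the live system, which is the situation in which turning System Restore off and back on (discarding the old restore points) and rescanning is sufficient.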

Re: spyware.zbot infection

Post by unisols on Wed Oct 07, 2009 4:20 am

Yes, the problem is solved. Thank you very much.

-u
