TechSpot

Help required - Win32/Zbot & Cryptic.BGF removal

By andrewib
Dec 4, 2011
  1. Hello,

    For the past two days AVG has detected the above two infections; the majority are Win32/Zbot. They are removed but more keep returning.

    I am now scanning with Malwarebytes and mid-scan it has 182 infections!

    Any suggestions/advice?

    Many Thanks
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    Before I have you run our preliminary scans, please run the following and paste the log into your next reply:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the ESET Smart Installer link to download it. Save it to your desktop.
      [o] Double click on the installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    Since you are running Malwarebytes now, please leave that log in your next reply along with the Eset log.
    =================================
    When you have finished the above, please follow the additional steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. andrewib

    andrewib TS Rookie Topic Starter

    Scan Logs

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8298

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 9.0.8112.16421

    04/12/2011 21:31:20
    mbam-log-2011-12-04 (21-31-20).txt

    Scan type: Quick scan
    Objects scanned: 174229
    Time elapsed: 13 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    C:\Program Files\Google\Google Earth\client\googleearth_free.dll Win32/Ramnit.H virus
    C:\Program Files\Google\Google Earth\plugin\googleearth_free.dll Win32/Ramnit.H virus
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-68528024 Java/TrojanDownloader.Agent.NBL trojan
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\21959da-7c396713 multiple threats
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4934abef-5783152c a variant of Java/TrojanDownloader.Agent.NAC trojan
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\75429a70-1fc09d7a Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-705cf468 Java/TrojanDownloader.Agent.NBL trojan
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\42441975-67bb1e3c Java/TrojanDownloader.Agent.NBM trojan
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\4186f476-33677155 Java/Agent.DW trojan
    C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\1f62c23a-7e9f6080 Java/TrojanDownloader.Agent.NBM trojan
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I thought for sure I replied to this last night!

    This is not good:
    C:\Program Files\Google\Google Earth\client\googleearth_free.dll Win32/Ramnit.H virus
    C:\Program Files\Google\Google Earth\plugin\googleearth_free.dll Win32/Ramnit.H virus

    Since nothing showed up in Mbam, I'll check further. Ramnit is a file infector that cannot be cleaned. I will give you more details after I see the results from the following- it is most unusual not to have found any entries in Mbam:
    ====================================
    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org free on-line scan service
    • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

      c:\windows\system32\userinit.exe

      c:\windows\explorer.exe

      c:\window\system32\svchost.exe


    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
     
  5. andrewib

    andrewib TS Rookie Topic Starter

    Hello,

    I am having trouble with this request.

    Firstly it will not let me copy the file straight into the box, I have to click on browse and then copy it.

    Secondly, when I copied the 3rd file it did not recognise the path.

    And finally, I clicked on clipboard and nothing seemed to happen?

    The first two files came back with no malware, it may also be worth noting that AVG for the first time in two days has not reported any infected files!

    Thanks
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The instructions give you the option of browsing to the file.
    Of these 3
    c:\windows\system32\userinit.exe
    c:\windows\explorer.exe
    c:\window\system32\svchost.exe


    You're telling me that svchost.exe gave a wrong path error? Did you copy this or browse to it? "Secondly when i copied the 3rd file it did not recognise the path."

    Try browsing to it. This is best because then you just click on the file- no chance of a wrong entry- even a dot in the wrong place will invalidate the entry.
    -------------------------------------------------
    For this:
    Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    * Paste the contents of the Clipboard in your next reply.

    When you copy to the clipboard, you won't see anything because the clipboard doesn't show. But if, after you click on 'copy to clipboard' then come back here and do a Ctrl + V, the contents of the clipboard will be pasted in the reply.

    It's just a copy and paste function- nothing more. Please try it again.
    ========================================
    I'd like to get on track: if you have Ramnit malware, the longer it's on the system, the more files will be infected. Let's remove the Eset entries:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Program Files\Google\Google Earth\client\googleearth_free.dll 
      C:\Program Files\Google\Google Earth\plugin\googleearth_free.dll 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-68528024 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\21959da-7c396713 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4934abef-5783152c 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\75429a70-1fc09d7a 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-705cf468 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\42441975-67bb1e3c 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\4186f476-33677155 
      C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\1f62c23a-7e9f6080 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===================================
    You will need to clear the Java cache. I suspect you have one or more outdated Java programs on the system. This always puts malware in the cache:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply > OK on Temporary Files Settings window.
    Images courtesy java.com
    =========================================
    Please go back to my Reply #2>>
    Run the Eset scan
    Run the DDS scan (2 logs)
    Run the GMER scan

    You do not need to run Mbam again at this time.
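The following is an added example, not code from the thread or from ESET or Old Timer's OTMoveIt: a small Python triage script that parses ESET findings of the form posted above (the ten lines are embedded as a constructed sample), sorts them into the two cases Bobbye distinguishes (the Ramnit file infector in Google Earth's DLLs versus downloads sitting in the Java cache), generates the same :Files/:Commands block that OTMoveIt expects, and flags a hand-typed system path whose top-level folder is not a standard Windows one, which is the kind of typo that makes a scanner reject a path. The function names, the category labels and the KNOWN_ROOT_DIRS list are my own assumptions.

```python
"""Triage ESET online-scan findings and build an OTMoveIt script (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the ten ESET result lines posted in this thread.
ESET_LOG = r"""
C:\Program Files\Google\Google Earth\client\googleearth_free.dll Win32/Ramnit.H virus
C:\Program Files\Google\Google Earth\plugin\googleearth_free.dll Win32/Ramnit.H virus
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7bb99554-68528024 Java/TrojanDownloader.Agent.NBL trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\21959da-7c396713 multiple threats
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4934abef-5783152c a variant of Java/TrojanDownloader.Agent.NAC trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\75429a70-1fc09d7a Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-705cf468 Java/TrojanDownloader.Agent.NBL trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\42441975-67bb1e3c Java/TrojanDownloader.Agent.NBM trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\54\4186f476-33677155 Java/Agent.DW trojan
C:\Users\Andrew\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\1f62c23a-7e9f6080 Java/TrojanDownloader.Agent.NBM trojan
"""

# A line is "<path> <detection>". Paths may contain spaces but never a forward
# slash, so the detection is recognised as the first token shaped like
# "Family/Name", optionally prefixed by "a variant of", or the literal
# "multiple threats".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:a variant of\s+)?[A-Za-z0-9]+/\S.*|multiple threats)$"
)

# Assumed markers/labels (not ESET's own): where Java stores downloaded
# applets, and the two cleanup categories the thread distinguishes.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"
FILE_INFECTOR, JAVA_CACHE, OTHER = "file infector", "java cache", "other"


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    category: str


def categorise(path: str, detection: str) -> str:
    """Ramnit infects legitimate program files; Java cache hits are dropped downloads."""
    if "ramnit" in detection.lower():
        return FILE_INFECTOR
    if JAVA_CACHE_MARKER in path.lower():
        return JAVA_CACHE
    return OTHER


def parse_eset_log(text: str) -> list:
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        path, detection = m.group("path"), m.group("detection")
        findings.append(Finding(path, detection, categorise(path, detection)))
    return findings


def summarise(findings: list) -> Counter:
    return Counter(f.category for f in findings)


# The :Commands section mirrors the one posted in the thread.
OTM_COMMANDS = ("[purity]", "[emptytemp]", "[start explorer]", "[Reboot]")


def build_otm_script(findings: list) -> str:
    lines = [":Files", *(f.path for f in findings), ":Commands", *OTM_COMMANDS]
    return "\n".join(lines)


# Constructed list of top-level folders a hand-typed system path should start with.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def find_suspect_paths(paths: list) -> list:
    """Return paths whose first folder is not a standard Windows root (likely typos)."""
    suspect = []
    for p in paths:
        parts = p.lower().split("\\")
        if len(parts) < 2 or parts[1] not in KNOWN_ROOT_DIRS:
            suspect.append(p)
    return suspect


if __name__ == "__main__":
    found = parse_eset_log(ESET_LOG)
    print(dict(summarise(found)))
    print(build_otm_script(found))
    # The three paths from the VirSCAN step; the third one is mistyped.
    typed = [r"c:\windows\system32\userinit.exe", r"c:\windows\explorer.exe",
             r"c:\window\system32\svchost.exe"]
    print("check these paths:", find_suspect_paths(typed))
```

Running it prints two file-infector hits and eight Java cache hits, the OTMoveIt block ready to paste, and the one mistyped path. The category split matters for cleanup: moving the Java cache entries (or clearing the cache as described above) removes the dropped downloads outright, while the Ramnit entries are infected copies of a legitimate program's DLLs, so moving them leaves that program needing reinstallation.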
     