Resolved: Troj/Zbot-LA > I think I'm still infected

Status
Not open for further replies.

Nostrada

Here are my symptoms --

1. Webroot said it was blocking attempts to connect to the Internet. The destinations included:

Flowgo.com
91.213.94.131
commonname.com
paypopup.com

2. I found sr882388 running as a process. Malwarebytes killed it.

3. Avast found and killed Trojan.Vubdo.H and adware-gen.

4. Road Runner briefly cut me off because of unwanted network traffic (it may have been spam or a DOS attack -- I don't remember).

5. Recent scans using SAS, Avast and Malwarebytes turn up nothing.

6. Each time I reconnect my computer to the Internet, someone tries to phone home. Typically it's to FLOWGO.COM.

All logs are attached. I'd appreciate some advice.

Many thanks,
Nos
 

Attachments

  • hijackthis.100103.2110.log
    7.8 KB · Views: 2
  • mbam-log-2010-01-03 (10-05-56).txt
    869 bytes · Views: 2
  • SUPERAntiSpyware Scan Log - 01-03-2010 - 15-03-33.log
    466 bytes · Views: 1
Reply has been deleted for possible malware.

There were characters in my reply that I did not put in. This is the second post of mine in which I've noticed irregularities. I am sending a copy to the site owner.
 
Next step . . .

I think I've removed everything you mentioned. New HJT log is attached.

NOTE:

On Dec 23rd, Avast's heuristic turned up C:\WINDOWS\SYSTEM32\DRIVERS\gpecv.sys, saying it was suspicious. It's still there, it's 688 Kb in size, and it always has the current date and time. I cannot read it, rename it or delete it. When I try to delete it using Windows Explorer, I get this error message:
Cannot delete gpecv: Cannot read from the source file or disk.

Many thanks for your help.
 

Attachments

  • hijackthis.100104.1449.log
    6.7 KB · Views: 1
Something went wrong with my reply. I have sent copy to Julio.

Please reopen HijackThis to 'do system scan only'. Check the following entry if present:

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
- (MyWebSearch spyware)

Close all Windows except HijackThis and click on "Fix Checked"

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Eset NOD32 Online AntiVirus Scanner HERE

Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Please attach the Combofix report and the Eset log to your next reply. One or both of these should show us what's on the system.

NOTE: I have checked this reply for content, syntax and spelling. It is displaying correctly at this time.
 
Combofix . . .

When ComboFix displayed "Preparing Log Report. Do not run any programs until ComboFix has finished." I unplugged the machine from the Internet.

A while later, I got an error message:
Windows - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

I clicked the Continue button.

Logs are attached.

Many thanks for your help.
 

Attachments

  • ComboFix.txt
    26.6 KB · Views: 2
  • esetlog.txt
    6.3 KB · Views: 2
There is definitely a problem- now to find where it is! There are no dates in the Eset log except for 2001, 2002 and 2004. These appear to have been infections in the Outlook Express store folders. I'd like you to delete the current Eset log entirely, then update and rescan with it, and furnish a new log.
--------------------------------------
According to the current Eset log, you have been storing email that was infected with Viruses, Worms and Trojans. I can have you remove these store folders- OE will create new ones, but I'd like to see another log which hopefully will show current infections more clearly.
-------------------------------------
As for this:
When ComboFix displayed "Preparing Log Report. Do not run any programs until ComboFix has finished." I unplugged the machine from the Internet.
It appears that you may have interrupted Combofix before it had finished.
-----------------------------------

Please reopen HijackThis to 'do system scan only.' Check the following entries if present. Optional removals are in green. Please consider them.

Do you need to have this fax start on boot? If so, leave. If not, check for HJT to remove.
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R>>
>>eFax Messenger from j2 Global Communications Europe.

Are you connecting remotely to your PC? If so, leave the following 2 entries. If you are not, check to have HJT remove:
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe

(ExpertCity GoToMyPc logon - web-based remote-access solution that allows individuals and companies to register their computers online and then securely access those computers from any web browser)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [hpbdfawep] "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" 1
O4 - HKLM\..\Run: [HP OfficeJet T Series] "C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet T Series\Install"
>> initializes the Office Jet manager each time the computer is booted up or rebooted
O4 - Startup: Microtek Scanner Finder.lnk = ?
O4 - Startup: NkvMon.exe.lnk = ?
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: eFax 4.3.lnk = ?
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
>> MWSearch spyware
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - >> web conferencing through Cisco WebEx

There are 2 of the following processes running. They are for a file indexing system on the OS. The process is known to be a very high resource user and we usually recommend stopping this:
C:\WINDOWS\system32\cidaemon.exe>> See Option 1
C:\WINDOWS\system32\cidaemon.exe


Option 1: From Microsoft:
* The current CPU utilization is high.
* The size of the pagefile may be as large as 1.2 GB or more.
* The Cidaemon.exe process uses lots of pagefile space and lots of CPU time.
The Cidaemon.exe process builds and updates the Index catalog. Additionally, the Cidaemon.exe process typically uses lots of pagefile space and lots of CPU time.
To resolve the issue, turn off the Indexing service. To turn off the Indexing service, follow these steps:

  1. Double-click My Computer, point to Explorer Bar on the View menu, and then click Search.
  2. Click Change preferences, and then click Without Indexing Service.
  3. Click No, do not enable Indexing Service, and then click OK.

Close all Windows except HijackThis and click on "Fix Checked."

About s882388>> Troj/Zbot-LA communicates via HTTP with the following locations: IP 91.213.94.131. As I mentioned previously, this is for the Bogonet-net in Poland

Troj/Zbot-LA includes functionality to:
- copy itself to the folder
- run automatically
- create batch scripts
- access the internet and communicate with a remote server via HTTP

For your own protection, I suggest you download Autoruns and Autorunsc: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
You can use the Command Prompt when you run the program to show the results you want.

Notes from Combofix: you have some very old files still on the machine- files going back to 1999. You are advised to review these files and delete or uninstall any that are not currently needed. There are still entries from Symantec, dated 2003.

It appears that you have given all your programs- including games, internet access to go through the firewall. This presents a vulnerability to you.

There is a lot here to digest. You may have handled some of it after my corrupted reply. I would like you to delete the current Eset log and the current Combofix log from your desktop. Then run each program again> provide new logs. Rescan with HJT and include new log.
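The "phone home" symptom in this thread is easiest to confirm from whatever outbound-connection log the blocking software keeps. As an added example (not code from the thread, from Webroot or from any tool named here), the Python script below applies the destinations quoted in this thread as a watchlist over a constructed, simplified connection log, so the process that keeps reconnecting stands out; the log format and the process file name sr882388.exe are assumptions.

```python
"""Watchlist check over a constructed outbound-connection log (added example).
Neither the log format nor the process file name is from the thread's real
logs: both are assumptions made for illustration."""
import ipaddress
import re
from collections import Counter

# Destinations quoted in the thread (first post and the helper's reply).
WATCHLIST_HOSTS = {"flowgo.com", "commonname.com", "paypopup.com"}
WATCHLIST_IPS = {ipaddress.ip_address("91.213.94.131")}

# Constructed sample lines: <date> <time> <process> -> <destination>:<port>
SAMPLE_LOG = """\
2010-01-03 21:05:12 sr882388.exe -> 91.213.94.131:80
2010-01-03 21:05:13 iexplore.exe -> www.google.com:80
2010-01-03 21:05:20 sr882388.exe -> ads.flowgo.com:80
2010-01-03 21:06:02 svchost.exe -> 65.55.12.1:443
2010-01-03 21:06:40 sr882388.exe -> paypopup.com:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def destination_matches(dst):
    """True for a watchlisted IP, host, or subdomain of a watchlisted host."""
    try:
        return ipaddress.ip_address(dst) in WATCHLIST_IPS
    except ValueError:
        pass  # not an IP literal, so treat it as a hostname
    host = dst.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in WATCHLIST_HOSTS)


def find_phone_home(log_text):
    """One record (timestamp, process, destination, port) per matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and destination_matches(m["dst"]):
            hits.append(m.groupdict())
    return hits


def processes_by_hits(hits):
    """Count hits per process; the repeat offender is the one to investigate."""
    return Counter(h["proc"] for h in hits)


if __name__ == "__main__":
    found = find_phone_home(SAMPLE_LOG)
    print(processes_by_hits(found).most_common())
```

Matching on the parent domain catches subdomains such as ads.flowgo.com while leaving look-alikes such as notflowgo.com alone.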
 
Sorry I have been away

1. I believe I've cleaned out all the unneeded programs that had showed up in HJT. A new log is attached.

2. As far as I can tell, indexing is turned off: "My Computer" thinks it's off, and I don't see the processes in the Windows Task Manager.

3. I'm happy to delete any of my old email files if you think it will help to resolve this problem.

4. I am attaching an autorunsc log and a Process Explorer log and will uninstall whatever you think may help.

5. Once we've got this part settled down, I'll do the new HJT, ESET, and COMBOFIX.

Many thanks for your help!
 

Attachments

  • Procexp.txt
    4.3 KB · Views: 0
  • hijackthis.100110.0215.log
    7 KB · Views: 0
  • autorunsc.txt
    4.3 KB · Views: 1
Thanks for your patience

Here's the ComboFix log. I see that it indicates a new file created in user "Iris." That's funny since no one uses that account. I could wipe the account if needed. Also, I thought I had gotten rid of several programs such as WebEx and Winamp toolbar. I'd happily take further steps to expunge them if you think it's indicated.

Many thanks for your help.
 

Attachments

  • ComboFix.txt
    22.7 KB · Views: 2
Hope you are feeling better now!

Previous symptoms:
1. When connected to the Internet, some program tries to phone home to sites such as FLOWGO.COM. The attempt is intercepted by my Webroot software.
2. Roadrunner threatens to cut me off for bad behavior from my computer. I don't recall if it was spamming or DOS.

Current symptoms:
None. But that may be because the infected computer has been off the Internet for about 2 weeks.

Many thanks for your help.
 
How am I doing?

Here's a fresh ComboFix log. What do I do next?

Thanks,
Nostradamus
 

Attachments

  • ComboFix.txt
    22.3 KB · Views: 1
Please rescan with the Eset online scanner while waiting. Post the new log.

EDIT: Just an FYI for you. There are some very old files on the system:
2001-11-15 02:37 233742 ----a-w- c:\program files\mie.dat
2001-10-23 02:44 5222 ----a-w- c:\program files\set.ico
2001-07-05 03:23 135 ----a-w- c:\program files\g.gif
2001-07-05 03:23 150 ----a-w- c:\program files\b.gif
2001-07-05 03:23 119 ----a-w- c:\program files\u.gif
2001-07-05 03:23 143 ----a-w- c:\program files\w.gif
2001-01-27 16:28 151 ----a-w- c:\program files\r.gif
1999-04-23 22:22 12 --sha-w- c:\windows\SYSTEM\WININETICMP32.drv


You might want to check into these- remove any you aren't using.
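An added example, not code from the thread or from ComboFix: the Python script below parses the file listing above (date, time, size, attribute flags, path) and flags entries untouched for years or carrying hidden+system attributes, the combination that makes the 12-byte .drv stand out; reading the flag letters s, h and a as system, hidden and archive, and the reference date, are assumptions.

```python
"""Triage a ComboFix-style file listing (added example, not ComboFix's code).
Line layout: date time size attribute-flags path; reading the flag letters
s, h and a as system, hidden and archive is an assumption."""
import re
from datetime import datetime

# The listing quoted in the thread, copied as posted.
LISTING = r"""
2001-11-15 02:37 233742 ----a-w- c:\program files\mie.dat
2001-10-23 02:44 5222 ----a-w- c:\program files\set.ico
2001-07-05 03:23 135 ----a-w- c:\program files\g.gif
2001-01-27 16:28 151 ----a-w- c:\program files\r.gif
1999-04-23 22:22 12 --sha-w- c:\windows\SYSTEM\WININETICMP32.drv
"""
REFERENCE_DATE = datetime(2010, 1, 15)  # constructed "today" (thread is from Jan 2010)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

def parse_listing(text):
    """Turn listing lines into dicts; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "mtime": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "size": int(m["size"]),
            "hidden": "h" in m["attrs"],
            "system": "s" in m["attrs"],
            "path": m["path"],
        })
    return records

def flag_records(records, now=REFERENCE_DATE, stale_years=5):
    """Return (path, reasons) pairs for records worth a second look."""
    flagged = []
    for r in records:
        reasons = []
        age_years = (now - r["mtime"]).days / 365.25
        if age_years >= stale_years:
            reasons.append(f"last modified {age_years:.0f} years ago")
        if r["hidden"] and r["system"]:
            reasons.append("hidden+system attributes")  # unusual for user data
        if reasons:
            flagged.append((r["path"], reasons))
    return flagged

if __name__ == "__main__":
    for path, reasons in flag_records(parse_listing(LISTING)):
        print(path, "->", "; ".join(reasons))
```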
 
Nostrada, I'm trying to work out a way to have you move the infected email the same way I'll move the other malware in the Eset log. But I'm not sure I can do it. It has to go and it can be removed. There are 3 identities, each with multiple infected store folders. I'm working on it!
 
Working on it

Bobbye --

I've deleted the Outlook Express files with the virus attachments. I'll run a new ESET and post the log.

Many thanks,
Nostrada

PS: If you want me to blow away any of the following users, just say so:

Iris
DMM
Eye of the Damned
Homework
 
Okay- did you delete the Store folders? It will be interesting to see the new Eset log! That was quite a job.
 
Outlook Express

For current Outlook Express folders, I tried to delete the infected messages.

For backup OE folders, I just deleted the folders.

The next ESET will tell us whether I was successful.

Thanks,
Nostrada
 
Following up . . .

Thanks for following up. The last ESET still found a few things in my email archives. I'll run it again tonight.
 
I think it's best to delete the entire dbx folder that has infected mail. Just be sure you remove anything in the folder you want to keep>> but a tip on this.> Set up a folder outside of OE for any mail you plan to save. Then move to a properly named matching folder. For example, if you save an email from send.dbx, set up a folder named sendmail, then move to that folder.

When you have finished, do a right click> scan with the AV on EACH separate folder with saved mail. Looking at contents in the dbx folders makes it clear that deleting a specific infected email for several years and getting it all is no easy job!
 
Yeah!

I think I've finally exterminated _that_ bunch of problems (baddies in my old mail folders). ESET log attached.

What's next?

Many thanks,
Nostrada
 

Attachments

  • log.txt
    24.2 KB · Views: 3
No, the infected folders are still there. You are really going to need to be more careful in handling your email and any attachments they may have. Your store folders show just about every Worm, virus and Trojan you can get in email! Then you saved it, then you backed up some of it!

The only way you're going to clean out the infected email is to delete ALL of the .dbx folders for ALL of the accounts involved. Some of that stuff is 9 years old- can't you get rid of it now?

As for the other entries in Eset: there is one new one, 2 that I'm going to have you remove by uninstalling Combofix, then we're going to try and clean out the infected Recycler folder. This is the folder where deleted items go. It looks like the files were infected originally, then you backed them up! Oh my goodness! And you also have infected restore points- so here we go:

1. Remove quarantined files in Qoobox from Combofix:

Uninstall ComboFix.exe And all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

2. Clean up the System Restore Points:

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

More details and screenshots for Disk Cleanup in Windows Vista can be found here.

3. Delete the Recycler Contents: Remember, these are already deleted files:
The SID for the infected identity is:
S-1-5-21-2246190073-3047704572-2931419171-1006
These are all files which show the .bak for 'backup' file extension> myself, I'd delete any files for this ID in the Recycler and not just the .bak.

You will have to show hidden files and folders, show file extensions, unhide protected operating system files as follows:
Control Panel> Folder Options> View tab> Hidden Files & Folders> Uncheck 'do not show hidden files & folders'> Check 'show hidden files and folders> Uncheck 'hide extensions for known file types'> Uncheck 'hide protected operating system files-Recommended'> Apply> OK

Using Windows Explorer (Windows key + E) click on My Computer> Local Drive (C)> Click on Recycler> double click your SID on the right screen to open> do a right click> Delete on each file> Close.

Go back and hide the files and folders

Now close Outlook Express. Go to the dbx folders and delete the default folders I listed for you, plus any others you created yourself.

Empty the Recycle Bin

Check your email before you delete the folders. ALL of the emails in each at the time will be deleted. You have way too many infected emails to try and get them all.

4. To remove the one file from Eset:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes

    :Services

    :Reg

    :Files
    Program Files\PestPatrol\Quarantine\20070407233801.zip

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

When you have finished this, I'd like you to run the Eset scan one more time and I would really like to get a clean scan back!
 
Eset

I think my latest ESET scan is at the end of the logfile. But I'll run a fresh one tonight to be sure.

Many thanks,
Nostrada
 