Hi Broni,
I am running AVG Internet Security 9.0. It said the PC had been infected with Win32/Zbot.G. I ran a scan; it came up with about 3000 hits, which I healed and removed, and now some of my programs don't work. When I next rebooted it came up with a Trojan horse Hider.MPR. I healed and removed that, then rebooted again because AVG requested it.
Still infected with Win32/Zbot.G, which is getting flashed up by AVG in multiple programs.
When I'm on the web my browser seems to be blocked from some sites and links and comes up with "page unable to connect". AVG is not telling me that it is being blocked.
I have created the first two logs that were requested in the Malware Preliminary Removal Instructions and will paste them below, but as stated in my last post I cannot download DSS.
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7441
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/12/2011 1:38:45 PM
mbam-log-2011-08-12 (13-38-45).txt
Scan type: Quick scan
Objects scanned: 188934
Time elapsed: 6 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 2
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\warren\Local Settings\Application Data\kns.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\batfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
Folders Infected:
c:\winntse.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$ (Adware.AdRotator) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\warren\local settings\Temp\5B.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.0019741789253070463.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.2576175544457461.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.3969011693919371.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\documents and settings\warren\local settings\Temp\0.8921977589799155.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\winntse.bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\WINDOWS\$xntuninstall643$\zrpt.xml (Adware.AdRotator) -> Quarantined and deleted successfully.
GMER 1.0.15.15641 -
http://www.gmer.net
Rootkit quick scan 2011-08-12 16:46:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000072 WDC_WD5000AAKS-00YGA0 rev.12.01C02
Running: gmer.exe; Driver: C:\DOCUME~1\warren\LOCALS~1\Temp\agaoykod.sys
---- System - GMER 1.0.15 ----
SSDT spxc.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spxc.sys ZwEnumerateValueKey [0xB7ECE132]
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\JRAID \Device\Scsi\JRAID1 8B6061F8
Device \FileSystem\Ntfs \Ntfs 8B6051F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\Fastfat \Fat 8A046500
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
As I'm writing this post AVG has just flashed up a Trojan Horse Cryptic.CWX with multiple hits for Win32/Zbot.G.
Many thanks, hope you can help. Warren