Zbot destroying two machines: (and < 1wk)

By oneWeek2Go
Sep 22, 2011
  1. Hello All,

    I think I have a Zbot.G infection, along with some other Trojan horse infection (according to AVG), which are successively rendering my machines useless and have prevented me from accessing the internet.
    I was following the "UPDATED 6-step Viruses/Spyware/Malware Preliminary Removal Instructions" tutorial and had just got to step 3 when my only means of passing things (Dropbox between the infected machine and a clean one of my friend's) went out of action.

    Now I've never been affected in a serious way by viruses, unlike many other people I know. Only a few weeks back I was shaking my head at a friend for not having AV installed, and bang, here two of my machines are hit and I'm looking clever. What's more, I am writing up my PhD thesis, for which the final deadline is next Friday (the 30th, one week from now)!!!
    Background: approximately 1.5 weeks ago my XP desktop machine went down with what AVG recognised as Zbot.G. A subsequent scan revealed it to be everywhere, having affected thousands of files. I've never experienced anything of the like. Quite impressive. It seemed that my system was being eaten from the inside out. Firefox was prevented from opening, and in Internet Explorer I could use the web; however, if I searched for something regarding anti-virus (Housecall scan, AVG manual update etc.) the browser would act like it was offline and load a "this page cannot be displayed" page. For the time being this machine is being left alone until I have more time to look at it....
    Anyway, so here I am now with my XP laptop having just caught a case of the Zbot. I can't link the two infections unless there has been a period of dormant waiting between the two. In any case I have no choice but to recover the laptop, and for this I beg someone for a solution. Just FYI, I cannot use any web browser (IE, Firefox, Chrome) on this machine, but luckily Dropbox is allowing me to put things under the door so that, despite its captor, I can keep this machine alive. (UPDATE: ARRRH, SPOKE TOO SOON!!! Dropbox has now gone down along with a Python library.)

    I am following the instructions in the thread titled "UPDATED 6-step Viruses/Spyware/Malware Preliminary Removal Instructions".
    Step 1 (AV Scanning): My AVG was up to date (due to check tomorrow) and a scan with this found 1633 infections, of which 940 were removed/healed and 6963 were not.
    Step 2 (Malwarebytes): from a complete install, it identified and dealt with one instance of a nasty. The log of this scan is here: the log was to be here, but now it's stuck on the infected machine.

    OK NOW I'M STUCK. I'm currently typing on a friend's netbook and I currently don't see any way to get the log results out of my infected machine to report here. Can anyone suggest a way that won't put this last computer at risk?
    In much anticipation,

    p.s. just before I lost connection with the infected machine's Dropbox I was following step 3, in which dds.scr is used. Here I downloaded the file on a Win7 machine, passed this to the XP one and needed to rename it to dds.exe for it to run. A console window followed in which a message said no longer than 3 mins. I waited significantly longer than this on three occasions before deciding it had frozen and the machine required restarting... so I was unable to get the log for this.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I think you would do much better if you used a flash drive to download the scanning programs and then connected to and ran the programs on the problem computer. Use a clean flash drive. If there is any doubt, let me know and I'll give you instructions on how to disinfect the flash drive.

    I'm not sure just what you're doing using your friend's machine. Is that the same friend you fussed at for not having an AV??
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    For Malwarebytes: Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already. Once done, try running a scan again.

    You can pass on GMER if you have to, but I need the 2 logs from DDS. If you also have trouble running DDS:
    Please download this file: xp_scr_fix

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry; say Yes.

    You should then be able to run DDS.scr. It's the .scr file extension causing the problem.
    I'd also like you to run Combofix. It won't run with AVG, so you will have to uninstall it temporarily:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avast Free Version
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Do what you can and leave the logs. I can't do much until I see what's on the system. Important: if the internet connection is restored, let me know, as I'd like you to run an online virus scan. The number of infected entries found is a matter of concern.

    NOTE: I help with one computer per thread. So decide which of the 2 systems this will be and start a new thread for the other with reference to this thread.
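    One defender-side check that fits the "DDS.scr won't run" step, added here as an example and not taken from the thread or from the xp_scr_fix file (whose contents the thread does not show): a PowerShell script that compares the .scr and .exe file associations in the registry with the stock Windows defaults. The default values it compares against are an assumption on my part; the script only reports and changes nothing.

```powershell
# Added example, not from the thread. Reports whether the .scr and .exe
# file associations still match the stock Windows defaults. The thread
# attributes the DDS.scr launch failure to the .scr extension, so a changed
# association here is the first thing worth looking at before merging a fix.
# Assumption: the expected values are the stock defaults; PowerShell 2.0 syntax
# is used so it also runs on the XP machine described in the thread.

$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.scr'                      = 'scrfile'
    'Registry::HKEY_CLASSES_ROOT\scrfile\shell\open\command' = '"%1" /S'
    'Registry::HKEY_CLASSES_ROOT\.exe'                      = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Test-FileAssociation {
    param([hashtable]$Expected)
    $findings = foreach ($key in $Expected.Keys) {
        $actual = $null
        if (Test-Path -LiteralPath $key) {
            # '(default)' is PowerShell's name for a key's unnamed default value
            $actual = (Get-ItemProperty -LiteralPath $key).'(default)'
        }
        $status = if ($actual -eq $Expected[$key]) { 'OK' } else { 'CHANGED' }
        New-Object PSObject -Property @{
            Key      = $key
            Expected = $Expected[$key]
            Actual   = $actual      # $null means the key is missing entirely
            Status   = $status
        }
    }
    return $findings
}

# Print one row per association; any row marked CHANGED (or with an empty
# Actual column) is worth pasting into the thread alongside the other logs.
Test-FileAssociation -Expected $expected | Format-Table Status, Key, Expected, Actual -AutoSize
```

HKEY_CLASSES_ROOT already reflects any per-user override under HKCU\Software\Classes, so the values read here are the ones Windows will actually use when a .scr or .exe is double-clicked.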
  3. oneWeek2Go

    oneWeek2Go TS Rookie Topic Starter

    HI Bobbye,

    I've finally got a flash drive. Could you please advise me on your method of keeping it clean in between computers?

  4. oneWeek2Go

    Hi Bobbye,

    sorry to bug you, but would it be possible for you to provide me with a method of cleaning a flash disk? I have one and am ready to go, but want to ensure I don't infect any clean PCs in doing so.....

  5. Bobbye

    Yes, you can use this:
    • Please download Panda USB Vaccine (you must provide a valid e-mail and they will send you a download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
    Please get the scans done so I can check the logs.
  6. Bobbye

    Per member will return and resume cleaning x 1week.
Topic Status:
Not open for further replies.