Deca

Backdoor.Bot[ZBot]


Hello everybody,

I recently started using SAS, and have encountered a problem.

Every scan I run, I keep bumping into Backdoor.Bot[ZBot].

This is proving to be a real pain in the ass...

I have fully updated the latest definitions, but I can't find any way to remove it.

Does anyone have any tips on how to (manually) remove this bugger?

Thanks in advance.

PS. I see you usually ask for a log, so I included it here (without the cookies)...

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 04/13/2011 at 09:41 AM

Application Version : 4.50.1002

Core Rules Database Version : 6824

Trace Rules Database Version: 4636

Scan type : Quick Scan

Total Scan Time : 00:12:28

Memory items scanned : 828

Memory threats detected : 0

Registry items scanned : 2784

Registry threats detected : 4

File items scanned : 8519

File threats detected : 41

Backdoor.Bot[ZBot]

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}

HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}


Backdoor.Bot[ZBot]

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}

HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

ZBot is a botnet infection!

Try running the Microsoft Malicious Software Removal Tool.

Please let me know the findings, and if we need to continue with alternate removal instructions...


Hi

Download OTL from here: http://oldtimer.geekstogo.com/OTL.exe to your Desktop.

Double click on the icon to run it, select All Users, then under the Custom Scans/Fixes box copy/paste the following:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Now click Quick Scan. When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt.

Post both logs in your reply.

Then

-Download aswMBR.exe from here: http://public.avast.com/~gmerek/aswMBR.exe and save it to your Desktop.

-Double click the aswMBR.exe to run it.

-Click the "Scan" button to start the scan.

-On completion of the scan click Save log, save it to your desktop and post it in your next reply.


First of all, thanks for the replies.

Now, I used the Microsoft Malicious Software Removal Tool... and it said it removed something, but actually did nothing, even after a reboot etc.

Then I tried the scans with logs... They're pretty big, but here we go:

I attached them to the post, hope that works...

OTL.Txt

Extras.Txt

aswMBR.txt


Hi,

First uninstall Spybot S&D via Add/Remove programs.

You can reinstall it back later if you want.

Then

-Download TDSSKiller from here: http://support.kaspersky.com/downloads/utils/tdsskiller.zip and save it to your Desktop.

-Extract its contents to your desktop.

-Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

-If an infected file is detected, the default action will be Cure, click on Continue.

-If a suspicious file is detected, the default action will be Skip, click on Continue.

-It may ask you to reboot the computer to complete the process. Click on Reboot Now.

-If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

-If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".

Copy and paste the contents of that file here.

Then run OTL again, and under Custom Scans/Fixes paste in the following:

:OTL
SRV - File not found [Auto | Stopped] --  -- (bhcgqjsb)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [AMService]  File not found
O4 - HKU\S-1-5-18..\Run: [AMService]  File not found
O13 - gopher Prefix: missing
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
[2011/03/24 06:11:52 | 000,000,000 | -HSD | C] -- C:\Windows\yr8rthf
[2011/03/22 13:34:23 | 000,000,000 | ---D | C] -- C:\Users\GGZNML\AppData\Roaming\OfferBox
[2011/03/22 13:34:21 | 000,000,000 | ---D | C] -- C:\Program Files\OfferBox
[2011/03/22 13:34:09 | 000,000,000 | ---D | C] -- C:\Users\GGZNML\AppData\Roaming\CD63ECE973A556C4DB929A56E53EBC64
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:CB0AACC9

:Files
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

-Then click the Run Fix button at the top.

-Let the program run unhindered, reboot the PC when it is done.

-Copy the log you get.

Then

Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your Desktop.

-Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix; see this page "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs": http://www.bleepingcomputer.com/forums/topic114351.html

-Close everything.

-Double click on ComboFix.exe and follow the prompts.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

-When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
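The fix script above targets a handful of persistence points: a service with no file behind it (bhcgqjsb), Run values and GUID-named Explorer keys under the HKU\.DEFAULT and HKU\S-1-5-18 hives, AT-style scheduled tasks, and an alternate data stream on C:\ProgramData\Temp. The PowerShell below is an added example, not from the thread or from OTL/ComboFix, that audits those same locations read-only so a responder can see what is there before deciding what to remove. It assumes an elevated PowerShell 3 or later session on the affected machine.

```powershell
# Added example, not from the thread or from OTL/ComboFix: a read-only audit of the
# persistence points this cleanup touched. Assumes an elevated PowerShell 3+ session.
# It reports only; removing anything stays a deliberate, separate step.
$findings = @()

# 1. Services whose binary no longer exists, like "bhcgqjsb", which OTL listed as
#    "File not found [Auto | Stopped]" (a registered service with no file behind it).
Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    if ($path) {
        # "C:\dir\svc.exe" -k group  ->  C:\dir\svc.exe  (unquoted paths containing
        # spaces are cut at the first space, so those may need a manual look)
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split ' ')[0] }
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings += "Orphan service: $($_.Name) [$($_.StartMode)|$($_.State)] -> $path"
        }
    }
}

# 2. Names in the netsvcs svchost group with no matching service key (OTL's "netsvcs"
#    scan line; the final ComboFix script removed bhcgqjsb from this list).
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($n in (Get-ItemProperty $svchost).netsvcs) {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$n")) {
        $findings += "netsvcs entry without a service key: $n"
    }
}

# 3. Run values and GUID-named Explorer subkeys under the SYSTEM profile hives
#    (HKU\.DEFAULT and HKU\S-1-5-18), which is where SAS kept flagging Backdoor.Bot[ZBot].
foreach ($hive in '.DEFAULT', 'S-1-5-18') {
    $base = "Registry::HKEY_USERS\$hive\Software\Microsoft\Windows\CurrentVersion"
    $run = Get-ItemProperty "$base\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings += "Run value in HKU\$hive : $($_.Name) = $($_.Value)" }
    }
    Get-ChildItem "$base\Explorer" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{[0-9a-f-]{36}\}$' } |
        ForEach-Object { $findings += "GUID key under HKU\$hive\...\Explorer: $($_.PSChildName)" }
}

# 4. Legacy AT-style scheduled tasks (At1.job and At2.job were removed in this thread).
Get-ChildItem "$env:SystemRoot\Tasks\At*.job" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "AT job: $($_.FullName) (modified $($_.LastWriteTime))" }

# 5. Alternate data streams on ProgramData\Temp (OTL deleted one named CB0AACC9 there).
Get-Item "$env:ProgramData\Temp" -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { $findings += "ADS: $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }

if ($findings) { $findings } else { 'No findings for the checks above.' }
```

A GUID-named key under Explorer or a Run value in the SYSTEM profile hives is not malicious by itself; compare each hit against what the scanner reported before acting on it.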

OK, here we go...

It won't let me attach the OTL file, so I pasted it in the reply...

All processes killed

========== OTL ==========

Service bhcgqjsb stopped successfully!

Service bhcgqjsb deleted successfully!

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\AMService deleted successfully.

Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\AMService not found.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!

Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}

C:\Windows\Downloaded Program Files\gp.inf not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.

Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.

Folder move failed. C:\Windows\yr8rthf scheduled to be moved on reboot.

C:\Users\GGZNML\AppData\Roaming\OfferBox folder moved successfully.

C:\Program Files\OfferBox folder moved successfully.

C:\Users\GGZNML\AppData\Roaming\CD63ECE973A556C4DB929A56E53EBC64 folder moved successfully.

C:\Windows\System32\tmp.tmp deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCall.dll deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla.dll deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla17.dll deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla18.exe deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla19.dll deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla2.dll deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla20.dll deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla21.dll deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla21.exe deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseData.ini deleted successfully.

C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP folder deleted successfully.

ADS C:\ProgramData\Temp:CB0AACC9 deleted successfully.

========== FILES ==========

C:\Windows\Tasks\At1.job moved successfully.

C:\Windows\Tasks\At2.job moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: GGZNML

->Temp folder emptied: 109583784 bytes

->Temporary Internet Files folder emptied: 64570330 bytes

->Java cache emptied: 9755 bytes

->Flash cache emptied: 136501 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 13094445 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 179.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: GGZNML

->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04132011_154148

Files\Folders moved on Reboot...

Folder move failed. C:\Windows\yr8rthf scheduled to be moved on reboot.

File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DF4B957001FF27419A.TMP not found!

File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DF9A67DA2D5E477CC6.TMP not found!

File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DFA4EB6D028633AB53.TMP not found!

File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DFD5827E0706742842.TMP not found!

C:\Users\GGZNML\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U34SCEOO\index[3].htm moved successfully.

Registry entries deleted on Reboot...

Again thank you for helping me...

ComboFix.txt

TDSSKiller.2.4.21.0_13.04.2011_15.31.00_log.txt


1. Open Notepad and copy and paste the text in the code box below into it:

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Save this as CFScript

CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix will start again; copy the log you get.

2. Please download MBRCheck.exe from here http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe and save it to your Desktop. Run the application.

-If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

-If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

3. Download Security Check from here: http://screen317.spywareinfoforum.org/SecurityCheck.exe and save it to your Desktop.

-Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

-A Notepad document should open automatically called checkup.txt; post the contents of that document.

4. Update SAS and run a Quick Scan, post the log.

5. Open OTL and click Quick Scan, post the log you get.


Sorry for the late reaction... I have taken all the steps you mentioned, here are the logs.

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 04/14/2011 at 10:07 AM

Application Version : 4.50.1002

Core Rules Database Version : 6833

Trace Rules Database Version: 4645

Scan type : Quick Scan

Total Scan Time : 00:09:45

Memory items scanned : 739

Memory threats detected : 0

Registry items scanned : 2751

Registry threats detected : 4

File items scanned : 8620

File threats detected : 36

Adware.Tracking Cookie

(I removed the tracking cookies, I didn't think these were necessary)

Backdoor.Bot[ZBot]

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}

HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

Sadly SAS still encountered the Backdoor... Beginning to think I'm doing something wrong...

OTL.Txt

MBRCheck_04.14.11_09.45.27.txt

ComboFix.txt

checkup.txt


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Driver::
bhcgqjsb

NetSvc::
bhcgqjsb

Save this as CFScript

Disable Antivirus

Close all browser windows and drag CFScript into ComboFix.exe

CFScriptB-4.gif

ComboFix will start again; copy the log you get.

Are you experiencing any problems with the computer?


Well, I executed the last script also... Here is the log file...

Well, when I first got the notice that I had a virus, my PC was totally f*cked, pardon my French...

I got most of the shite off, but all the time I couldn't remove the Backdoor.Bot.

During this time, my internet was a lot slower, iexplorer.exe kept freezing itself, strange websites popped up.

I must say that since we started it seems to have improved, but I'm afraid that if I leave it as it is, it will get worse and worse...

So long story short, right this moment the PC seems to be doing OK, I say OK because it still has its flaws, but then again it is running on Microsoft Windows, so yeah.. ;)

I'll run the SAS again to see if anything has changed...

ComboFix.txt


Oooohhhhhh myyyy goooooooooddd.....

It's gone!!! You did it my man....

I cannot thank you enough for all you've done, you saved me from an awful format C: haha....

I'm gonna try and back-track the steps now so I can try to find out what you did :)

You have my sincerest internet blessings hehe thank you...

So I guess this can be closed in a short while....


Finally! :D

If you have any problems and questions let me know.

We have to remove the tools we used during the cleanup.

Click START then RUN.

Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U, it needs to be there.

Combofix_uninstall_image.jpg

After that open OTL and click the CleanUp button.

This will remove most of the tools we used. If there is anything left, just delete it.

Your Java and Adobe Reader are out of date; remove them and then download new versions.

It is very important to keep your programs and system updated.

Use a firewall, that is very important.

You had a rootkit and you should change all of your passwords, especially if you do any banking or other financial transactions.


I'll get on that right away.....

And again thank you so much, you've been a great help!!!

I'll be sure to spread the word ;)
