Deca Posted April 13, 2011

Hello everybody, I recently started using SAS, and have encountered a problem. Every scan I run, I keep bumping into the Backdoor.Bot[ZBot]. This is proving to be a real pain in the ass... I have fully updated the latest definitions, but I can't find any way to remove it. Does anyone have any tips on how to (manually) remove this bugger? Thanks in advance.

PS. I see you usually ask for a log so I included it here (without the cookies)...

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 04/13/2011 at 09:41 AM

Application Version : 4.50.1002

Core Rules Database Version : 6824
Trace Rules Database Version: 4636

Scan type : Quick Scan
Total Scan Time : 00:12:28

Memory items scanned : 828
Memory threats detected : 0
Registry items scanned : 2784
Registry threats detected : 4
File items scanned : 8519
File threats detected : 41

Backdoor.Bot[ZBot]
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
Anonymous Posted April 13, 2011

Backdoor.Bot[ZBot]
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

ZBot is a botnet infection! Try running the Microsoft Malicious Software Removal Tool. Please let me know the findings, and if we need to continue with alternate removal instructions...
rise Posted April 13, 2011

Hi

Download OTL from here: http://oldtimer.geekstogo.com/OTL.exe to your Desktop.
Double click on the icon to run it, select All Users, then under the Custom Scans/Fixes box copy/paste the following:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Now click Quick Scan. When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. Post both logs in your reply.
Then:
- Download aswMBR.exe from here: http://public.avast.com/~gmerek/aswMBR.exe and save it to your Desktop
- Double click the aswMBR.exe to run it
- Click the "Scan" button to start the scan
- On completion of the scan click Save Log, save it to your desktop and post it in your next reply
Deca Posted April 13, 2011

First of all thanks for the replies.

Now, I used the Microsoft Malicious Software Removal Tool... And it said it removed something, but actually did nothing, even after reboot etc.

Then I tried the scans with logs... They're pretty big but here we go: I attached them to the post, hope that works...

OTL.Txt
Extras.Txt
aswMBR.txt
rise Posted April 13, 2011

Hi,

First uninstall Spybot S&D via Add/Remove Programs. You can reinstall it later if you want.

Then:
- Download TDSSKiller from here: http://support.kaspersky.com/downloads/utils/tdsskiller.zip and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure; click on Continue.
- If a suspicious file is detected, the default action will be Skip; click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Copy and paste the contents of that file here.

Then run OTL again and under Custom Scans/Fixes paste in the following:

:OTL
SRV - File not found [Auto | Stopped] -- -- (bhcgqjsb)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [AMService] File not found
O4 - HKU\S-1-5-18..\Run: [AMService] File not found
O13 - gopher Prefix: missing
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
[2011/03/24 06:11:52 | 000,000,000 | -HSD | C] -- C:\Windows\yr8rthf
[2011/03/22 13:34:23 | 000,000,000 | ---D | C] -- C:\Users\GGZNML\AppData\Roaming\OfferBox
[2011/03/22 13:34:21 | 000,000,000 | ---D | C] -- C:\Program Files\OfferBox
[2011/03/22 13:34:09 | 000,000,000 | ---D | C] -- C:\Users\GGZNML\AppData\Roaming\CD63ECE973A556C4DB929A56E53EBC64
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:CB0AACC9
:Files
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Copy the log you get

Then download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to your Desktop.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix; see this page, "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs": http://www.bleepingcomputer.com/forums/topic114351.html
- Close everything
- Double click on ComboFix.exe and follow the prompts. Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
- When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
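The OTL fix above removes a service registration, a BHO, two Run values in the SYSTEM profile hive, two at.exe jobs and an alternate data stream, among other things. The following is an added example, not code from the thread or from OTL/ComboFix: a read-only PowerShell check of those same persistence points, to be run after the reboot to confirm the fix took. The registry paths and file names are the ones in the fix script; the function name, variable names and output layout are this example's own. Two details worth knowing when reading the output: HKU\.DEFAULT and HKU\S-1-5-18 are the same hive (the SYSTEM account's profile), which is why every hit in this thread appears as a pair; and the stock BootExecute value is the multi-string "autocheck autochk *", which runs chkdsk at boot and is reported by OTL as "File not found" only because it is not a file path, so the script flags a missing value as well as a modified one.

```powershell
# Editor-added example; not code from the thread, from OTL or from ComboFix.
# Read-only re-check of the persistence points the OTL fix removes. Registry paths
# and file names are the ones from the fix script; function and variable names are
# this example's own. Run from an elevated PowerShell prompt (Windows 7 or later).

function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Run values. HKU\.DEFAULT and HKU\S-1-5-18 are the same hive, so one path is
    #    enough; HKLM\..\Run is the other machine-wide autostart location.
    $runKeys = @(
        'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a value
            $cmd = [string]$p.Value
            # Strip quotes and arguments to get the program path, then expand %vars%
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $onDisk = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $findings.Add([pscustomobject]@{
                Check = 'Run value'; Where = "$key\$($p.Name)"; What = $cmd; OnDisk = $onDisk
            })
        }
    }

    # 2. Legacy at.exe jobs (At1.job / At2.job in the fix). Ordinary software rarely
    #    creates these, so anything present deserves a look.
    Get-ChildItem -LiteralPath "$env:SystemRoot\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check = 'Scheduled job'; Where = $_.FullName
                What  = 'modified ' + $_.LastWriteTime.ToString('s'); OnDisk = $true
            })
        }

    # 3. Alternate data streams on C:\ProgramData\Temp (the fix deleted Temp:CB0AACC9).
    Get-Item -LiteralPath "$env:ProgramData\Temp" -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check = 'ADS'; Where = $_.FileName
                What  = "$($_.Stream) ($($_.Length) bytes)"; OnDisk = $true
            })
        }

    # 4. BootExecute. Stock value is 'autocheck autochk *'; report modified or missing.
    $sm   = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $boot = @($sm.BootExecute) -join '|'
    if ($boot -ne 'autocheck autochk *') {
        $what = if ($boot) { $boot } else { '<missing; default is autocheck autochk *>' }
        $findings.Add([pscustomobject]@{
            Check = 'BootExecute'; Where = 'Session Manager'; What = $what; OnDisk = $false
        })
    }

    # 5. Browser Helper Objects: resolve each CLSID to its InprocServer32 DLL. A BHO
    #    whose CLSID does not resolve is the 'No CLSID value found' state in the OTL log.
    $bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -LiteralPath $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
        if (-not $dll) { $dll = '<no CLSID / InprocServer32>' }
        $findings.Add([pscustomobject]@{
            Check = 'BHO'; Where = $clsid; What = $dll; OnDisk = $onDisk
        })
    }

    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

Run it once before the fix and once after the reboot and diff the two outputs. A Run value or BHO whose OnDisk column is False is exactly the "File not found" condition OTL lists, and a missing BootExecute means the boot-time chkdsk has been disabled, which is worth restoring.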
Deca Posted April 13, 2011

OK, here we go.... It won't let me attach the OTL file, so I pasted that in the reply...

All processes killed
========== OTL ==========
Service bhcgqjsb stopped successfully!
Service bhcgqjsb deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\AMService deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\AMService not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\\gopher|:gopher:// /E : value set successfully!
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session manager\\BootExecute:autocheck autochk * deleted successfully.
Folder move failed. C:\Windows\yr8rthf scheduled to be moved on reboot.
C:\Users\GGZNML\AppData\Roaming\OfferBox folder moved successfully.
C:\Program Files\OfferBox folder moved successfully.
C:\Users\GGZNML\AppData\Roaming\CD63ECE973A556C4DB929A56E53EBC64 folder moved successfully.
C:\Windows\System32\tmp.tmp deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCall.dll deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla.dll deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla17.dll deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla18.exe deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla19.dll deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla2.dll deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla20.dll deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla21.dll deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseCustomCalla21.exe deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP\WiseData.ini deleted successfully.
C:\Windows\41EBC322660F4D16A0DF53147210CBDB.TMP folder deleted successfully.
ADS C:\ProgramData\Temp:CB0AACC9 deleted successfully.
========== FILES ==========
C:\Windows\Tasks\At1.job moved successfully.
C:\Windows\Tasks\At2.job moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: GGZNML
->Temp folder emptied: 109583784 bytes
->Temporary Internet Files folder emptied: 64570330 bytes
->Java cache emptied: 9755 bytes
->Flash cache emptied: 136501 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13094445 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 179.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: GGZNML
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.22.3 log created on 04132011_154148

Files\Folders moved on Reboot...
Folder move failed. C:\Windows\yr8rthf scheduled to be moved on reboot.
File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DF4B957001FF27419A.TMP not found!
File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DF9A67DA2D5E477CC6.TMP not found!
File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DFA4EB6D028633AB53.TMP not found!
File\Folder C:\Users\GGZNML\AppData\Local\Temp\~DFD5827E0706742842.TMP not found!
C:\Users\GGZNML\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U34SCEOO\index[3].htm moved successfully.

Registry entries deleted on Reboot...

Again thank you for helping me...

ComboFix.txt
TDSSKiller.2.4.21.0_13.04.2011_15.31.00_log.txt
rise Posted April 13, 2011

1. Open Notepad and copy and paste the text in the code box below into it:

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Save this as CFScript. Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. ComboFix will start again; copy the log you get.

2. Please download MBRCheck.exe from here: http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe and save it to your Desktop. Run the application.
- If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
- If an infection is found, you will be presented with the following dialog: "Enter 'Y' and hit ENTER for more options, or 'N' to exit:". Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

3. Download Security Check from here: http://screen317.spywareinfoforum.org/SecurityCheck.exe and save it to your Desktop.
- Double click SecurityCheck.exe and follow the on-screen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; post the contents of that document.

4. Update SAS and run a Quick Scan; post the log.

5. Open OTL and click Quick Scan; post the log you get.
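The RegLock:: section of the CFScript above resets the permissions on registry keys that the infection has locked, so that ComboFix can read and remove them. What that locking looks like from the outside is a key that exists but cannot be enumerated, carries Deny ACEs, or no longer grants Administrators full control. The following is an added example, not code from the thread or from ComboFix: a read-only PowerShell check of exactly those properties for the key list in the script, useful for a before/after comparison around the fix. The key list is the one from the post; the function name, variable names and output columns are this example's own.

```powershell
# Editor-added example; not code from the thread or from ComboFix. Read-only check of
# how accessible a set of registry keys is: does the key exist, can it be enumerated,
# who owns it, are there Deny ACEs, and do Administrators still hold FullControl.
# Key list below is the one from the RegLock:: section; names are this example's own.
# Run from an elevated PowerShell prompt.

function Get-RegistryKeyAccess {
    param([Parameter(Mandatory)][string[]]$Keys)

    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    foreach ($k in $Keys) {
        $path = "Registry::$k"
        $row  = [ordered]@{
            Key = $k; Exists = $false; Readable = $false
            Owner = $null; DenyAces = 0; AdminsFull = $false
        }
        # Test-Path itself can fail on a locked key; treat that as 'exists, unreadable'.
        try { $row.Exists = [bool](Test-Path -LiteralPath $path) } catch { $row.Exists = $true }
        if ($row.Exists) {
            # Enumerating subkeys needs KEY_ENUMERATE_SUB_KEYS; a locked key throws here.
            try {
                $null = Get-ChildItem -LiteralPath $path -ErrorAction Stop
                $row.Readable = $true
            } catch { }
            # Reading the DACL needs only READ_CONTROL, so this usually works even when
            # enumeration does not, and it is where the Deny ACEs show up.
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $row.Owner    = $acl.Owner
                $row.DenyAces = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
                $row.AdminsFull = [bool]($acl.Access | Where-Object {
                    $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.RegistryRights -band $full) -eq $full
                })
            } catch { }
        }
        [pscustomobject]$row
    }
}

# Constructed input: the key list from the CFScript in the post above.
$cfScriptKeys = @(
    'HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib',
    'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security'
)

# Show everything, then only the rows that look locked.
$all = Get-RegistryKeyAccess -Keys $cfScriptKeys
$all | Format-Table -AutoSize
$all | Where-Object { $_.Exists -and (-not $_.Readable -or $_.DenyAces -gt 0 -or -not $_.AdminsFull) } |
    Format-Table Key, Readable, Owner, DenyAces, AdminsFull -AutoSize
```

A row that is locked on this machine is not proof of malice by itself: Windows ships some keys, particularly under HKLM\SYSTEM, owned by SYSTEM or TrustedInstaller with Administrators holding less than FullControl by design. The signal is a key under HKCR\CLSID or a user hive that Administrators suddenly cannot enumerate, and the useful comparison is the same list on a clean machine of the same Windows build.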
Deca Posted April 14, 2011

Sorry for the late reaction... I have taken all the steps you mentioned, here are the logs.

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 04/14/2011 at 10:07 AM

Application Version : 4.50.1002

Core Rules Database Version : 6833
Trace Rules Database Version: 4645

Scan type : Quick Scan
Total Scan Time : 00:09:45

Memory items scanned : 739
Memory threats detected : 0
Registry items scanned : 2751
Registry threats detected : 4
File items scanned : 8620
File threats detected : 36

Adware.Tracking Cookie
(I removed the tracking cookies, I didn't think these were necessary)

Backdoor.Bot[ZBot]
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}

Sadly SAS still encountered the Backdoor... Beginning to think I'm doing something wrong..

OTL.Txt
MBRCheck_04.14.11_09.45.27.txt
ComboFix.txt
checkup.txt
rise Posted April 14, 2011

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

Driver::
bhcgqjsb

NetSvc::
bhcgqjsb

Save this as CFScript. Disable your antivirus, close all browser windows and drag CFScript into ComboFix.exe. ComboFix will start again; copy the log you get.

Are you experiencing any problems with the computer?
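The Driver:: and NetSvc:: directives in the CFScript above target two places for the service bhcgqjsb from the OTL log: its registration under HKLM\SYSTEM\CurrentControlSet\Services, and its name in the "netsvcs" group list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, the list that tells svchost.exe which service DLLs to host in the shared netsvcs process. A service that rides netsvcs never appears as its own process, which is why a random-named entry is easy to miss in Task Manager and why OTL showed it only as "File not found". The following is an added example, not code from the thread, from OTL or from ComboFix: a read-only PowerShell check of both places for a given service name, plus a sweep for every netsvcs member whose registration or DLL is missing. The service name is the one from the thread; the function names and output layout are this example's own.

```powershell
# Editor-added example; not code from the thread, from OTL or from ComboFix.
# Read-only check of a service's registration and of its membership in the svchost
# 'netsvcs' group, the two things Driver:: and NetSvc:: remove. The service name
# bhcgqjsb is the one from the OTL log; function names are this example's own.
# Run from an elevated PowerShell prompt.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function Get-ServiceTrace {
    param([Parameter(Mandatory)][string]$Name)

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $row = [ordered]@{
        Name = $Name; KeyExists = [bool](Test-Path -LiteralPath $svcKey)
        ImagePath = $null; ServiceDll = $null; DllOnDisk = $null; InNetsvcs = $false
    }

    if ($row.KeyExists) {
        $row.ImagePath = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
        # A svchost-hosted service is a DLL; its path is the ServiceDll value under Parameters.
        $dll = (Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $row.ServiceDll = $dll
            $row.DllOnDisk  = [bool](Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))
        }
    }

    # The group list is a REG_MULTI_SZ value named 'netsvcs'. Membership here is what
    # makes svchost.exe -k netsvcs load the DLL in-process.
    $groups = Get-ItemProperty -LiteralPath $svchostKey -ErrorAction SilentlyContinue
    if ($groups -and $groups.netsvcs) {
        $row.InNetsvcs = [bool](@($groups.netsvcs) -contains $Name)
    }
    [pscustomobject]$row
}

# Every netsvcs member whose service key is missing or whose ServiceDll is not on disk:
# the 'File not found' state OTL reported for bhcgqjsb.
function Get-DanglingNetsvcs {
    $groups = Get-ItemProperty -LiteralPath $svchostKey -ErrorAction SilentlyContinue
    foreach ($n in @($groups.netsvcs)) {
        if (-not $n) { continue }
        $t = Get-ServiceTrace -Name $n
        if (-not $t.KeyExists -or $t.DllOnDisk -eq $false) { $t }
    }
}

Get-ServiceTrace -Name 'bhcgqjsb' | Format-List
Get-DanglingNetsvcs | Format-Table Name, KeyExists, ServiceDll, DllOnDisk -AutoSize
```

After the CFScript has run, the first command should report KeyExists False and InNetsvcs False. Read the second table with care: the stock netsvcs list on Windows 7 names services that are not installed on every edition, so an entry with no service key is not by itself a finding. The combination to look for is a name that is in the list, has a service key, and points at a ServiceDll that is either missing or sits somewhere other than System32; comparing the list against a clean machine of the same build settles the rest.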
Deca Posted April 14, 2011

Well, I executed the last script also.... Here is the log file...

Well, when I first got the notice that I have a virus, my PC was totally f*cked, pardon my French... I got most of the shite off, but all the time I couldn't remove the Backdoor.bot. During this time, my internet was a lot slower, iexplorer.exe kept freezing itself, strange websites popped up. I must say that since we started it seems to have improved, but I'm afraid that if I leave it as it is, it will get worse and worse...

So long story short, right this moment the PC seems to be doing OK; I say OK because it still has its flaws, but then again it is running on Microsoft Windows, so yeah..

I'll run the SAS again to see if anything has changed...

ComboFix.txt
Deca Posted April 14, 2011

Oooohhhhhh myyyy goooooooooddd..... It's gone!!! You did it my man.... I cannot thank you enough for all you've done, you saved me from an awful format C: haha....

I'm gonna try and back-track the steps now so I can try to find out what you did. You have my sincerest internet blessings hehe, thank you...

So I guess this can be closed in a short while....
rise Posted April 14, 2011

Finally! If you have any problems or questions let me know.

We have to remove the tools we used during the cleanup:
- Click START then RUN. Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U, it needs to be there.
- After that open OTL and click the CleanUp button. This will remove most of the tools we used. If there is anything left just delete it.

Your Java and Adobe Reader are out of date; remove them and then download new versions. It is very important to keep your programs and system updated. Use a firewall, that is very important.

You had a rootkit and you should change all of your passwords, especially if you do any banking or other financial transactions.
Deca Posted April 14, 2011

I'll get on that right away..... And again thank you so much, you've been a great help!!! I'll be sure to spread the word.