Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Win32/Zbot.E & VBS/Generic Virus??

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Win32/Zbot.E & VBS/Generic Virus??

Unread postby Jon14 » October 26th, 2010, 4:59 pm

So I start up the computer today and an AVG-Antivirus window keeps popping up telling me that a bunch of files are infected. Problem is that these are core windows files that are essential to the computer and other files that are most likely not infected as well. The window comes up very often and I have a strong feeling there is a virus disguising itself pretty good in my computer. MBAM didn't catch it and AVG was even worse. Some programs couldn't be opened as well, and everything is going extremely slower than normal. Anyways, here are the HiJackThis logs:

Code: Select all
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:50:34 PM, on 10/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ontarioweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{c95a4e8e-816d-4655-8c79-d736da1adb6d} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot0.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot0.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1207669975140
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13964 bytes




Code: Select all
UNINSTALL LIST
___________________________


32 Bit HP CIO Components Installer
7-Zip 4.65
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop 7.0
Adobe Reader 8.1.3
Adobe Shockwave Player
AnalogX Vocal Remover (WinAmp)
Applian Director
archos705
AsfTools 3.1 (remove only)
ASIO4ALL
Attansic Giga Ethernet Utility
Audacity 1.2.6
Audacity Recovery Utility
AVG Anti-Rootkit Free
AVG Free 8.5
Camtasia Studio 5
CCleaner (remove only)
Collab
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
DH Driver Cleaner Professional Edition
DivX Player
DivX Web Player
D-Link DWA-552 Xtreme N Desktop Adapter
DriverGuide DriverScan
DVD Shrink 3.2
DVD Suite
FileASSASSIN
FL Studio 8
FlashCapture v1.9.0.959
FLV to AVI MPEG WMV 3GP MP4 iPod Converter 3.9.1120
FlvRecorder
Fraps (remove only)
GetDataBack for FAT
GetDataBack for NTFS
getPlus(R)
GetRight
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Hotspot Shield 1.52
Hotspot_Shield Toolbar
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Photosmart C4400 All-In-One Driver Software 10.0 Rel .3
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
IL Download Manager
Intel(R) Graphics Media Accelerator Driver
Itiva Media Accelerator
iTunes
Java(TM) 6 Update 19
Kaspersky Online Scanner
LAME v3.98.2 for Audacity
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
MediaRescue Pro
MediaRescue Pro 4.5
Megaupload Toolbar
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MorphVOX Pro
Moyea FLV to Video Converter Pro 2 version: 2.0.7.15
Mozilla Firefox (2.0)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
My Screen Recorder 2.65
Nero 7 Essentials
NetXfer 2.70.428
NHL 2000
NHL® 2003
Nokia Connectivity Cable Driver
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
OCR Software by I.R.I.S. 10.0
OpenAL
Panda ActiveScan 2.0
PeerGuardian 2.0
PowerDVD
PowerProducer
Project64 1.6
Quick Screen Capture 3.0
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Recovery for Photoshop
Registry Mechanic 8.0
Replay AV 8
Replay Converter 2.8
Replay Media Catcher
Replay Media Catcher
Replay Media Catcher 3.0
Replay Media Catcher 3.01
Replay Media Catcher 3.02
Replay Media Catcher 4
Replay Video Capture
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Encoder (KB979332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Shop for HP Supplies
Sony Vegas Pro 8.0
SopCast 1.1.2
SpeedFan (remove only)
Spyware Doctor 6.1
SUPER © Version 2008.bld.32 (July 8, 2008)
SurfOffline (remove only)
Swiff Player 1.1
Swiff Saver 2.2
Symantec Technical Support Web Controls
System Requirements Lab
The MDickie Show (Demo)
TVUPlayer 2.4.5.3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
URL Snooper v2.22.01
VIA Register Tool
Viewpoint Media Player
Virtual DJ - Atomix Productions
Winamp
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows Resource Kit Tools
WinPcap 4.1 beta4
WinRAR archiver
WM Downloader  3.0.0.9 2008.11.20
WM Recorder
WM Recorder 12.1
Worms2
XMLFox Professional
YouSendIt Application Plug-in SDK


Thanks for any help.
Jon14
Regular Member
 
Posts: 35
Joined: April 22nd, 2010, 1:28 pm
Advertisement
Register to Remove

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » October 29th, 2010, 3:55 am

Looking over your log, back soon.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » October 29th, 2010, 3:58 am

I'd like you to check a file for Viruses.
c:\program files\microsoft\desktoplayer.exe

  • Copy/Paste the filepath in the quote box above into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Post me the details please.

Next


Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on: Image
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply please.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Jon14 » October 30th, 2010, 12:33 am

Thanks for the response. For the first step though, I uploaded the file to the site and it returned to the original page after uploading. It keeps doing this when I upload that file, so I', not sure if that's the site's fault or whatever, but if there's another site like that or another way to do this, let me know.

And in terms of the second step, the scan is currently at 66% and almost 11 hours into it! I will post the log when it's done or after we solve that first problem. The scan has currently found 44 problems though so that's good news.
Jon14
Regular Member
 
Posts: 35
Joined: April 22nd, 2010, 1:28 pm

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » October 30th, 2010, 1:06 am

Did you have the same problems scanning the file at both VirusTotal AND Jotti's ???

http://www.virustotal.com/

http://virusscan.jotti.org/en-gb

If so, just miss out that part of the instructions and post me the e-set log when it finishes the scan.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Jon14 » October 30th, 2010, 10:59 am

I had forgotton that there was a second site, but when I try that one I get this message: File is empty (0 bytes)!

What shoul I do with this file?

And here are the results for the log:

Code: Select all
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=7b64a12d3fc52f43a4568d962a9fda98
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-10-30 04:39:07
# local_time=2010-10-30 12:39:07 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 69356742 69356742 0 0
# compatibility_mode=1024 16777175 100 0 69375520 69375520 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=306703
# found=45
# cleaned=0
# scan_time=40039
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\10\653a8b4a-12d4895d	probably a variant of Win32/Agent.FPEXZHL trojan	00000000000000000000000000000000	I
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\12\2dd3f28c-7c31335e	multiple threats	00000000000000000000000000000000	I
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\2\63ff10c2-17458b4d	a variant of Java/TrojanDownloader.OpenStream.NAU trojan	00000000000000000000000000000000	I
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\35\41e8aee3-3ec086db	probably a variant of Win32/Agent.HRYTTOE trojan	00000000000000000000000000000000	I
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\48\4084a7b0-14f424cd	multiple threats	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\26_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\29_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\41_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\42_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\45_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\46_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\49_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\50_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\58_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\59_tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\bubble_general.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_error.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_notifier.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\Facebook_status.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\rssreader_simple.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_dangerous.html	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_questionable.html	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_risky.html	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_safe.html	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_unknown.html	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\ssb_waiting.html	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared\chrome\content\html\weather_error.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\bubble_general.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\deletehistory_processing.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\rssreader_advanced.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\rssreader_config.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\rssreader_simple.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\settings_askdialog.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\settings_checkboxdialog.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7footer.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\tabswelcome_ie7header.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\toolbarprotector_window.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\AVG\AVG8\Toolbar.old\Firefox\avg@igeared\chrome\content\html\updater_processing.htm	Win32/Ramnit.A virus	00000000000000000000000000000000	I
C:\Program Files\Hotspot Shield\bin\openvpnas.exe	a variant of Win32/HotSpotShield application	00000000000000000000000000000000	I
C:\Program Files\Phone Call Recorder\Plugins\networking.msplg	Win32/ModemSpy.A application	00000000000000000000000000000000	I
C:\Program Files\Phone Call Recorder\Plugins\vdialtone.msplg	Win32/ModemSpy.A application	00000000000000000000000000000000	I
C:\WINDOWS\system32\config\systemprofile\Templates\memory.tmp	a variant of Win32/Bamital.EO trojan	00000000000000000000000000000000	I
C:\WINDOWS\temp\hss_update.exe	a variant of Win32/HotSpotShield application	00000000000000000000000000000000	I
${Memory}	a variant of Win32/HotSpotShield application	00000000000000000000000000000000	I
Jon14
Regular Member
 
Posts: 35
Joined: April 22nd, 2010, 1:28 pm

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » October 30th, 2010, 12:51 pm

I'm afraid I have bad news for you.

Your computer is infected with Win32/Ramnit.A ........ http://www.microsoft.com/security/porta ... 2FRamnit.A ...... http://www.threatexpert.com/report.aspx ... 975182c819 ....... I suspected that would be the case when I asked you to scan that file at VirusTotal or Jottis.

This is a file infector virus which given time will infect every html and exe file on your computer, including system files. File infectors are notoriously difficult to remove, they are polymorphic and polyencrypted and it is practically impossible to remove them from your computer without causing more problems than we resolve.

The only realistic course of action that is open to you is to back up your non-executable personal files and folders (using a DVD-R or CD-R) then re-format your hard drive and re-install Windows. If you have connected any external drives to your computer (USB or flash drives) then they should also be re-formatted.

Because Ramnit is also a Trojan Backdoor, you should also do the following .....

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, and financial institutions. Inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

Please take some time to read the following articles.

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

If you are not confident of re-formatting your computer on your own, then most repair shops will do it for a reasonable fee, alternatively one of the "general purpose" help forums will talk you through the process. We are a Malware removal forum and our expertise is solely restricted to removing Malware.

Below are links to a number of forums that can help you with a re-format, the quality of help at them is generally of a high standard ....

http://forums.whatthetech.com/index.php?showtopic=91962
http://forums.whatthetech.com/index.php ... wforum=119

http://www.geekstogo.com/forum/forum/5- ... 0-2003-nt/

http://www.bleepingcomputer.com/forums/forum56.html

http://www.techsupportforum.com/microso ... p-support/

It is not my purpose to abandon you, however it would not be right for me to give you some false hope that this infection can be successfully cleaned from your machine. I have seen lots of proposed cleanups for file infector infections and have yet to see one that was truly effective or didn't leave the computer user with a number of problems afterwards. They were also all much more time consuming than a re-format and re-install, which will leave you with a computer totally clean and free of infection.

Sorry I couldn't be the bearer of better news.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Jon14 » October 30th, 2010, 7:01 pm

Thank you for the response, although bad news. I am currently using a laptop and I am left with a bunch of questions now though.

If I have to reformat, which files can I save? I think this is the worst problem for me, seeing as I have 1.5 TB worth of media on my computer (probably over a million files on the 2 different drives) so it would be impossible to specificly save certain files without saving the entire folder. Is there any way I can detect the exact files that are bad and delete them so I can just copy the entire drives? I know you said that html and exe files are bad, but would that mean that if I just delete all the bad files (that the scan showed) I can save the rest of the drive? And I had a 1TB external portable drive connected the whole time, what do you suggest with that? Can I search that harddrive and my other harddrive in the PC (F:) to see if there is anything wrong with them, and then just leave them as is if nothing's wrong? And there was also a 250GB mp3 player attatched at various points, so guess the same question goes for that.

Also, you mentioned passwords. This might even be a bigger problem. Is there any way of knowing that someone has gotten a hold of my email, paypal, bank account, as I may have visited all of these in that time period. I read that they can take a hold of your email account and send emails on behalf of you?!? Even worse, is that I am connected to 3 other computers on my house's network, does this mean problems for them too?

You can probably tell that this really cripples me badly, as I am someone who relies on my computer for most of the day, for personal use, work, family, etc. and have been for a couple of years now with no problems. I greatly appreciate your help, and the only thing I can really ask now is that you answer these questions. Thanks for the help though. The computer is now on, although disconnected from any internet connection to try and prevent further damage.

And one last thing, looking over the results from that scan, I see a lot of FireFox infections. I don't use Firefox and never have, just to get that out there. So maybe that's actually a positive in a way?

_________________________________

EDIT - Alright, so it's a few hours after i posted that and I have some clarifications of my earlier questions. First of all, I have done some more research and I now see more and more people saying what you said about how this one's a killer and can't really be fixed. Some people claim to have fixed it, but it may not have been the same exact problem.

So right now, pretty much I only have the two other issues. The first being the passwords/email/other computer problems. I know they say this about a lot of viruses, but since this one seems to be SO lethal I am a little more concerned. I know it has to be treated as a big issue, but my question here is if it's a likely chance that someone got ahold of passwords/info or more of a general safety issue? I know it needs to be treated as a chance, but, not to repeat myself, is there any chance of knowing about emails accounts/other accounts' being hacked into? I think that's the immediate concern I have here, as I have accepted that the computer is infected.

The second half to that question would be how to know if the other drive in my computer was infected. I know the main drive (C) is obviously infected, but I would like to make 100% sure that the F drive and my other two portable drives aren't. What do you suggest here?

When I get past those issues I can move onto the back-up process which is another big issue for me.
Jon14
Regular Member
 
Posts: 35
Joined: April 22nd, 2010, 1:28 pm

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » October 31st, 2010, 2:45 am

One of the problems with a file infector virus is it's extremely difficult to determine exactly which files are infected, since various files will be at different stages of infection and may or may not be detected by an anti-virus scan. The only safe assumption we can make is that there are a great deal more files infected than may currently be detected.

File infections add their code to legitimate files. Old file infectors used to add their code either before or after the host coding so could usually be fairly easily "disinfected". However in most modern file infectors the code is injected into the empty spaces in the host coding, it is also usually encrypted and polymorphic (changes its appearance for each infection) which makes it almost impossible to remove without damaging the functionality of the host file, it also makes detecting the infection much more difficult, which is why it's hard to determine precisely all the files that may be infected.

The only way to remove them is to replace any infected files, but since we don't have an accurate count of which files they are, and since leaving even one infected file in place will re-generate the infection, then the only safe option is a re-format.

Ramnit will spread to external drives, so you should scan those drives for signs of infection, the E-Set online scanner should allow you to do that if they are attached to your computer. If your external drive does not show signs of infection then you're faced with either re-formatting (to be absolutely sure you're safe) or taking a calculated gamble that the infection has not spread that far. That's your call I'm afraid I can't really give much more help in that regard. With the amount of data you have stored on your computer and drives I think you're probably going to have to make some pragmatic decisions.

If you have drives that were not connected whilst you've been infected, then do not connect them to your computer, since doing so may cause them to become infected. The best option in that case is to do a basic re-format your main computer (don't add back your personal stuff), then attach the "suspect" drives and scan them. If they are clean all well and good, if not then re-format both them and your main computer again.

As your computer was connected into a network you need to scan any other computers in that network.

With regard to passwords etc. Backdoor trojans are almost always accompanied by some kind of keylogging functionality (all the ones I've ever seen are anyway), and most keyloggers are specifically written to look for bank account details, credit card numbers, passwords and personal and private account numbers. If you have a backdoor on your computer you must assume that those items have been compromised. Most modern infections are not written by script-kiddies who just want to have "fun" at your expense, they are written by professional criminal programmers whose purpose is to make money out of you, so identity theft is a very real threat.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Jon14 » October 31st, 2010, 3:53 pm

Thanks a lot for the detailed response. I appreciate it a lot. Reformatting is the best way for me to go, and I think maybe it's about time. I have broken my "to do" list down into four parts now. 1) Making sure no email/money/other important sites were hacked into. For now everything on the internet side of things looks ok, now it's just a matter of bank/money accounts. 2) Finding out if the network computers, the secondary drive and external drives were infected, which I have found out that the network computers and externals weren't, but the secondary internal drive is just as bad as Drive C. 3) How I am going to backup and which files I will backup. Probably the biggest question now. 4) Reformat!

Before I get into the main issues, my computer is starting to come up with the "Windoes is not genuine, activate Windows. You have 2 days left" notice. Is this as big of a problem I think it will be? Will Windoes actually stop working in three days? I guess the virus got this to happen as well. This really came out of nowhere and if true can pose a huge threat snce I was relying on time for this whole process.

I have changed the passwords to all of my important sites (email, paypal, ebay, bank account and a bunch of other sites I have accounts on, including this one). Do you suggest I still go through with calling up the card companies and putting my cards/accounts on watch? I had my bank account and a few credit cards in Paypal, but I know that if I ever suspect anything wrong with my accounts they are always taken care of with a simple phone call, so I guess I will be paying extra care to my statements online (I don't use these cards much). Another thing is the network/internet connection key. Does that have to be changed, because i'm not sure I can do that without causing a lot more problems for everyone else on the network. And the computer is disconnected from the internet, so can these intruders still be remotely accessing it/causing more damage? I should note that I am pretty sure the virus was in the computer from the day I started this thread (Oct 26). It was connected to the internet at all times (never turned off) until yesterday night when I disconnected from the internet connection.

In terms of the computer being connected to the network, I don't think the virus has gotten to any of those as i've checked the laptop (that it was constantly wirelessly connected to) with the ESet scanner, it only found 3 minor infections that were easily removed. Next, I plugged both of my external drives (1 TB & 250 GB) into the laptop (i know it was risky, but I don't have much to work with here) and did the scan for those two with ESet, and nothing was found on either of them. I should note that those two drives ONLY contain folders, mp3 files, pictures and some videos. No .exe, .dll or .htm files. Would these drives still be able to become infected? And how long do you think I should be checking these (laptop and 2 externals) to see if they're still not infected? Because I know you said that infections may not show up at first.

And you said they only can get into .exe, .htm and .dll files? If so, then (while it would take forever) I can take the timee to back up everything else I need from my computer, besides those types (and other similar types).
___________________________________

UPDATE - So a few hours later, I have done a full system scan of the computer using AVG. Thousands of viruses are showing up, all of which are .exe, .dll & .htm files. My secondary drive also is showing up as having a couple thousand as well. I guess that solves that problem, both drives are infected. And that also means they both have to be reformatted. So that's pretty much where i'm at right now - the back-up stage. How do you think I can possibly do this? I have to backup hundreds of thousands of audio/video/picture/text files that will exceed the 1TB mark, meaning using CDs or DVDs is basically out of the question. I do have that 1TB portable harddrive that is (as I believe) currently not infected. I know you stated not to use a harddrive, but it might be my only choice here, what do you think? Especially considering I now supposedly only have 2 days left to use my computer before the Windows "expires". So that's the first question of how, now the second question of which. You said those three file types are the only types that I cannot backup, any others? That means I can backup all audio/video/picture/doc/txt documents? If so, then that makes things a lot easier, and I would be extra-careful selecting files (although it will take hours and hours to do, as long as it can be done).

So those are basically my last two questions before I get started on the main process of backing up. Thanks again.

And I found this page saying that using a harddrive to backup data files is okay, let me know what you think:

http://www.lockergnome.com/windows/2010 ... ted-files/
Jon14
Regular Member
 
Posts: 35
Joined: April 22nd, 2010, 1:28 pm

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » November 1st, 2010, 3:56 am

This infection supposedly only infects .exe .dll and html files, however I would also be careful about copying other executable file types (.com .scr etc). Music files, text files, photographs and videos should be safe to transfer.

Backing up with DVDs is by far the safest method, however you can backup to an external drive after first disabling autoruns, that way even if the infection transfers to the external drive it will not auto execute the moment you plug it in to your newly formatted computer. This will enable you to scan the drive before you access anything on it.

To do that .....

  • Download Flash_Disinfector and save it to your Desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds, and your desktop will disappear during the process (this is normal).
  • When done, a message box will appear. Click OK.
  • Your desktop should now re-appear.
  • If it doesn't.
    • Press Ctrl + Alt + Del to open Task Manager.
    • Click on File > New Task (Run...).
    • Type in explorer.exe and press OK.
    • Your desktop should now appear.

Repeat for all suspect Flash drives.

Next
  • Backup your data to the external drive.
  • Connect disk to re-formatted computer.
  • Perform online scan on external disk.
    • If clean transfer data to computer.
    • If not then you've got a long job with lots of DVDs.

With regard to the messages about Windows being illegal, I've not come across this before. To be honest I don't know whether this is a "legit" message from Windows because the infection has damaged the validation files or a bogus message from the infection itself.

You're probably best to contact Microsoft about the matter to find out whether your computer will actually lock out on you in 2 days or not, and if so ask if there is a work around while you transfer your data. You're welcome to refer them to this topic if you wish.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Jon14 » November 1st, 2010, 11:34 am

Thanks again, I have applied that Flash Disinfector to two drives, should I run the process again while they are both plugged in to make sure? Maybe when I'm done the backup? Also, was it wrong to plug the drive in before starting the program? I did that for the second drive and applied it while both were plugged in.

I know you said text files are okay, but do you think .doc and .nfo files are ok? I have been backng those up, so let me know if I shouldn't be. I found this list:

http://antivirus.about.com/od/securityt ... xtview.htm

which i'm using as a guideline for the files I shouldn't touch. I'm also trying to backup only the most important files to save the hassle.

And I think the windows message might just be legit. I am thinking that it will be "disabling" at around 7PM tomorrow for me, so I will try to backup everything before then. If it does disable at that time, will I still be able to reformat?
Jon14
Regular Member
 
Posts: 35
Joined: April 22nd, 2010, 1:28 pm

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » November 1st, 2010, 2:29 pm

.doc and .nfo files should be OK to backup.

The about.com article has a pretty good list of executable file types, I've no reason to believe Ramnit can attack any other then the ones I've already mentioned, but it won't do too much harm to err on the side of safety.

If you followed the instructions for flash infector as I gave them and got the confirmation message box for any drives you disinfected, then there's no need to repeat the process.

Re-formatting your hard drive is possible whether Windows locks out or not as long as you have your installation disks.

The instructions at the following site should help with any questions you might have ...... http://forums.whatthetech.com/index.php?showtopic=91962
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Jon14 » November 1st, 2010, 3:08 pm

Alright, so i've backed up about half of the C drive, hopefully I can get both drives backed up before the end of the day. For the flash inspector program, I ran it twice, once with the first drive plugged in and again with the second in (while the first one was already in). A box did come up both times saying "Finished!" or "OK!" or something like that.

When I am done with the backing up I will let you know of any issues/questions I may have and will look over that link you posted. Thanks again.
Jon14
Regular Member
 
Posts: 35
Joined: April 22nd, 2010, 1:28 pm

Re: Win32/Zbot.E & VBS/Generic Virus??

Unread postby Gary R » November 1st, 2010, 7:15 pm

You're welcome. :)

I'll leave this topic open for a couple of days or so, if you need to get back to me just post to it.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 17 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware