Computer is very slow and NOD32 informs attacked by Spy.Zbot

Post by rickronn » November 2nd, 2011, 1:47 am

Hello, my computer has become very slow. I tried to scan with NOD32 and was advised that it was attacked by the Spy.Zbot.ZR trojan. Below are the logs after running DDS & Malwarebytes' Anti-Malware.

Log from NOD32 Scan

2011/11/1 下午 06:03:10 Real-time file system protection file C:\WINDOWS\SYSTEM32\RunFolders.exe Win32/Packed.FlyStudio.O.Gen potentially unwanted application KYTANG\KYTANG Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.

2011/11/1 下午 05:00:39 Startup scanner file Operating memory a variant of Win32/Spy.Zbot.ZR trojan unable to clean KYTANG\KYTANG

2011/11/1 下午 04:57:06 Startup scanner file C:\Documents and Settings\KYTANG\Application Data\Idomfi\evnaabi.exe a variant of Win32/Kryptik.UPQ trojan cleaned by deleting - quarantined KYTANG\KYTANG

2011/11/1 下午 04:54:18 Real-time file system protection file C:\Documents and Settings\KYTANG\Application Data\Ovzeaw\afeto.exe Win32/Spy.Zbot.YW trojan cleaned by deleting - quarantined KYTANG\KYTANG Event occurred during an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by KYTANG at 13:19:56 on 2011-11-02
Microsoft Windows XP Professional 5.1.2600.3.950.886.1028.18.255.46 [GMT 8:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Green Software\工作列管理大師-Visual Tooltip v2.2 繁體綠化版\VisualToolTip.exe
C:\Program Files\Green Software\讓XP擁有比Vista更炫的3D視窗特效-WinFlip v0.50 繁體綠色版\WinFlip.exe
C:\Program Files\Drive Space Indicator\DrvSpace.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Green Software\記憶體優化軟體-FreeRAM XP Pro v1.40 中文免安裝版\FreeRAM XP Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://hk.yahoo.com/
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\green software\讓檔案總管變的更漂亮-styler v1.401 繁體綠色版\tb\StylerTB.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FreeRAM XP] "c:\program files\green software\記憶體優化軟體-freeram xp pro v1.40 中文免安裝版\FreeRAM XP Pro.exe" -win
uRun: [{DFEFB883-ED91-7502-F445-755269A46367}] "c:\documents and settings\kytang\application data\idomfi\evnaabi.exe"
mRun: [Visual Tooltip] c:\program files\green software\工作列管理大師-visual tooltip v2.2 繁體綠化版\VisualToolTip.exe
mRun: [WinFlip] c:\program files\green software\讓xp擁有比vista更炫的3d視窗特效-winflip v0.50 繁體綠色版\WinFlip.exe
mRun: [DriveSpace] c:\program files\drive space indicator\DrvSpace.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [msdrm] msdrm.exe
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\netlimiter\nl_lsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 0120334984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{D3B04869-4614-4514-963B-B82D4FF63BC1} : NameServer = 203.198.23.208,218.102.32.208
Notify: WBSrv - c:\program files\green software\windowblinds\WBSrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
============= SERVICES / DRIVERS ===============
.
R0 amdagp8p;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagp8p.sys [2008-8-31 27648]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2008-8-31 7680]
R0 tmagp;Transmeta TM 8000 AGP Filter Driver;c:\windows\system32\drivers\TMAGP.SYS [2008-8-31 27648]
R0 ULiAGP;ULi AGP Controller Bus Filter Driver;c:\windows\system32\drivers\ULiAGP.SYS [2008-8-31 33408]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2008-8-31 45056]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-8-31 17920]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-1 22216]
S0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2008-8-31 9809]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2011-1-21 166720]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2008-8-6 63536]
.
=============== Created Last 30 ================
.
2011-11-01 09:44:12 -------- d-----w- c:\documents and settings\kytang\application data\Malwarebytes
2011-11-01 09:43:53 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-01 09:43:47 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-01 09:43:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Omig
2011-10-28 01:55:39 -------- d-----w- c:\documents and settings\kytang\application data\Muuto
2011-10-27 09:03:03 -------- d-----w- c:\documents and settings\kytang\application data\Naly
2011-10-27 09:03:03 -------- d-----w- c:\documents and settings\kytang\application data\Enz
2011-10-27 02:23:21 -------- d-----w- c:\documents and settings\kytang\application data\Mure
2011-10-27 02:23:21 -------- d-----w- c:\documents and settings\kytang\application data\Dageku
2011-10-26 09:33:20 -------- d-----w- c:\documents and settings\kytang\application data\Okabomp
2011-10-26 09:33:20 -------- d-----w- c:\documents and settings\kytang\application data\Bie
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Idomfi
2011-10-26 01:39:31 -------- d-----w- c:\documents and settings\kytang\application data\Cie
.
==================== Find3M ====================
.
.
============= FINISH: 13:21:22.81 ===============

Re: Computer is very slow and NOD32 informs attacked by Spy.

Post by rickronn » November 2nd, 2011, 1:56 am

Sorry, I forgot to attach the Malwarebytes' Anti-Malware scan log; it is below.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8059

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2011/11/1 下午 06:13:38
mbam-log-2011-11-01 (18-13-38).txt

Scan type: Quick scan
Objects scanned: 167694
Time elapsed: 25 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSUNatService (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\msnat48df.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\KYTANG\local settings\Temp\tmp08f28897\sims.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\explorer.backup (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Re: Computer is very slow and NOD32 informs attacked by Spy.

Post by Wingman » November 2nd, 2011, 8:12 am

May I draw your attention to the Forum Posting Rules - Please Read, specifically this, which should have been read before posting for help.

We're sorry, but it is necessary to close your topic because you have replied to it prior to receiving a response from a helper.

Due to adding on to your topic with your second post it is highly unlikely that you would have received a response. Our helpers are looking for topics with zero responses. When you post replies to your own topic, it no longer has zero responses, and so it appears that you have received help when in fact, you have not.

If you still require help, please open a new thread in the Malware Removal forum and wait for assistance. Please do not run additional programs and/or post additional logs. Just your DDS logs (DDS.txt and Attach.txt) are adequate to start with. Your helper will ask for additional logs as needed. DO NOT reply to your own topic until you have received a response from a helper. Be patient. There are others who have been waiting longer than you, so do not expect an immediate reply.