Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

recurring zbot.g virus

Post by swiiper » November 3rd, 2011, 1:34 pm

Hi - thanks in advance.
AVG(8.something) finds this - lots of em. But they keep recurring. Safe Mode will not work. It also interferes with IE (totally) and partially with Firefox and Chrome. I cannot download DDS but I already had the HijackThis program on the desktop and here are the files.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:24, on 03/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\AudioDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\SSSAudioControl.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MSN & Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\Michael\Local Settings\Application Data\llhibira\toyulixq.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EDS] C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SUPBackGround] C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SSSAudioControl] C:\WINDOWS\system32\SSSAudioControl.exe
O4 - HKLM\..\Run: [Cm106Sound] RunDll32 cm106.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Hercules DJ Series] C:\Program Files\Hercules\Audio\DJ Console Series\HDJSeriesCPL.exe /boot
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [axlopsdm] C:\DOCUME~1\Michael\LOCALS~1\Temp\okgtpjuij\itpasuclajb.exe
O4 - HKCU\..\Run: [Facebook Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ToyUlixq] C:\Documents and Settings\Michael\Local Settings\Application Data\llhibira\toyulixq.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AudioDeviceService - SSS - C:\WINDOWS\system32\AudioDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hercules DJ Control MP3 (HerculesDJControlMP3) - Unknown owner - C:\Program Files\Hercules\Audio\DJ Console Series\drivers\x86\HerculesDJControlMP3.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
Really appreciate the help. Thanks
Mike
swiiper
Regular Member
 
Posts: 36
Joined: November 3rd, 2011, 12:44 pm

Re: recurring zbot.g virus

Post by askey127 » November 5th, 2011, 7:33 am

Hi swiiper,
Sorry for the delay.
If you still need help and are not receiving it elsewhere, please proceed as follows:
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\Michael\Local Settings\Application Data\llhibira\toyulixq.exe
O4 - HKCU\..\Run: [axlopsdm] C:\DOCUME~1\Michael\LOCALS~1\Temp\okgtpjuij\itpasuclajb.exe
O4 - HKCU\..\Run: [ToyUlixq] C:\Documents and Settings\Michael\Local Settings\Application Data\llhibira\toyulixq.exe

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
---------------------------------------------
Download the OTL Scanner
Please download OTL.exe by OldTimer and save it to your desktop.
(If you cannot download OTL, post back and let me know.)
---------------------------------------------
Run a Scan with OTL
  • Double click on the icon to run it. For Vista or Win7, right click the icon and choose "Run as administrator".
  • Check the boxes labeled :
    • Scan All Users
    • LOP check
    • Purity check
    • Extra Registry > Use SafeList
  • Make sure all other windows are closed to let it run uninterrupted.
  • Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. (desktop)
The Extras.txt file will only appear the very first time you run OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
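
The five entries askey127 selects above follow a few recognisable patterns in the HijackThis log. As an added example (not part of the original post and not a HijackThis feature), this Python script flags those same five lines in a subset of the posted log; the rule set and the function names are assumptions made here, and a hit is a lead for a human helper to review, not a verdict.

```python
import re

# Lines copied from the HijackThis log posted earlier in this thread (subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\Documents and Settings\Michael\Local Settings\Application Data\llhibira\toyulixq.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [axlopsdm] C:\DOCUME~1\Michael\LOCALS~1\Temp\okgtpjuij\itpasuclajb.exe
O4 - HKCU\..\Run: [ToyUlixq] C:\Documents and Settings\Michael\Local Settings\Application Data\llhibira\toyulixq.exe
""".strip().splitlines()

# The heuristics below are assumptions for illustration, not HijackThis rules.
STANDARD_USERINIT = r"c:\windows\system32\userinit.exe"
LOOPBACK = re.compile(r"(?:^|[=;/])(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
RUN_ENTRY = re.compile(r"Run[^:]*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)")


def exe_path(cmd):
    """Return the executable part of a Run command line, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].lower()
    m = re.match(r".*?\.(?:exe|com|scr|pif|bat)\b", cmd, re.I)
    return (m.group(0) if m else cmd).lower()


def userinit_extras(rest):
    """Programs chained after the standard userinit.exe in an F2 UserInit line."""
    m = re.search(r"UserInit=(.*)", rest, re.I)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != STANDARD_USERINIT]


def triage(lines):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    parsed = [(ln, *ln.partition(" - ")[::2]) for ln in lines if " - " in ln]
    # First pass: remember every program chained onto UserInit.
    chained = {p.lower() for _, code, rest in parsed if code == "F2"
               for p in userinit_extras(rest)}
    findings = []
    for line, code, rest in parsed:
        if code in ("R0", "R1") and ",ProxyServer = " in rest:
            if LOOPBACK.search(rest.split(" = ", 1)[1]):
                findings.append((line, "browser proxy points at loopback"))
        elif code == "F2" and userinit_extras(rest):
            findings.append((line, "extra program chained to UserInit"))
        elif code == "O2" and rest.endswith("(no file)"):
            findings.append((line, "BHO registered but file missing"))
        elif code == "O4":
            m = RUN_ENTRY.search(rest)
            if not m:
                continue
            path = exe_path(m.group("cmd"))
            if TEMP_DIR.search(path):
                findings.append((line, "autorun launches from a Temp directory"))
            elif path in chained:
                findings.append((line, "autorun matches the chained UserInit program"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The Google Update autorun also lives under Local Settings\Application Data but is not flagged, because the rules key on the Temp directory and on the cross-reference to the UserInit value rather than on the profile path alone.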

Re: recurring zbot.g virus

Post by swiiper » November 5th, 2011, 1:52 pm

Hi - thanks for the help.
I did the HijackThis steps.
It won't let me run OTL though.

Re: recurring zbot.g virus

Post by askey127 » November 5th, 2011, 3:27 pm

swiiper,
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are different versions with different names. If one of them won't run, then download and try to run one of the other ones.
XP Users can just double-click.
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools. Either ignore the warnings or shutdown your antivirus.
Please download Rkill from one of the following links (note the different names) and save to your Desktop:
iExplore.exe
Rkill.exe
eXplorer.exe
RKill.com
RKill.scr
Rkill.pif
uSeRiNiT.exe
  • Double-click on the iExplore, Rkill, eXplorer, or uSeRiNiT desktop icon to run the tool.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If you get a Warning Message when you try to run it, run it again while the Warning Message is still displayed.
  • If it doesn't run on the first try, please try to run it another two or three times.
  • If it still does not run, delete the desktop entry. Then download and use the one provided in the next link.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided after trying each a few times, please let me know.
If you can get one to run, then proceed with OTL.
askey127

Re: recurring zbot.g virus

Post by swiiper » November 7th, 2011, 7:20 am

Hi askey127

Tried them all a few times. Keep getting the ...is not a valid win32 file... error message. Each one appeared to download to my desktop but they show as having 0 bytes! Although on the .scr and .pif nothing happened.
I'm on XP SP3 and using Firefox. IE and Chrome will not work. I downloaded TheWorld browser just to try a different one but no luck using that either.
I tried running OTL again in case it worked but it won't run. It's there, it opens but no response to run scan I'm afraid.

Thanks for your help.
Swiiper

Re: recurring zbot.g virus

Post by askey127 » November 7th, 2011, 7:37 am

swiiper,
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    (Vista - W7 users: Right-click and select "Run As Administrator")
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the main directory of C:
    (the dd.mm.yyyy_hh.mm.ss numbers in the filename represent the time/date stamp)
  6. Copy and paste the contents of that file in your next reply.
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.
askey127

Re: recurring zbot.g virus

Post by swiiper » November 7th, 2011, 8:18 am

desktopscreen.JPG
Same as before. It appears to download (but actually 0 bytes) and after rename also same result - not a valid win32 file.

Re: recurring zbot.g virus

Post by askey127 » November 7th, 2011, 12:17 pm

swiiper,
Please follow these directions carefully.
No matter what you see or think, DO NOT DELETE ANY FILES UNLESS I ASK !!

Hit the three keys Ctrl-Shift-Esc simultaneously.
You should see the Task Manager Window.
Click on the Processes tab.
Click "Show Processes From All Users" at the bottom.
Click on the Image Name column so that, alphabetically, the a-b-c filenames are at the top.

Now, in the list of "Images Names" at the top, do you see one whose name is a bunch of numbers, with the file type of a .exe ?
If you do, please note down the exact name of the image shown and post it back here.
If you don't see such a file, please post that information back here also.

askey127

Re: recurring zbot.g virus

Post by swiiper » November 8th, 2011, 4:51 am

No such file in Processes

Re: recurring zbot.g virus

Post by askey127 » November 8th, 2011, 7:58 am

swiiper,
-----------------------------------------------
Run exeHelper
Please download exeHelper and save to your desktop.
Double-click on exeHelper.com to run the program.
A black window should pop up. Wait for the fix sequence to be completed, then press any key to close the window.
Post the contents of log.txt (Will be created in the same place as exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log (it will then have written two logs into the same file).

Then you can check whether you can run TDSSKiller and scan with OTL per the original instructions.
askey127

Re: recurring zbot.g virus

Post by swiiper » November 8th, 2011, 5:08 pm

not looking too promising!

exeHelper by Raktor
Build 20100414
Run at 20:57:16 on 11/08/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Re: recurring zbot.g virus

Post by askey127 » November 9th, 2011, 8:27 am

-----------------------------------------------------------
Start Your Computer in Safe Mode with Networking.
Reboot into Safe Mode by tapping the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode with Networking from the list.
In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
On Dell laptops it is the F12 key.
No matter what you read on the Internet or elsewhere, DO NOT FORCE A SAFE MODE BOOT BY EDITING MSCONFIG
Then try to run an OTL scan, and download and run TDSSKiller. If you can Download TDSSK in this mode, run it first.
It looks like you already have successfully downloaded OTL, so leave it on your desktop.

TDSSKiller is here: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Save to your desktop if you can.

Re: recurring zbot.g virus

Post by swiiper » November 10th, 2011, 3:03 pm

it won't allow start up in safe mode

Re: recurring zbot.g virus

Post by askey127 » November 10th, 2011, 3:32 pm

swiiper,
I believe you have a serious rootkit infection.
Is there any way you can retrieve the TDSSKiller log file from the C: drive main directory?
You said it found nothing. I would like to look at the file.
The log file is named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt and is saved to the main directory of C:
(the dd.mm.yyyy_hh.mm.ss numbers in the filename represent the time/date stamp)

You may need to download this to a flash drive from a clean machine, and run aswMBR from there.
-----------------------------------------------
Run aswMBR
Download aswMBR.exe and save to your desktop.
Double click on aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click "save log". Save it to your desktop or flash and post the contents in your next reply.
askey127

Re: recurring zbot.g virus

Post by swiiper » November 11th, 2011, 6:09 am

Will do. I'm going to be away until Sunday now, so will do it then. Please do not shut down this topic.
Thanks