Cannot remove Win32/Zbot, keeps re-installing itself

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 18th, 2014, 7:00 pm

OK, after much consternation, I managed to get Windows 7 validated again. It kept telling me that I had counterfeit software, and would not validate from the link I gave you, so I just used Windows Help to find instructions for re-entering the product key. Once I did that, it prompted me to install MSE again, so I uninstalled the existing MSE, and installed a new copy. It then downloaded new signatures, and ran a quick scan - showed as clean.
When I closed MSE, it prompted me to install Internet Explorer 11, which I DID NOT. I have an old version of IE, which is intact. Interestingly, though, IE does not show up in the list of installed programs in the Control Panel. I never use it, always use Firefox version 27.0.1.

I'm turning the machine off now until I hear from you. Thanks so much for your patience and diligence!
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by Gary R » March 18th, 2014, 7:10 pm

If you have successfully managed to re-validate Windows, then it looks like things should be pretty much back to normal now.

The files found by ESET are the quarantine files that FRST and Combofix create when they remove things. They cannot re-infect you, but we will remove them shortly anyway.

Have a "play" with your computer for a while, and if you're satisfied that it's behaving as you'd expect it to, then please do the following ....

First ...

Let's clear out Combofix and the files/folders it created
  • Click Start then type Run in the Search programs and files box.
  • Click on Run (which will be found at the top of the list of programs found)
  • Copy/Paste ComboFix /Uninstall into the Open: box.
  • Click OK
  • Combofix will now delete its files and folders and also perform the following function.
    • Clears System Restore cache and creates a new Restore point. This will remove any "malicious" System Restore files, which may have been created whilst your computer was infected.
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

Next ...

To remove the other programs we've been using to clean your computer ...

  • Please download DelFix and save it to your desktop.
  • Right-click on delfix.exe and select "Run as administrator" to run it.
  • Check all the boxes then click on Run.
  • Once it has finished, a notepad file named DelFix.txt will open. Post the contents of this notepad in your next reply.
  • The log can also be located at the root of the system drive, C:\DelFix.txt.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 18th, 2014, 7:41 pm

OK, are you satisfied that we have fixed it? Remember I did a full MSE scan last night, and it still found malware. Have we removed those, or are those just quarantined?
Going ahead with your procedure. Will report when done. Thanks!
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 18th, 2014, 7:57 pm

15. Uninstall ComboFix - Completed Successfully
16. Run Delfix - Completed Successfully

Delfix.txt:

# DelFix v10.6 - Logfile created 18/03/2014 at 18:54:28
# Updated 11/11/2013 by Xplode
# Username : Kitty Clark - KITTY4
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.03.2014_23.19.22_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.03.2014_23.21.00_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.03.2014_23.22.27_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.03.2014_23.25.10_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.03.2014_23.36.21_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_17.03.2014_03.15.11_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_17.03.2014_03.16.55_log.txt
Deleted : C:\TDSSKiller.3.0.0.25_15.03.2014_23.25.55_log.txt
Deleted : C:\TDSSKiller.3.0.0.25_15.03.2014_23.36.51_log.txt
Deleted : C:\TDSSKiller.3.0.0.25_17.03.2014_03.17.49_log.txt
Deleted : C:\Users\Kitty Clark\Downloads\Addition.txt
Deleted : C:\Users\Kitty Clark\Downloads\dds.com
Deleted : C:\Users\Kitty Clark\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\Kitty Clark\Downloads\Fixlog.txt
Deleted : C:\Users\Kitty Clark\Downloads\FRST.txt
Deleted : C:\Users\Kitty Clark\Downloads\FRST64.exe
Deleted : C:\Users\Kitty Clark\Downloads\tdsskiller.zip
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

########## - EOF - ##########
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by Gary R » March 19th, 2014, 1:29 am

I'd like to see exactly what MSE is flagging as infection, since ESET isn't seeing anything but the quarantined files.

If you run MSE, click on the "History" tab, then click the "All detected items" radio button, it should show what was detected, and hopefully give some details.

If you can, post me those details please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 19th, 2014, 3:07 am

Good Morning!
I did get a full scan with only 1 result. I have already cleaned it, but I made notes on the infection. Apparently the downloader is hiding in a Backup Set on the D drive. Does ESET scan the D drive?

Trojan Downloader Win32/Upatre.B
Container D:\Kittty4\Backup Set 2014-3-17 022940\.....Backup Files 6.zip
File: C:\Users\Kitty Clark\App Data\Local\gvuphbox.exe

I let MSE remove the files. Then I deleted the whole backup set from the D drive. The last Backup did not complete. In fact, I deleted the Backup set the first time I found this zip file, before I initially contacted you, and Backup has not run successfully since. I have a scheduled backup at 6:00PM each day, and if the computer is not on at 6:00PM, it runs after the next power-up. None of the scheduled backup jobs ran to completion. I am re-running the backup to re-create the Backup Set. We'll see if it completes this time.

I also searched for the program gvuphbox.exe in AppData\Local, and did not find it.

My plan, with your permission, is to let MSE scan only the D drive after the Backup completes, assuming it does go to completion.
Then restart the machine, and scan D drive again to see if the zip file reappears.

I'll let you know if the Backup completes successfully.
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 19th, 2014, 5:37 am

MSBackup completed successfully, now scanning D drive with MSE custom scan.

It's 4:30am here, I'm going to bed!
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by Gary R » March 19th, 2014, 7:52 am

What I was going to suggest is that you let MSE quarantine (or delete) the infected files it found, and then to run a new scan and see if anything is found the next time round.

When we removed FRST and Combofix, we removed the quarantined files they created, so they should not be present to be flagged in any new scans.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 19th, 2014, 2:06 pm

Good afternoon!
The D drive scan came up clean, I restarted the machine, and ran a full scan overnight, which also came up clean. Looks good from here!

I assume it's ok to run both machines on the network at the same time now?
I have seen no evidence of the router or my machine STEPHEN5 having been infected. Just as a precaution I will run a full scan on STEPHEN5 today.
I assume it's ok to re-install Spybot S&D on KITTY4 now? Or, perhaps you can recommend a better scanner for regular use? Spybot never showed anything at all out of the ordinary. Only MSE detected the infection.
Should I update Adobe Flash Player just to be sure I don't have a hacked version?

Thank you so much for seeing me through this ordeal. I will make a contribution to your organization.

Stephen Clark
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by Gary R » March 19th, 2014, 3:51 pm

You're welcome, I'm glad we were able to help. :)

If your scans are now coming up clear, I think it's reasonable to presume that your machine is clear of infection, and you should be safe to run both machines on your network.

As far as protecting your system is concerned, I recommend you read through the following article ... viewtopic.php?p=557960#p557960 ... which makes some suggestions for securing your machine.

Personally I find the use of MSE and Malwarebytes Anti-Malware (the paid-for version has real-time protection) gives about as much protection as you can reasonably expect, and are what I use on my machine. Yes, they can be circumvented by someone who is determined to infect your machine, but then so can any other defensive system I know.

I wish I could say otherwise, but sadly there is no such thing as 100% safe internet browsing, and really, the best way to stay secure is to have an endlessly suspicious and distrustful mind.

This site does not take donations, and is free of charge to all, but thanks for the offer, it is much appreciated. All we really ask is that you recommend us to your friends or anyone else you know who needs the type of support that we offer.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 19th, 2014, 4:11 pm

Excellent job, Gary.

And thanks for the link. I was a reseller of corporate network security tools before I retired in 2009 after 40 years in the business.
Hence I am quite educated in the nefarious ways of the internet. My wife just made an honest mistake, and she is very regretful.

I've tried MalwareBytes before, maybe I'll give it a go again. Thanks for the suggestion.

Your organization was accepting donations last time I used it in 2011, that's why I offered.
I shall be sure to recommend you and your organization to my associates.
If I wanted to commend you to your organization, how would I do that?

Cheers!

Stephen Clark
Last edited by StephenClark on March 19th, 2014, 8:10 pm, edited 1 time in total.
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by Gary R » March 19th, 2014, 7:12 pm

The new site owner prefers to offer our services free of charge, and as to commending me, well actually I'm one of the guys in charge here, so you sort of already have. :)

Thanks for your kind words, they are much appreciated.

Keep safe, any problems get back to me.

Gary
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by StephenClark » March 19th, 2014, 8:17 pm

Thanks! It's been a pleasure working with you, also! :D

Best of luck to you,

Stephen T. Clark
President/CEO (Ret.)
Information Technology Associates, Inc.
Houston, Texas USA
StephenClark
Regular Member
 
Posts: 46
Joined: September 18th, 2011, 5:17 pm

Re: Cannot remove Win32/Zbot, keeps re-installing itself

Post by Gary R » March 19th, 2014, 8:53 pm

It's been a pleasure working with you also. :)

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire