avast! alerts on mnogofiilok.ru/public_htlm/baskov.bin

I am getting avast alerts every 15 minutes or so (see below). I always run with avast and Zonealarm active - have done a full scan, a Spybot S&D scan and checked the Zonealarm log - without any particular results. My only recent change in usage is to move from IE8 to Chrome a week ago. This doesn’t relate to current internet activity as I have only my Google calendar and avast open at the moment - and there goes another alert!

ZeuS Tracker tells me it is a ZeuS bot? I can’t even see Zonealarm blocking the IP address that ZeuS Tracker quotes.

Can anyone tell me how I get rid of whatever this is?

Mike V


avast! Network Shield has blocked a harmful site.

Object: mnogofiilok.ru/public_htlm/baskov.bin
Infection: URL:Mal
Action: Blocked

either mainly …
Process: C:\WINDOWS\Explorer.EXE
or twice …
Process: C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
or once…
Process: C:\WINDOWS\system32\svchost.exe


Download, Update & Run Free Mbam. http://www.malwarebytes.org/mbam.php
Let it quarantine what it finds and post your results here.
asyn

Report 2010-11-25 16:25:16 (GMT 1)
Website mnogofiilok.ru
Domain Hash f15d1a4ec7b165682286982c14da8165
IP Address 91.217.249.168
IP Hostname -
IP Country – (–)
AS Number 51554
AS Name LYAHOV-AS Lyahovich Maksim
Detections 5 / 17 (29 %)
Status DANGEROUS

Process: C:\WINDOWS\Explorer.EXE or twice ... Process: C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe or once... Process: C:\WINDOWS\system32\svchost.exe

still using 4.8 ??

Fail! 4.8 doesn’t say “Infection: Url:mal”

@OP not sure if it helps, but you could try ZbotKiller, as this mnogofiilok.ru seems to be Zbot domain.

Thanks for that info. The single result from Malwarebytes is:

Trojan.ZbotR.Gen HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run{2EB19EBD-8785-D799-BAF8-CEC42B2BF14C}

I ran regedit (about as far as my tech knowledge goes) and found that the Data associated with this is:
“C:\Documents and Settings\Mike\Application Data\Iwakuh\xaava.exe”. I had deleted this folder yesterday as I couldn’t identify it.

Hope this helps. Presume I should just “remove selected” in Malwarebytes.

and …
Using 5.0.677 avast!
Haven’t tried Zbotkiller yet, hopefully won’t need to.
Mike V
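A defender-side triage check in the spirit of the Malwarebytes finding above, added here as an example and not code from the thread or from Malwarebytes: it flags HKCU Run values that fit the pattern shown (a bare-GUID value name launching a randomly named executable under Application Data) and notes when the target file is already gone, as it was after Mike deleted the folder. Only the first sample entry is taken from the page; the other two are constructed benign controls, and file existence is passed in so the logic runs off the box.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values. The first entry is the one Malwarebytes reported in the thread; the
# other two are made-up benign controls.
SAMPLE_RUN_VALUES = [
    ("{2EB19EBD-8785-D799-BAF8-CEC42B2BF14C}",
     r'"C:\Documents and Settings\Mike\Application Data\Iwakuh\xaava.exe"'),
    ("HTC Sync", r"C:\Program Files\HTC\HTC Sync\HTCSync.exe"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Per-user data dirs: "Application Data" on XP, "AppData" on Vista and later.
PROFILE_DATA_DIRS = ("application data", "appdata")


def parse_run_data(data):
    """Extract the executable path from a Run value (quoted or not, with args)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", data, re.I)
    return m.group(1) if m else data.split(" ")[0]


def score_run_entry(name, data):
    """Indicators an entry shares with the Zbot persistence seen in the thread:
    GUID value name, binary under the profile data dir, random-looking names."""
    exe = PureWindowsPath(parse_run_data(data))
    parts = [p.lower() for p in exe.parts]
    reasons = []
    if GUID_RE.match(name):
        reasons.append("value name is a bare GUID")
    if any(d in parts for d in PROFILE_DATA_DIRS):
        reasons.append("executable lives under the user profile data dir")
    if re.fullmatch(r"[a-z]{4,8}", exe.stem) and re.fullmatch(r"[A-Za-z]{4,8}", exe.parent.name):
        reasons.append("random-looking folder and file name")
    return reasons


def triage(run_values, file_exists):
    """Return (name, path, reasons, orphaned) for entries with 2+ indicators.
    file_exists is injected (os.path.exists on the Windows host); an orphaned
    value whose target was already deleted still needs removing."""
    hits = []
    for name, data in run_values:
        reasons = score_run_entry(name, data)
        if len(reasons) >= 2:
            path = parse_run_data(data)
            hits.append((name, path, reasons, not file_exists(path)))
    return hits
```

On the live machine the entries would come from the Run key via the winreg module; an orphaned hit explains why the alerts can continue after the folder is gone, since the code already injected into explorer.exe keeps running until a reboot.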

Hope this helps. Presume I should just "remove selected" in Malwarebytes.
yes, and could you post the whole MBAM scan log here

Here it is - hope it’s done what you wanted it to!
Just while typing this, the alert has come up again - is a restart necessary to finally clear it - or is there more to this…?
Mike

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 5188

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/11/2010 17:05:55
mbam-log-2010-11-25 (17-05-55).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 236731
Time elapsed: 1 hour(s), 15 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run{2eb19ebd-8785-d799-baf8-cec42b2bf14c} (Trojan.ZbotR.Gen) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hey Mike,

You surely need an expert to handle zbot infections, essexboy has been notified. Make sure you obey him :slight_smile:

??? two shield didn’t block it?? still penetrated ?? or maybe the shield at that time is disabled??

ummm speak English please (an understandable one, I mean)

cause I can’t make any sense of WHAT you are trying to say

Hi there Mike V lets have a quick look

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Hi essexboy,

I attach the two log files you requested. Hopefully there’s nothing left to do though (Malwarebytes seemed to clear it at the 2nd attempt).

but first - a BIG BIG big thanks for you & everyone, you’ve been so helpful (and quick) and have undoubtedly saved my arse on this one! Much appreciated and my apologies for not responding to you earlier - got completely tied up at work yesterday.

Mike

They look clean - run OTL and hit the clean up button to remove it ;D

You’re welcome…!
asyn