Help cleaning up remnants of the Zbot virus

Quick overview: I am cleaning up my parents' laptop for them, as they noticed that it was running very slowly. They only had the McAfee antivirus software free trial that came with the computer, and it expired over a year ago. I recently downloaded Malwarebytes and Avast, ran them multiple times and cleaned everything they said to remove.

I ran Windows Defender and it said that the computer was infected with the Zbot virus as well. It was removed; however, Malwarebytes and Avast are now popping up every 2 minutes with the “malicious website blocked” message. They show that wininit.exe, dllhost.exe and svchost.exe are the processes being used.

I need the help of experts to get this cleaned up. I have attached my scan logs.

Thanks,
Steve

Thank you for posting your logs. Please do not make any changes to the machine now that the logs have been posted. One of the malware removal specialists will be along to assist you. They come on the forum at different times, so please be patient. Thank you.

I see you have run ComboFix; could you attach that log?

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

- Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents in your next reply.

Thank you for taking the time to help me with this, essexboy. Attached is the ComboFix log. I tried to paste the TDSSKiller report, but it exceeded the 20000 character limit for a post. I have attached the report log instead.

Unfortunately the log was saved as Unicode.

Did TDSSKiller find anything?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

TDL4: custom:26000022 <===== ATTENTION!
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

TDSSKiller showed 0 threats. I have attached the fixlist output from FRST.

Are the alerts still occurring?

Unfortunately yes they are still popping up.

Could you screenshot one of the alerts and post that, please?

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double-click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Screenshot and AdwCleaner text file attached. Pop-ups are still occurring.

Is it just MBAM producing the alerts now?

http://urlquery.net/report.php?id=1395987316777

http://zulu.zscaler.com/submission/show/d87ca3eaa4972821193fbe986e98df64-1408641978

http://whatmyip.co/info/whois/88.214.193.54

Yes, I haven’t had an alert from Avast in 30 minutes. Malwarebytes is still popping up every minute or so. Depending on what I am doing, the pop-up shows one of 3 processes being used: either svchost.exe, dllhost.exe or wininit.exe, and the port number changes every time.

Spoke too soon, this just popped up (see attachment). This is the most common pop-up message that Avast is giving me.

Could I have a fresh FRST scan, please?

Here you go.

If this does not stop it, I will have to dig deeper.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

2014-08-18 13:14 - 2010-01-13 11:34 - 00000000 ____D () C:\f207b31
2014-08-18 11:48 - 2014-04-26 16:01 - 00000075 _____ () C:\Windows\system32\dqxy.gxu
Task: {6E8D3005-10CE-4E8A-B4A9-CA98531F6940} - \Security Center Update - 2502490818 No Task File <==== ATTENTION
Task: {E05916A1-4A1D-4629-BEC5-116F90B73CA7} - System32\Tasks\Games\UpdateCheck_S-1-5-21-3141692611-1213430321-1281971925-1000
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\73782371.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\90002223.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\73782371.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\90002223.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MpfService => ""="Service"
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Here is the updated log. I am still getting the Avast and Malwarebytes pop-ups. They are indicating that the wininit.exe process is involved.

Thanks

Not sure if this will help you in narrowing down the issue or not, but I have noticed that whenever the *32 version of the process is running in Task Manager, that is when I am getting the pop-up messages from Avast and Malwarebytes.

For example, wininit.exe and wininit.exe *32 were both running and I was getting the messages saying that the wininit.exe process was being blocked. I ended the wininit.exe *32 process and then the svchost.exe *32 process started running. The very next pop-up message showed that both Avast and Malwarebytes were blocking the svchost.exe process.

The same thing happens with the *32 version of dllhost.exe.

Yes, very helpful; give me half an hour.

Run FRST and in the search box type the following:

dllhost32.exe;svchost32.exe;wininit32.exe

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

Press Search Files.
On completion a search text will be generated; please post that.

Then run a second search, typing the following in the search box:

dllhost32.exe;svchost32.exe;wininit32.exe

Then press Search Registry.

Post the new search text.
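The observation earlier in the thread, that the alerts coincide with a "*32" copy of wininit.exe, svchost.exe or dllhost.exe appearing in Task Manager, can be checked directly on the machine. The script below is an added triage example written for this thread, not something posted by either participant or shipped with FRST; it assumes a 64-bit Windows install and an elevated PowerShell session, and it only reports, it does not terminate or delete anything.

```powershell
# Added example (not from the thread): list every running wininit/svchost/dllhost
# and flag copies that are 32-bit (WOW64), live outside the Windows system
# directories, or carry no valid Authenticode signature.
$ErrorActionPreference = 'Stop'   # so property-access failures reach the catch blocks

$watch   = 'wininit', 'svchost', 'dllhost'                 # names seen in the alerts
$trusted = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# kernel32!IsWow64Process tells us whether a process is 32-bit on a 64-bit OS.
Add-Type -Namespace Triage -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64);
'@

function Get-SuspectSystemProcess {
    foreach ($p in Get-Process -Name $watch -ErrorAction SilentlyContinue) {
        $path = $null; $dir = $null; $isWow64 = $false
        try { $path = $p.Path } catch { }   # SYSTEM-owned processes may deny access
        try { [void][Triage.Native]::IsWow64Process($p.Handle, [ref]$isWow64) } catch { }

        $inTrustedDir = $false
        $sig = 'Unknown'
        if ($path) {
            $dir = Split-Path -Path $path -Parent
            $inTrustedDir = $trusted -contains $dir   # string -contains is case-insensitive
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        # Real wininit.exe is never WOW64 on 64-bit Windows; svchost/dllhost may be
        # 32-bit only when loaded from SysWOW64. Anything else is worth a closer look.
        $suspect = (-not $inTrustedDir) -or ($sig -ne 'Valid') -or
                   ($isWow64 -and ($p.ProcessName -eq 'wininit' -or $dir -notlike '*\SysWOW64'))

        [pscustomobject]@{
            PID     = $p.Id
            Name    = $p.ProcessName
            Wow64   = $isWow64
            Path    = $path
            Signed  = $sig
            Suspect = $suspect
        }
    }
}

Get-SuspectSystemProcess | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Rows marked Suspect = True give the on-disk path to hand to the helper or to feed into the FRST search described above; a missing Path usually just means the process is a protected system instance that denied the handle.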