How to remove Zeus/ZBot

Hi,

I’m having difficulty removing what I think is the Zeus/ZBot virus. I have carried out a quick scan which identifies MBR:\PHYSICALDRIVE1 Threat: Rootkit hidden boot sector.

So I rebooted as advised to carry out boot time scan which took hours. At the end, a number of things were identified and they seem to have been dealt with. I then tried logging into PayPal to check if the virus had gone and it was still there. I did another quick scan and it revealed the same result.

I’m at a loss as to what to do next.

cheers,

Stephen

Download and run aswMBR.exe http://public.avast.com/~gmerek/aswMBR.htm

  • Double click the aswMBR.exe to run it
  • Click the “Scan” button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Thanks for the reply.

Here’s the log

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-23 16:56:46

16:56:46.906 OS Version: Windows 5.1.2600 Service Pack 3
16:56:46.906 Number of processors: 2 586 0x401
16:56:46.906 ComputerName: SR-PC UserName:
16:56:47.656 Initialize success
16:56:49.984 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
16:56:49.984 Disk 0 Vendor: ST380013A 8.01 Size: 76319MB BusType: 3
16:56:49.984 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP1T0L0-17
16:56:49.984 Disk 1 Vendor: WDC_WD800JD-75JNA0 05.01C05 Size: 76293MB BusType: 3
16:56:52.015 Disk 1 MBR read successfully
16:56:52.015 Disk 1 MBR scan
16:56:52.015 Disk 1 MBR hidden
16:56:54.015 Disk 1 scanning sectors +156232125
16:56:54.031 Disk 1 PE file @ sector 156232150 !
16:56:54.046 Disk 1 MBR [Win32:MBRoot] ROOTKIT
16:56:54.046 Disk 1 trace - called modules:
16:56:54.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86561aed]<<
16:56:54.046 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0x87146ab8]
16:56:54.046 3 CLASSPNP.SYS[f75fefd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-17[0x8717ed98]
16:56:54.046 Scan finished successfully

cheers,

Stephen
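The aswMBR log above is short, but the lines that matter are easy to miss between the inventory lines. As an added example (not part of this thread and not Avast’s code), here is a small Python parser that pulls out the indicators a responder looks for in such a log: whether a disk’s MBR is reported hidden, any PE file found in the sectors after the partition table, the named MBR rootkit detection, and any UNKNOWN entry in the driver call trace. The first sample log is copied from the post above (with the arrow as plain `->`); the second, clean log is constructed to show what a log with nothing found looks like. The function names are my own.

```python
import re

# Copied from the aswMBR log posted above (constructed sample input, not live data).
SAMPLE_LOG = r"""
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-23 16:56:46

16:56:46.906 OS Version: Windows 5.1.2600 Service Pack 3
16:56:49.984 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
16:56:49.984 Disk 0 Vendor: ST380013A 8.01 Size: 76319MB BusType: 3
16:56:49.984 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
16:56:49.984 Disk 1 Vendor: WDC_WD800JD-75JNA0 05.01C05 Size: 76293MB BusType: 3
16:56:52.015 Disk 1 MBR read successfully
16:56:52.015 Disk 1 MBR scan
16:56:52.015 Disk 1 MBR hidden
16:56:54.015 Disk 1 scanning sectors +156232125
16:56:54.031 Disk 1 PE file @ sector 156232150 !
16:56:54.046 Disk 1 MBR [Win32:MBRoot] ROOTKIT
16:56:54.046 Disk 1 trace - called modules:
16:56:54.046 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86561aed]<<
16:56:54.046 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x87146ab8]
16:56:54.046 Scan finished successfully
"""

# Constructed clean log: same layout, no indicators.
CLEAN_LOG = r"""
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
10:00:01.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
10:00:02.000 Disk 0 MBR read successfully
10:00:02.000 Disk 0 MBR scan
10:00:03.000 Scan finished successfully
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<msg>.*)$")
DISK_RE = re.compile(r"^Disk (?P<disk>\d+)\s+(?P<rest>.*)$")
PE_RE = re.compile(r"PE file @ sector (?P<sector>\d+)")
ROOTKIT_RE = re.compile(r"MBR \[(?P<name>[^\]]+)\] ROOTKIT")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")


def parse_aswmbr_log(text):
    """Collect per-disk indicators and any UNKNOWN modules from the call trace."""
    disks = {}
    unknown = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header / blank lines carry no timestamp
        msg = m.group("msg")
        u = UNKNOWN_RE.search(msg)
        if u:  # a hooked or unidentified module in the disk I/O path
            unknown.append(u.group("addr"))
            continue
        d = DISK_RE.match(msg)
        if not d:
            continue
        n = int(d.group("disk"))
        info = disks.setdefault(n, {"boot": False, "mbr_hidden": False,
                                    "pe_sectors": [], "rootkit": None})
        rest = d.group("rest")
        if rest.startswith("(boot)"):
            info["boot"] = True
        if rest == "MBR hidden":
            info["mbr_hidden"] = True
        pe = PE_RE.search(rest)
        if pe:  # executable code stashed in unpartitioned sectors
            info["pe_sectors"].append(int(pe.group("sector")))
        rk = ROOTKIT_RE.search(rest)
        if rk:
            info["rootkit"] = rk.group("name")
    return {"disks": disks, "unknown_modules": unknown}


def triage(parsed):
    """Turn the parsed indicators into a list of plain findings for a reply."""
    findings = []
    for n, info in sorted(parsed["disks"].items()):
        where = "Disk %d%s" % (n, " (boot)" if info["boot"] else "")
        if info["mbr_hidden"]:
            findings.append("%s: MBR reported hidden" % where)
        for sector in info["pe_sectors"]:
            findings.append("%s: PE file at sector %d" % (where, sector))
        if info["rootkit"]:
            findings.append("%s: MBR rootkit detection %s" % (where, info["rootkit"]))
    for addr in parsed["unknown_modules"]:
        findings.append("Unknown module in disk driver trace at %s" % addr)
    return findings


def is_clean(parsed):
    """True when no disk shows any indicator and the trace has no UNKNOWN entry."""
    return not triage(parsed)


if __name__ == "__main__":
    for line in triage(parse_aswmbr_log(SAMPLE_LOG)):
        print(line)
    print("clean log:", is_clean(parse_aswmbr_log(CLEAN_LOG)))
```

Run on the posted log this reports the hidden MBR on the boot disk, the PE file at sector 156232150, the Win32:MBRoot detection and the UNKNOWN module at 0x86561aed; on the clean log it reports nothing, which is the state the later posts in this thread are working towards.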

Hi…
first we need to see what it is all about…

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop. Attach DDS.txt back to topic.

16:56:52.015 Disk 1 MBR read successfully
16:56:52.015 Disk 1 MBR scan
16:56:52.015 Disk 1 MBR hidden
16:56:54.015 Disk 1 scanning sectors +156232125
16:56:54.031 Disk 1 PE file @ sector 156232150 !
16:56:54.046 Disk 1 MBR [Win32:MBRoot] **ROOTKIT**
could be sinowal

Hi,

In one of the scans, I did see sinowal; sinowal@mbr [rtk]. When looking for solutions elsewhere, the box asking for bank details led me to believe it was Zeus hence the thread title. Sorry if that was misleading.

Attached should be DDS.txt

Detection for Zeus and “malicious friends” stays problematic,
re: http://www.prevx.com/blog/137/Detecting-and-Removing-the-ZEUS-Banking-Trojan.html
From that article:

As a recent hyped article claimed, ZEUS frequently bypasses popular antivirus and internet security suites. The criminals are careful to infect just a few PCs with each copy of the Trojan, thereby avoiding detection by honeypots/nets and subsequent researcher attention in security labs. By the time each copy of a ZEUS Trojan is identified by security researchers its job is done and a fresh new version will be dispatched to take over its role.

But this does not go for the malware removal routines that essexboy has up his sleeves: whether it is a Sinowal or Zeus infection,
cleansing is performed,

polonus

Looking at the DDS log it looks as if you have Avira and avast installed ??? Is that correct?

see reply from quietman7
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638

Hi,

Yes I did have Avira and Avast. I was using Avira and it couldn’t detect the problem. My research indicated Avast may be a better option. It detected the problem. After reading the article, I have since removed Avira.

cheers,

Stephen

Follow these instructions :wink:

You have avast & Avira antivirus installed.
Uninstall Avira from Control Panel.
Then use the Avira uninstaller tool to remove the remains.

http://uninstallers.blogspot.com/

Then I need ComboFix, TDSSKiller & a fresh aswMBR logfile.

Follow these steps:

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Post the log report (ComboFix.txt) back to the topic.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

  • If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

  • If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.


copyright by: essexboy

Also please re-run aswMBR, but before you run it please download the fresh version of aswMBR.

Here’s the ComboFix file. Doesn’t seem to be much in it. Is that OK so far?

If that’s OK, I’ll carry on with the rest of it. Don’t want to do more things if the next step is reliant on ComboFix doing something it hasn’t managed to do as there were some error boxes that came up about the registry. Sorry I didn’t take note of what they said.

cheers,

Stephen

No, sorry, but the ComboFix log is not complete.
You need to copy the content of C:\Combofix.txt
If the log is not there please re-run ComboFix again.

Then run TDSSKiller and aswMBR as I wrote above.
It might seem complicated but it is not. It’s very easy and the scans are of short duration…

ComboFix seemed to work this time. Log.txt attached.

In the end, I did run TDSSKiller after the first run of ComboFix and it found malicious files and cured them. It then rebooted and I had a log file, but just at that moment the last post by magna86 told me to run ComboFix again. So I did, and the log is attached. I have run TDSSKiller again and this time it said nothing was found.

Ran aswMBR again.

cheers,

Stephen

I can now log into PayPal without the problem I had. Thank you very much. Does that mean it’s gone?

cheers,

Stephen

I apologize for the delay. I had a busy day…

Re-run aswMBR and select the “Fix” option if available. Paste the log here.

I have run TDSSKiller again and this time it said nothing was found.

How about a suspicious file? Is some file detected?
Try to search the TDSSKiller log or re-run the program, because for some reason I cannot see its log properly :-\

edit: Save the log report from TDSSKiller to your Desktop with encoding ANSI. (see picture)

I ran aswMBR again. The Fix option was greyed out but the Fix MBR option was available. What should I do?

cheers,

Stephen

I’m not sure if I understand you.
When you started the aswMBR scan, and when it finished scanning, did it show the Fix button as available?
See the screenshot?
http://public.avast.com/~gmerek/aswMBR.htm

Now tell me the computer state (after Fix).

Additional checks:
Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

See the screenshot for what I mean. New aswMBR file attached.

cheers,

Stephen

I think the “FIX” is greyed out if it does not detect anything ?

Stephen, do you have a Combofix log? MBR is fine.