Hello
My name is Harry. Please help me. Every time I start the computer (Vista Home Premium), avast4 finds a win32:Zbot-mou(trj). What can I do to escape?
Thanks
Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from Here or Here
- Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
If that does not clear the problem then we will look further
Hi, I too am having problems with the above named trojan, and have tried all the above (including a full scan). Any solutions would be welcomed.
If you are still experiencing problems after running MBAM then start a new thread and post the link here ;D
Hi there, same thing here. I downloaded the link below but avast is still popping up saying the same thing, although the software did say it cleared it, but it didn't?? Not much online about this either.
Anyone any ideas what to do next? Can someone tell me what this could be doing to my girlfriend's laptop?
See my report below
Malwarebytes’ Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
25/01/2010 21:27:40
mbam-log-2010-01-25 (21-27-40).txt
Scan type: Full Scan (C:|)
Objects scanned: 371197
Time elapsed: 1 hour(s), 8 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
C:\Windows\Temp\ouia.tmp\svchost.exe
Win32:Zbot-MOU [Trj]
Trojan Horse
100125-1, 25/01/2010
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Use avast and try a boot scan using avast, then after all use http://Malwarebytes.org
I have now tried all of the above suggestions and it's not cleared. Is there anything else?
Download this last option, hope it can help you:
http://www.4shared.com/file/25210909/4742a13f/Trojan_Remover_662_Full.html?s=1
Nope eman, that didn't work either. Turning the laptop off now, but if anyone gets any ideas please post them,
and if anyone can tell me what it's actually doing to the laptop, it would be much help.
Thanks for all the suggestions.
Hi you Gordo134,
Use the manual removal instructions here: http://forums.spybot.info/showthread.php?t=47049
Remember that the malicious software you got was uniquely put there, so every version of Z-bot could go under the av/anti-malware radar. So you should evaluate first what you have there in order that you can cleanse it in SafeMode and later you could also uninstall and re-install System Restore,
polonus
You're right polonus bro. I suggest that you must go there in safe mode. To go into safe mode, restart your PC and then click F8, then choose safe mode, then try to remove it manually or else use the software I suggested to you…
Don’t worry bro, because there are no problems that could not be solved…
Emman™
Hey, thanks for the replies. I did try to remove it manually and it looked like it was going to delete, but then Windows said it couldn't find the file. The folder emptied out, but yet again 5 mins later avast said the same.
I was logged into MSN Messenger and one of my mates sent me a message. I just clicked on the right to see what it was, opened the email and it was a link to rapid share .com // surprise . and without thinking I clicked on it. Nothing happened, so I just closed the email box and left it at that, but we have since found out it was that email, and he was here tonight and said, "I wasn't even on at that time". We have since spent all night warning everyone else. This is a real nightmare as my whole family uses the net to chat as we are all over the world and he's SENT IT TO EVERYONE in my family !!!
Going to try a system restore and I'll keep you posted. Thanks again and ANY TIPS PLEASE POST!
Well, the system restore didn't work, and I tried again to remove it manually but still no luck!
Hello there!
I have the same problem
C:\Windows\Temp\ppxi.tmp\svchost.exe
Win32:Zbot-MOU [Trj]
100125-2, 25/01/2010
but the warning message from avast appears every 3 minutes (not just when I start my laptop). I tried Malwarebytes but it didn’t help.
Any ideas?
Looks like five of us now then!
I slightly stupidly opened an e-mail attachment last night, from someone I know and who may well have sent me something called “surprise.exe” - somewhere around 64kb.
Since then I’ve had the same problems as the previous posters, win32:Zbot-MOU shows up every few minutes, plus occasionally get a Blocked attempt to contact a malicious site message.
Using Google Search, every time you click on a result Link you are redirected to some other site, usually shopping-related such as Ebay. If you copy the same result Link though, and open it in another window, then you get to the right site.
Every time it happens I get an empty folder with a random 4 letter prefix (e.g. txnp.tmp, aldg.tmp) written to the C:\WINDOWS\TEMP\ directory. Interestingly I also have an Avast Folder showing up in the same directory, and I’m interested in finding out if this is a real Avast item, or created by the problem? This also shows up as an empty folder:
C:\WINDOWS\TEMP_Avast_\Webshlock.txt
I have run an up to date version of Malwarebytes, no luck though.
Am using XP Pro., SP3, Firefox.
Hope someone finds a solution soon…
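Added example, not part of the thread or any poster's code: a Python triage check for the two path patterns reported above, an svchost.exe outside System32/SysWOW64 and a four-letter .tmp folder under Windows\Temp. The function names and the benign sample paths are constructed for illustration, and the legitimate-folder list is an assumption of the heuristic; it flags candidates for review and removes nothing.

```python
import re
from pathlib import PureWindowsPath

# Assumption: a genuine svchost.exe runs from one of these Windows subfolders.
LEGIT_SVCHOST_DIRS = {("windows", "system32"), ("windows", "syswow64")}
# Folder naming reported in the thread: four letters + ".tmp" (ouia.tmp, ppxi.tmp, txnp.tmp).
RANDOM_TMP_DIR = re.compile(r"[a-z]{4}\.tmp", re.IGNORECASE)


def classify(path):
    """Return the list of reasons a Windows path looks suspicious (empty if none)."""
    p = PureWindowsPath(path)
    # Lower-case every component and drop the drive anchor (e.g. "C:\").
    parts = [s.lower() for s in p.parts if s != p.anchor]
    reasons = []
    if p.name.lower() == "svchost.exe" and tuple(parts[:-1]) not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64")
    if (len(parts) >= 3 and parts[:2] == ["windows", "temp"]
            and RANDOM_TMP_DIR.fullmatch(parts[2])):
        reasons.append("random four-letter .tmp folder under Windows\\Temp")
    return reasons


def triage(paths):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := classify(p))}


# Paths quoted by posters in the thread, plus constructed benign ones for contrast.
SAMPLE_PATHS = [
    r"C:\Windows\Temp\ouia.tmp\svchost.exe",   # avast alert in the thread
    r"C:\Windows\Temp\ppxi.tmp\svchost.exe",   # avast alert in the thread
    r"C:\WINDOWS\TEMP\txnp.tmp",               # empty folder described in the thread
    r"C:\Windows\System32\svchost.exe",        # constructed: expected location
    r"C:\Windows\Temp\setup.log",              # constructed: ordinary temp file
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS).items():
        print(f"{path}: {'; '.join(reasons)}")
```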
Gordo134 could you do the following please
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.
Download OTS to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
  - Reg - Shell Spawning
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
Hi, think we can safely say 6 of us on this forum.
My problem is exactly the same as Dee8to10. I have also tried everything I can think of, and I’m an IT Support Tech so I would say that I can be quite thorough, but this one has really Schtumped me.
I have run the scan and here is my OTS report
http://www.mediafire.com/?tmuzzz5zn32
I really hope someone can help as this one is really bugging me.
I’m using Windows 7, IE8
diviesh Does MBAM detect anything when run ?