Win32/Zbot Trojan

McK1987

Hi All,

I am currently working on a desktop PC which has become infected with what looks like a variant of the 'Win32/Zbot' trojan. It shows up as Win32/Zbot.f. I have run Malwarebytes, SuperAntiSpyware and AVG in both safe mode and normal mode. I have also run Hitman Pro. There was a program called Internet Security Suite lurking about which appeared to be 'rogueware', which I have removed, but the Win32/Zbot.f trojan is still kicking about despite my trying several different programs and ways to remove it.

When the PC starts up, AVG reports that it can find all these trojans and that it 'Moves to Vault', but I'm not convinced. Also, I'm unable to gain access to the internet. I noticed that the Hosts file seems to have been hijacked.

Has anybody seen this trojan before and if so, how did you remove it?

Looking for assistance here as I'm starting to run out of ideas and I have searched Google.

Last resort is to nuke and pave but I would like to try to avoid this action if at all possible.

Cheers Guys!
 
Other than scanning the PC with various AV solutions, have you tried manually cleaning the infection?
 
I have searched the PC but having problems finding anything manually. This one is driving me crazy. Client really wants to avoid a nuke and pave even with data backed up so doing my best to get round it without having to do so!
 
Each time the PC is started does AVG find this? If it is found each time you start the PC, what was the location the affected files were found in?

Have you run Process Explorer and Autoruns to check for any unusual processes running?
 
I have used both Process Explorer and Autoruns but found nothing suspicious.

As for the location of the infection, it's everywhere really. In nearly every folder in program files. Seems to be replicating like wildfire.

I can possibly post up a HijackThis log tonight.

Thanks for response, I'm really blown away with this one but determined at same time!
 
Read this: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

Assuming it's the same virus, that article outlines the reg keys and likely files involved. Looks like it adds to the Run key and tags on the end of the Userinit key. This should be apparent from Autoruns or regedit. However you'd expect MBAM to have dealt with that.

If it's modified the hosts file then edit out the changes. Also check for proxy and DNS changes. For instance, if it set up a proxy and you killed it then it will be trying to use a non-existent proxy server, which would prevent web access. Also always check the MBR and tasks in case it's simply reloading itself after removal.
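An added example (not code from anyone in this thread) that automates two of the checks suggested above: flag hosts-file entries that blackhole or redirect names, and list whatever has been appended to the Userinit value. The sample hosts lines and the Userinit string are constructed, and the vendor-domain list is an assumption.

```python
import ipaddress
# Constructed sample hosts file, not copied from the infected PC in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avg.com
127.0.0.1       update.symantec.com
203.0.113.10    www.example-bank.test
"""
# Constructed Userinit value (assumed shape of the "tags on the end" change above).
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
WATCHED = ("avg.com", "symantec.com", "malwarebytes.org", "microsoft.com")  # illustrative

def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def audit_hosts(text):
    """Return (ip, hostname, reason) for every entry a defender should review."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        watched = any(name == d or name.endswith("." + d) for d in WATCHED)
        if addr.is_loopback and name not in LOOPBACK_NAMES:
            findings.append((ip, name, "blackholed to loopback"))   # blocks AV updates
        elif not addr.is_loopback and watched:
            findings.append((ip, name, "vendor name redirected"))
        elif not addr.is_loopback:
            findings.append((ip, name, "pinned to a fixed address"))  # possible phishing
    return findings

def extra_userinit_entries(value):
    """Return anything in the comma-separated Userinit value besides userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<24} {reason}")
    print("extra Userinit entries:", extra_userinit_entries(SAMPLE_USERINIT))
```

On a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` and the `Userinit` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` into these functions instead of the constructed samples.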
 
You need to be looking for a rootkit on that computer. I would suggest looking at the MBR first. Scanning software will only highlight secondary infections, they will not remove the rootkit.
 
If it's replicating then I don't think it's a Trojan; Trojans don't replicate, however Worms do.

Personally I wouldn't boot into Windows in this scenario, I would be booting into an external environment such as Windows Standalone Scanner or Dr.Web boot disc.
 
I agree, the core infection is occurring early in the boot-up process; trying to clean things off at operating system level is futile.

You should consider the trojan as a symptom of a primary infection, not the infection itself. Only when you've removed the root infection should you scan for secondary infections such as Trojans.
 
Thanks Guys!

Any recommendations for best way to tackle MBR? Decent scanners for root infections?
 
If it's Windows XP use the Recovery Console and use FIXMBR. The subject of rootkit removal tools is often discussed on this forum so it might be worth doing a search. I generally use GMER, IceSword and TDSSKiller. It's also worth compiling your own offline disk using WinPE or Linux that will allow you to analyse and work on the infected operating system partition from a non-infectable (i.e. non-writeable) medium such as CD.
 
I prefer mbr.exe off the GMER site for checking the MBR as it usually works well inside of Windows even with an RK running, and because it doesn't mess up custom MBRs.

Also the latest TDSSKiller checks for some rootkit infections.
 
GMER would be a good place to start :)

Is it certain filetypes that are infected? There was one that infected every HTML file on the computer; you need to kill the rootkit first and then ESET Online Scanner was pretty good at clearing up the mess.
 
Hey McK,

If you're still having trouble, download OTL.exe to the PC, rename it, run it, perform a Quick Scan, and then attach the resulting log. I will try to get around to it soon and create a cleanup script for you.
 
Win32.ZBot tries to steal confidential user information, like passwords for email and online services. It installs a rootkit within the system directory and saves the credential data to hidden log files. A Win32.ZBot installer tries to disguise itself as a system file or uses a document icon for the purpose of deceiving the user.

Manual Removal Guide for Win32.ZBot

Let me know if this helps.
 
Came across this:
Trojan-Spy.Win32.Zbot

Manual Removal of Trojan-Spy.Win32.Zbot.gen

1. If you're using Windows XP, disable System Restore first before proceeding.

Right click My Computer and click on Properties.
Click on the System Restore tab.
Put a check mark on Turn off system restore on all drives.
Click apply, then OK.
Restart the computer.
2. Boot into safe mode by pressing the F8 key before the Windows logo appears, then choose safe mode in the selection list, then hit the Enter key.

3. Log-in as Administrator or under your account that has administrator privileges.

4. Show hidden folders and files by going to My Computer -> Tools -> Folder Options -> View Tab -> click show hidden folders, files and drives. Un-check hide operating systems files. Click OK.

5. Delete the following files:

%System%\alg.exe

%System%\svchost.exe

%System%\lsass.exe

%System%\services.exe

%System%\lowsec\user.ds

%System%\lowsec\local.ds

%System%\sdra64.exe

6. Click Start -> Run, type regedit and click OK. User Account Control (UAC) will ask you if you want to authorize access, click Continue.

7. Locate the following registry entries and delete them:

HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}

8. Restart the computer and boot in the normal mode.

http://forum.sysinternals.com/sdra64exe-as-a-rootkit_topic22893.html
 
Thanks for all responses guys!

Knew I could rely on fellow techies! I'm a bit snowed under at the moment with work so once I get round to it, I will attempt all suggestions!

Luckily the client has another laptop and isn't bothered how long I have it for just as long as I return it minus the rootkit/trojan!
 
I think a format and reinstallation of Windows is in order as there seems to be no way round it. The hosts file is infected and I just can't seem to release it! Only problem is I have no recovery, restore or reinstallation disc for the PC. Only a WinXP disk, but I know I'll have problems with the Product Key!
 
Before you go and perform a N&P, what have you done\run so far to beat this infection?
 
I have run Spybot S&D and AVG scans in both Safe & Normal mode. I have run Hitman Pro. I have run RootkitRevealer and GMER. I have run Windows recovery and run fixmbr. I have tried running ComboFix.

I have also tried renaming hosts file to hosts.bak and copying a new one over which it let me but still no luck.

I have run MBAM and SS. I have run HijackThis but it denies access on the hosts file as it is full of redirects.

I really want to avoid a N&P as I don't know how I will reinstall Windows with no recovery disk, but I really am finding it tough to clean this PC.
 