Had to clean up a PC with zbot infection


Virus Guy

Dec 1, 2009, 10:01:55 AM
A friend with XP-sp2 that's not very computer savvy had followed the
instructions of one of those fake anti-virus popups in early November.
I told him to turn off his PC and do nothing till I look at it.

I've just gotten around to looking at it. First thing I did was remove
the drive and slave it to another XP machine running NAV 2002 with
current definitions. It found and quarantined 3 files.

I searched the drive for any files/folders that were created/modified
around the time of the infection and I found some files that I moved off
the drive and sent them to VT. Sure enough, they were viral (about a
60% detection rate, and with Symantec not detecting them). They were
located in System Volume Information directory, in one of the RP
sub-directories.

I then re-installed the drive back into the original PC and started it
up. This PC also had NSW 2002 but I couldn't start it. I wasn't sure
if NAV was expired so I removed NSW and re-installed it, but the NAV
portion didn't install. Strange.

And I can't bring up the task manager.

I downloaded MBAM and it found 4 files - all of them being .db files in
a twain_32 directory (I don't think they were executable files). I
submitted the files to VT and only one of the files was flagged by one
AV package (McAfee) as being a zbot CC file.

MBAM found over 700 registry entries that it wanted to nuke, and
detected nothing suspicious running in memory.

After MBAM, I could run NSW and sure enough NAV wasn't installed, so I
installed it and this time it worked. And I can now bring up the task
manager. I suppose it was a rogue registry entry causing those
problems?

Funny thing. Even though NAV did not flag the .db files as viral from a
scan done from the context menu, it DID raise a warning message when I
moved those files to another location on the drive. Strange.

The firewall had been disabled, so I re-enabled it.

I uninstalled Java JRE and installed the latest version. When I go to
javatester.org and test which version of java is running (with firefox)
I get an error that forces firefox to close. I bring up google and a
good fraction of the search results I click on seem to take me to other
domains and start a chain of re-directions.

So there's still something wrong with this PC. I run Spybot SD and it
finds a bunch of weird entries in the hosts file, but it can't fix them
because of the file properties of the hosts file. I fix that, and then
nuke the hosts file. Javatester.org now works properly (does not crash
FF).

The malware that was installed on this PC went by the name of "Windows
Enterprise Suite" or WES. What a pain in the ass.

I would suggest that MBAM examine the permissions of the hosts file and
at least report a suspicious setting to the user, if not change it to
what it should be. Maybe go further and test for any re-directions for
google.com as part of the system analysis.


Virus Guy

Dec 1, 2009, 6:31:05 PM
ASCII wrote:

> > I would suggest that MBAM examine the permissions of the hosts
> > file (...) Maybe go further and test for any re-directions for
> > google.com as part of the system analysis.
>
> Doesn't HJT address these concerns?

What's wrong with MBAM adding a few useful features to make it an even
better simple-to-use malware detector and remover/fixer?

Weird permissions for the hosts file, or any IP address other than
127.0.0.1 in a hosts file should be a red flag.
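The two checks proposed in this thread (flag any hosts-file mapping that does not point at loopback, and flag tampering aimed at google.com or at security vendors) as an added example; this is not code from the thread or from Malwarebytes. The hosts content and the watchlist domains are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the thread); it mimics the kind of
# redirect and sinkhole entries a rogue-AV infection leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com
192.0.2.10      google.com
127.0.0.1       www.malwarebytes.org   # loopback used to block the vendor
127.0.0.1       ad.doubleclick.net
"""

# Search and security-vendor domains whose redirect or blocking is a classic
# infection symptom. Illustrative list; extend it for your environment.
WATCHLIST = ("google.com", "malwarebytes.org", "symantec.com", "microsoft.com")

def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:               # one IP may map several names
            yield fields[0], host.lower(), lineno

def is_loopback(ip):
    """True for 127.x.x.x or ::1; False for anything else, including garbage."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (severity, lineno, ip, host, reason) for every suspicious mapping."""
    findings = []
    for ip, host, lineno in parse_hosts(text):
        on_list = any(host == d or host.endswith("." + d) for d in watchlist)
        if not is_loopback(ip):
            # Name is sent to another machine: redirect / phishing / C2 proxy.
            sev = "high" if on_list else "medium"
            findings.append((sev, lineno, ip, host, "non-loopback mapping"))
        elif on_list:
            # Loopback for a vendor or search site silently blocks it (ad
            # blocking entries for other names are not flagged).
            findings.append(("high", lineno, ip, host, "watchlist host sinkholed"))
    return findings

if __name__ == "__main__":
    for sev, lineno, ip, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"[{sev}] line {lineno}: {ip} {host} ({reason})")
```

On the infected machine you would feed it the contents of %SystemRoot%\system32\drivers\etc\hosts; the permission and read-only attribute check Spybot tripped over is OS-specific and not included here.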

FromTheRafters

Dec 1, 2009, 9:10:10 PM

"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B15A739...@Guy.com...

Now *that's* funny.



Dustin Cook

Dec 7, 2009, 4:41:52 PM
Virus Guy <Vi...@Guy.com> wrote in news:4B152FE3...@Guy.com:

> I downloaded MBAM and it found 4 files - all of them being .db files in
> a twain_32 directory (I don't think they were executable files). I
> submitted the files to VT and only one of the files was flagged by one
> AV package (Mcaffee) as being a zbot CC file.

If MBAM flagged on them, they could very well be executables. Our engine
ignores files which lack an MZ header; unless! the heuristics tagged it.
Filenames would greatly help me to determine which it was. A log would be
nice too. :)



> MBAM found over 700 registry entries that it wanted to nuke, and
> detected nothing suspicious running in memory.

That doesn't sound good.. Have you checked for rootkits which may be
evading our program?



> The malware that was installed on this PC went by the name of "Windows
> Enterprise Suite" or WES. What a pain in the ass.

I know at least one variant of that does disable our scanner... I observed
the disabling by deleting our executable tho. :(



> I would suggest that MBAM examine the permissions of the hosts file and
> at least report a suspicous setting to the user, if not change it to
> what it should be. Maybe go further and test for any re-directions for
> google.com as part of the system analysis.

This is something that is on the list of things we will eventually be
doing.

--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Dustin Cook

Dec 7, 2009, 4:44:26 PM
ASCII <m...@privacy.net> wrote in news:4b1622f3.746734@EBCDIC:

> Virus Guy wrote:
>>ASCII wrote:
>>
>>> > I would suggest that MBAM examine the permissions of the hosts
>>> > file (...) Maybe go further and test for any re-directions for
>>> > google.com as part of the system analysis.
>>>
>>> Doesn't HJT address these concerns?
>>
>>What's wrong with MBAM adding a few useful features to make it an even
>>better simple-to-use malware detector and remover/fixer?
>
> Depends on what features are considered useful, and to whom.
> If they get too ambitious, next thing it will be another hunk of bloat
> ware, that doesn't always address whatever concerns someone has, yet
> carries a lot of useless ballast.
>
>>Weird permissions for the hosts file, or any IP address other than
>>127.0.0.1 in a hosts file should be a red flag.
>
> HJT doesn't alter the hosts file but displays its changes and offers
> to open it in notepad for any corrections deemed necessary, whereas
> the person who registers and pays to upgrade MBAM for 'professional'
> level assistance, will receive a replacement hosts file full of extra
> addys, with some inserted for what seems to be petty political
> reasons.
>
What are you talking about? We don't touch the hosts file, either in the
free version or the pro version. Do you have a copy of this hosts file
you're talking about? I just installed the v1.42 version available to all,
and the developers version that we run... we're not creating/replacing or
doing anything with/to the hosts file.

So what sites is it we're blocking for ... petty? political reasons? (We
don't have politics in malwarebytes...)
