Bay 12 Games Forum

Topic: A very persistent virus (Read 3181 times)

ed boy

A very persistent virus
« on: March 21, 2011, 11:46:23 am »

I have a very persistent virus that has been on my computer for a while. I've tried a variety of tools, but none of them seem to work. I have tried the following programs:

-Sophos
-Spybot Search and Destroy
-Malwarebytes
-Microsoft Security Essentials

The only one that is able to detect it is Sophos, where it is listed in the quarantine list. In the quarantine list, its name is given as "Troj/ZbotMem-A". Its location is given as "memory" and it says that it requires me to clean it up manually, which I have been unsuccessful in doing.

The only effect that I have noticed is that some of the results of google searches are redirected to other places, but some googling of the name reveals that it has the potential to be a lot nastier.

What should I do to get rid of it?

Sowelu

Re: A very persistent virus
« Reply #1 on: March 21, 2011, 11:51:09 am »

Make sure you're running in safe mode, or better yet from a recovery CD, when you use those tools.  The absolute best thing you can do is to boot off a different drive (re-mount your hard drive as a D drive or something) and run the virus scanners from there.  As long as you boot your own OS, the virus is already in memory and keeping your tools from nuking it.
Some things were made for one thing, for me / that one thing is the sea~
His servers are going to be powered by goat blood and moonlight.
Oh, a biomass/24 hour solar facility. How green!

white_darkness

Re: A very persistent virus
« Reply #2 on: March 21, 2011, 12:13:10 pm »

So that's a memory detection of a zbot variant that's latched onto another process.  Manual removal means you're going to have to track down the pertinent files and registry entries it created and remove them yourself.

This seems like a fairly decent write up for manual removal here.

There's always one solution that would guarantee complete removal.  Format the hard drive and reinstall windows.

zilpin

Re: A very persistent virus
« Reply #3 on: March 21, 2011, 01:08:18 pm »

All those tools are only useful in getting your computer working enough to copy data off of it.

Once a system is root compromised, you can never trust that you have cleaned it.
This is especially true in Windows, which gives malicious software more places to hide than you ever knew existed.  E.g. Alternate Data Streams.

Copy your data to an external drive, format all drives completely, reinstall your OS and work from there.
From that point on, whatever external drive you attached should be considered «Compromised/Dangerous».  Before plugging it in anywhere, be sure Auto-Play is disabled.  NEVER run any executable files on it.  Do a complete virus scan (i.e. all files, heuristic) of it from a clean computer.  Even then, don't trust it.  Get your data off to another drive, format the Compromised drive (be sure to get its boot sector), and remember that something may be hiding in files on your backup, like Anthrax in the desert.

If you are unwilling to do that, don't complain when you find out your computer is part of a Botnet.
Or, go with a less vulnerable operating system next time (not always an option, esp. on shared computers).

Cheers, and good luck.

Sowelu

Re: A very persistent virus
« Reply #4 on: March 21, 2011, 01:50:02 pm »

> Or, go with a less vulnerable operating system next time (not always an option, esp. on shared computers).

Spoken like someone who's never had his Linux box rooted by a zero-day.

But yeah.  If you take the reformatting route...  When you evacuate your data, make sure it's DATA.  Not programs, even if finding the disks is annoying.  Reinstall everything and I mean everything.  Sorry.

Strife26

Re: A very persistent virus
« Reply #5 on: March 21, 2011, 02:27:38 pm »

Ouch man. Yeah, you're probably going to have to go with the nuclear option. Sorry.
Even the avatars expire eventually.

Angel Of Death

Re: A very persistent virus
« Reply #6 on: March 22, 2011, 07:29:21 am »

Try AVG free as a last resort.
99 percent of internet users add useless, pulled out of arse statistics to their sig. If you are the 1%, please, for the love of Armok, don't put any useless shit like this in your sig.
Hidden signature messages are fun!

Fayrik

Re: A very persistent virus
« Reply #7 on: March 22, 2011, 08:56:07 am »

What's this virus doing right now? Are you getting any symptoms from it?

I'd personally start spying on the virus to try and work out what it's trying to do.
Visual Studio, Wireshark... Or, if you fancy a less time intensive way, just use Comodo Firewall to check it's not opening network connections.

At any rate, it isn't going to be as critical as Zilpin makes it out to be.

Quick question on the matter though. Does Sophos pick it up in Safe Mode?
So THIS is how migrations start.
"Hey, dude, there's this crazy bastard digging in the ground for stuff. Let's go watch."

Lord Shonus

Re: A very persistent virus
« Reply #8 on: March 22, 2011, 09:03:04 am »

Erase all temp files on your computer. These things often hide in there.
On Giant In the Playground and Something Awful I am Gnoman.
Man, ninja'd by a potentially inebriated Lord Shonus. I was gonna say to burn it.

white_darkness

Re: A very persistent virus
« Reply #9 on: March 22, 2011, 10:56:17 am »

It's a Zbot infection.  He's part of one of the world's largest botnets.

Neonivek

Re: A very persistent virus
« Reply #10 on: March 22, 2011, 11:38:17 am »

One thing that I suggest if you even get a HINT that your computer has or is getting a virus is to immediately shut down your internet.

Almost all of the worst viruses nowadays that I experienced are downloaded or download more of themselves. I stopped really bad situations like that twice.

For example if acrobat or a PDF file reader program turns on and there was no indication you were trying to open one... Internet off!
If a security program opens that you don't own or that isn't on. Internet off!

You would be surprised how manageable some viruses are without access to the internet.

ed boy

Re: A very persistent virus
« Reply #11 on: March 22, 2011, 05:13:11 pm »

I disconnected from the internet, and ran a recovery disk (F-secure). It found nothing.
I then booted it in safe mode, and ran all the antivirus tools. They did not do the job. Interestingly, I could not use Sophos antivirus, but I could use Sophos anti-rootkit.

> What's this virus doing right now? Are you getting any symptoms from it?
>
> Quick question on the matter though. Does Sophos pick it up in Safe Mode?

Currently, the only effects I've noticed are that, when I do a google search and try to follow one of the links, it sometimes redirects me to another website, usually a dodgy one.

When I try to run Sophos antivirus in safe mode, I cannot. When the window opens, all the options are grayed out. It does not list the virus in quarantine in safe mode, though.

Sowelu

Re: A very persistent virus
« Reply #12 on: March 22, 2011, 05:30:20 pm »

Well, it's quite possible that your safe mode is compromised, which is why I say you should boot from another drive...

Starver

Re: A very persistent virus
« Reply #13 on: March 22, 2011, 06:13:43 pm »

Among my arsenal of tools, one that I didn't see mentioned (I use a number of those that were) is Super Anti-Spyware.

There are some very good stand-alone versions (single .exe, .com and other versions, which can, if the computer is booted as Safe Mode With Networking, be told to update their base detection, although you need to do that each time you restart it, but it's designed to get around viruses saying "Oooh, a malware programme... I'll stop you running, my pretty...") as well as the more standard installations.

You have to be a bit careful (as with a lot of tools) that you're getting the genuine one, I've seen pre-infected anti-malware programs, as well as complete rip-offs of them which is basically a dummy front busily doing its own trojanic thing in the background even while you're trying to get rid of problems.

But, aside from mentioning that package (and YMMV as to whether you find it useful), I'll add that if you can possibly stand to reinstall from scratch (get all your photos and stuff off first, and you may have to work out what to do with the likes of iTunes libraries and other repositories of that kind, although at least that's one thing Steam is good for), that's often better.  Of course, you immediately then need to make sure you're reloading all your security patches (assuming you hadn't forgotten before), AV (assuming its absence wasn't the cause of your predicament) and reconfiguring half a dozen other things.  Depending on what you're attacked by, you probably want (on your cleaned machine, or even before that from a different machine that you consider safe[1]) to go through your various on-line accounts and change the passwords.  Assuming that you hadn't already forgotten the passwords and were letting your browser auto-login every time, which could be a problem if the resource doesn't cater for forgotten passwords in a way useful to you (e.g. registered to an expired email address).


Oh, so much more advice to give.


[1] I've had people with suspected malware change their passwords on the machine still infected by malware.  If it was sending off private info like that in the first place, it's almost certainly sending off the new info as well...

Starver

Re: A very persistent virus
« Reply #14 on: March 22, 2011, 06:20:11 pm »

> Well, it's quite possible that your safe mode is compromised, which is why I say you should boot from another drive...

You are right that it's possible, although generally Safe Mode logging in as Administrator[1] tends to by-pass the stuff that heavily rootkits the regular User account.

Big problem with booting from another resource is that you may not have access to look at/change certain account-locked areas of the disk.  There are recovery disks which get around that (showing how poor MS security is, but then again I've done similar with Linux as well), but it's amazing how that little bit of paranoia you had beforehand (not extensive enough to prevent the problem occurring) can come back to haunt you when you're trying to get in and resolve something that crept past your defences.


[1] Because of Microsoft's security model, it almost certainly has a null password, but what yer gonna do, eh?