The spy.zbot that spydoctor cannot keep down.
arthur.mctavish
« on: August 12, 2009, 10:25:03 PM »

Hi,

Many thanks in advance for any advice.  I'm new but learning about malware killing.

I think there is some malware on our PC (maybe plugged in with IE) which spydoctor cannot find. I've gone through the following loop a few times:
   1) spydoctor does find trojan-spy.zbot.a.
   2) spydoctor claims to fix this successfully.
   3) I start IE again.
   4) Run spydoctor. Return to 1) and start again.

koobface turned up one time.

I think this probably came in with a malware 'cluster-bomb' last Friday - perhaps to do with a rogue installation of VEOH TV, or ccleaner:
  - last Friday we were attacked by System Security 2009. Cleaned that up with spydoctor, and found other malware (including trojan-spy.zbot.a).
  - using msconfig, I also found, disabled and deleted freddy57.exe and ld12.exe in startup.

Many thanks again for your time
rodi (Administrator)
« Reply #1 on: August 13, 2009, 01:01:05 AM »

Hi,

It may be a new rootkit or a trojan downloader that Spyware Doctor is unable to remove yet.
trojan-spy.zbot.a is a serious threat because it can send all captured information to a remote server.

Open a command shell (Start -> Run and type cmd).
Type "netstat -a" (without quotation marks).
Check for any suspicious active connections.

Download GMER from http://www.gmer.net
It's a free rootkit removal tool. If it won't run just rename the installer to test.exe

You may also scan your PC with RootkitRevealer from Microsoft (doesn't work on Vista):
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Have you tried ComboFix? If not, then I think you should. It's free and quite effective.
Download from http://www.forospyware.com/sUBs/ComboFix.exe

Rename the installer to combo-fix.exe and follow the prompts.

Good luck
:)

arthur.mctavish
« Reply #2 on: August 13, 2009, 01:33:35 AM »

Many thanks for that.

When using netstat -a, what would count as suspicious?  Maybe it will be clear to me when I run it tonight.

Is there any value in just switching all IE plugins off to see if that fixes the problem?  Is that
safe, or could I muck IE up?

Will RootkitRevealer work under XP?

bleepingcomputer.com advises caution with ComboFix.  I'm not that experienced yet.

Cheers
rodi (Administrator)
« Reply #3 on: August 13, 2009, 04:52:13 AM »

Before you use the netstat -a command, close all programs that may have established an internet connection. I mean ICQ, MSN Messenger, online radio, etc. This will make the list of active connections smaller. See the "Foreign address" column.

For example, if you open the Google search page then you will see something like this in the Foreign address column: fx-in-f101.google.com:http
Most of the time it is obvious what program or service has established the internet connection. If you find any unknown IP addresses or host names, check them with http://who.is

Switching IE plugins off won't solve your problem. And I think you won't muck up IE by doing this either. You have to remove all possible security threats from your computer.

RootkitRevealer works under XP. However, this tool doesn't remove anything, it just provides a scan log. You may post your log here, we'll check it later. But don't forget to scan your PC with GMER first.

If you don't want to use ComboFix then try MalwareBytes anti-malware.
http://www.2-spyware.com/review-malwarebytes-anti-malware.html

I don't know if you have anti-virus software, but it would also be good if you scan your computer with ESET NOD32 Antivirus. (Only if you don't have antivirus software; do not install two antivirus programs at the same time.) That's because NOD32 detects infections that Spyware Doctor or MalwareBytes anti-malware are not designed to detect.
You may download a free 30 day trial (fully functional) from
http://www.2-viruses.com/eset-nod32-antivirus
or
http://www.eset.com/download/free_trial_download_int.php
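As an added example (my own, not code from the thread or from rodi), here is a small Python script that applies the check described in the reply above: parse the output of `netstat -a`, keep only ESTABLISHED connections, drop loopback and local-machine entries, and flag foreign hosts that do not match an assumed list of expected domains. The sample output is constructed for the example; the google.com host mirrors the one quoted above, and 192.0.2.45 is a documentation-range placeholder standing in for an unknown remote host. The KNOWN_SUFFIXES list is an assumption you would replace with whatever the machine is actually expected to talk to.

```python
from dataclasses import dataclass

# Constructed sample of Windows XP "netstat -a" output (not from the thread).
# The google.com entry mirrors the example given in the reply above; the
# 192.0.2.x address is a documentation-range placeholder for an unknown host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    home-pc:1046           fx-in-f101.google.com:http  ESTABLISHED
  TCP    home-pc:1052           192.0.2.45:8080        ESTABLISHED
  TCP    home-pc:epmap          home-pc:0              LISTENING
  TCP    home-pc:1033           localhost:1034         ESTABLISHED
  UDP    home-pc:ntp            *:*
"""

# Domains a home PC is expected to talk to (assumption for this example).
KNOWN_SUFFIXES = (".google.com", ".microsoft.com", ".windowsupdate.com")


@dataclass
class Conn:
    proto: str
    local: str
    foreign_host: str
    foreign_port: str
    state: str


def parse_netstat(text: str) -> list:
    """Turn raw netstat -a text into Conn records, skipping headers."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections" or the column header
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        host, _, port = foreign.rpartition(":")  # "host:port" -> host, port
        conns.append(Conn(proto, local, host, port, state))
    return conns


def is_local(host: str, local_name: str) -> bool:
    """Loopback, wildcard or the machine's own name: not a remote peer."""
    return host in ("*", "0.0.0.0", "127.0.0.1", "localhost", local_name)


def suspicious(conns, known_suffixes=KNOWN_SUFFIXES) -> list:
    """Established connections whose peer is not local and not a known domain."""
    flagged = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        local_name = c.local.rpartition(":")[0]
        if is_local(c.foreign_host, local_name):
            continue
        if c.foreign_host.endswith(known_suffixes):
            continue
        flagged.append(c)  # unknown name or bare IP: look it up before trusting it
    return flagged


if __name__ == "__main__":
    for c in suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"check: {c.proto} {c.local} -> {c.foreign_host}:{c.foreign_port}")
```

On a live machine you would save the real output (`netstat -a > netstat.txt`) and feed that file to `parse_netstat` instead of the constructed sample. A flagged host is a lead for a who.is lookup as rodi suggests, not proof of infection, and on XP `netstat -o` adds the owning process ID so you can see which program holds the connection. Bear in mind that a kernel rootkit can hide its connections from netstat altogether, which is why the reply also points at GMER.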
arthur.mctavish
« Reply #4 on: August 13, 2009, 11:00:33 PM »

Thanks for such comprehensive advice.

Hmm.  I'm wondering whether I need to seriously consider a reformat & re-install.

I only had time to run MalwareBytes anti-malware.  I list the junk it found below (not pretty).  Just before that, spydoctor stopped working (wouldn't execute).  Presumably been targeted.

--------Stuff found by MalwareBytes:
 6 Reg Keys, 2 Reg values, 5 Reg data items, 3 Folders, 10 files

Backdoor.bot (registry key associated with explorer)
Malware.trace
Trojan.agent
Hijack.userinit
rogue.registrydefender
stolen.data
worm.koobface
(plus a couple of reg data items left over from Security Centre)

I'm no expert, but that don't sound good to me.
rodi (Administrator)
« Reply #5 on: August 14, 2009, 01:54:11 AM »

You are welcome :)

Remove those infections with MalwareBytes. Unfortunately, this program doesn't provide more information about the malware it finds, just generic names. A reformat would be the best choice if you don't have very important files or other data on your computer. Most of the time people do have important files and don't want to lose them.
arthur.mctavish
« Reply #6 on: August 17, 2009, 02:10:45 AM »

Think we're probably clean (although...)

  - Cleaned up with Malwarebytes
  - Spyware Doctor started working again - and the trojan it couldn't keep down before has vanished, BUT...

  - Tried Spybot Search & Destroy. It found two registry entries for 'win32.agent.pz'. Hrumph.
     == Could this just be debris from the infections that the others had fixed?
     == Worth doing anything else to be more sure (stuff like GMER or HijackThis - or another 3 anti-spyware utilities)?

(If you suggest no action, no need to spend time replying)

Thanks again.
rodi (Administrator)
« Reply #7 on: August 17, 2009, 02:54:54 AM »

Scan your PC with GMER and then download CCleaner from http://www.ccleaner.com
CCleaner is a free program used mostly to fix registry and remove unnecessary files.