
Thread: Possible false positive.

  1. #1
    Junior Member
    Join Date
    Mar 2010
    Posts
    1

    Default Possible false positive.

    So I just installed your new update and scanned my computer afterwards. To my surprise, S&D popped up saying that I may need to reboot to clean a possible "infection". After the scan, Spybot detected Win32.ZBot.rtk, which surprisingly is included with the new update. I then scanned my computer with MBAM and Avast!, and neither of them detected anything. Also note that I haven't downloaded anything besides this browser called PaleMoon, and I use Sandboxie for my browser needs.

    My operating system is: Win. Vista SP 2
    Browser: FF 3.6.2/IE 8/Google Chrome Beta
    Version: S&D 1.6.2 latest update (today)
    FP occurred after update then scan.

    Code:
    --- Report generated: 2010-03-24 18:06 ---
    
    Win32.ZBot.rtk: [SBI $BF624719]  File (File, nothing done)
      C:\Windows\System32\msinfo32.exeuineIntel.dl
      Properties.size=0
      Properties.md5=D41D8CD98F00B204E9800998ECF8427E
    
    DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)
      
    
    
    --- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---
    
    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-02-14 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-07-28 advcheck.dll (1.6.3.17)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2010-02-17 Includes\Adware.sbi (*)
    2010-03-23 Includes\AdwareC.sbi (*)
    2010-01-25 Includes\Cookies.sbi (*)
    2009-11-03 Includes\Dialer.sbi (*)
    2010-03-23 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2010-03-23 Includes\HijackersC.sbi (*)
    2010-01-20 Includes\Keyloggers.sbi (*)
    2010-03-23 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-03-02 Includes\Malware.sbi (*)
    2010-03-23 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2010-03-23 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-03-23 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-03-02 Includes\Spyware.sbi (*)
    2010-03-23 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-03-03 Includes\Trojans.sbi (*)
    2010-03-16 Includes\TrojansC-02.sbi (*)
    2010-03-23 Includes\TrojansC-03.sbi (*)
    2010-03-23 Includes\TrojansC-04.sbi (*)
    2010-03-23 Includes\TrojansC-05.sbi (*)
    2010-03-16 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
    Edit: Scanned with SAS and still no infection or rootkit reported.
    Last edited by Darkblade76; 2010-03-25 at 02:25.
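An added triage helper (not Spybot's code, and not from any poster in this thread) that parses report lines in the format quoted above and records the two signals that make this particular hit worth a second look before it is treated as a real file: the MD5 is the hash of zero bytes, and the reported filename has a real executable extension with extra characters glued after it. The sample report is constructed from the lines above plus one ordinary-looking entry for contrast; the checks are heuristics for review, not a verdict.

```python
"""Triage helper for Spybot S&D 1.6 report lines (added example, not Spybot's code).

Parses the "Name: [SBI $id]  File (...)" blocks quoted in this thread and records
two signals that call for a second look before a hit is treated as a real file:
  1. Properties.md5 is the MD5 of zero bytes (or size is 0): the scanner hashed
     no content, so the hash identifies nothing.
  2. The filename has an executable extension with more characters glued after
     it (msinfo32.exe + "uineIntel.dl"), the shape of an over-run string rather
     than a normal directory entry.
The sample report is constructed from the lines quoted in the thread.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # D41D8CD98F00B204E9800998ECF8427E

HEADER_RE = re.compile(r"^(?P<name>\S+): \[SBI \$(?P<sbi>[0-9A-Fa-f]+)\]\s+File \(")
PROP_RE = re.compile(r"^\s+Properties\.(?P<key>\w+)=(?P<value>.*)$")
# An .exe/.dll/.sys extension that is followed by more non-space characters.
OVERRUN_RE = re.compile(r"\.(exe|dll|sys)(?=\S)", re.IGNORECASE)

SAMPLE_REPORT = r"""--- Report generated: 2010-03-24 18:06 ---

Win32.ZBot.rtk: [SBI $BF624719]  File (File, nothing done)
  C:\Windows\System32\msinfo32.exeuineIntel.dl
  Properties.size=0
  Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Constructed.Sample: [SBI $00000000]  File (File, nothing done)
  C:\Users\demo\AppData\Local\Temp\dropper.exe
  Properties.size=48640
  Properties.md5=0123456789ABCDEF0123456789ABCDEF

DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)
"""


@dataclass
class Detection:
    name: str
    sbi: str
    path: str = ""
    size: Optional[int] = None
    md5: str = ""
    reasons: List[str] = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        return bool(self.reasons)  # at least one artefact signal fired


def parse_report(text: str) -> List[Detection]:
    """Collect file detections; cookie and other non-file entries are skipped."""
    detections: List[Detection] = []
    current: Optional[Detection] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = Detection(name=header["name"], sbi=header["sbi"].upper())
            detections.append(current)
            continue
        if current is None:
            continue
        prop = PROP_RE.match(line)
        if prop:
            if prop["key"] == "size":
                current.size = int(prop["value"])
            elif prop["key"] == "md5":
                current.md5 = prop["value"].strip().upper()
        elif line.startswith("  ") and not current.path:
            current.path = line.strip()  # first indented line is the reported path
        elif not line.strip():
            current = None  # a blank line closes the block
    return detections


def triage(det: Detection) -> Detection:
    """Attach the artefact signals that apply; an empty list means none fired."""
    if det.md5 == EMPTY_MD5 or det.size == 0:
        det.reasons.append("hash is the MD5 of zero bytes: no file content was read")
    filename = det.path.rsplit("\\", 1)[-1]
    if OVERRUN_RE.search(filename):
        det.reasons.append("executable extension embedded mid-name: %r" % filename)
    return det


def review(text: str) -> List[Detection]:
    """Parse a report and triage every file detection in it."""
    return [triage(d) for d in parse_report(text)]
```

A flagged entry is not proof of a scanner bug; it is the cue to confirm on the machine whether a directory entry with that exact name exists at all before acting on the hit.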

  2. #2
    Junior Member
    Join Date
    Mar 2010
    Posts
    3

    Default Possible false positive?

    Good morning. Updated Spybot this morning on 3 machines, 2 Vista and 1 XP.
    The XP showed no problem.
    The two Vista showed Win32.ZBot.rtk. I have CCleaner (cleaned) and Avast Internet Security running.

  3. #3
    Junior Member
    Join Date
    Mar 2010
    Posts
    5

    Default

    Vista Home Premium 32 here. It has turned up two days in a row for me. Cleaned yesterday and rebooted, and it was gone. Reappeared today; rebooted to remove the files, Spybot eventually stops working, rebooted and am trying again to remove. Avast Pro, a-squared Free, and Defender turn up nothing, including a safe mode scan.

    Win32.ZBot.rtk: [SBI $BF624719]
    C:\Windows\System32\msinfo32.exeleshooter.ex

    Noticed that it's .exeleshooter.ex this time, but it was something different the last two times.

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Hello,

    The detection of these files is not exactly as intended, but the files are highly suspicious.
    The files in question are hidden using rootkit functions.

    Please do the following:
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  5. #5
    Junior Member
    Join Date
    Mar 2010
    Posts
    3

    Default False Positive Win32.Zbot.rtk ?

    Good morning,
    Ran Spybot again today. Same message, Win32.Zbot.rtk...TrojansC-05.
    Removed using Spybot. Spybot says successful. The plus sign next to the green checkmark, expanded, says (9SBI $BF624719) File, C:\Windows\System32\msinfo32.exee.dll.DLLllx

    This shows up on two machines, one Vista Home 32 and one Vista Ultimate 64. It does not show up on a computer using XP Pro 32. Home network using Avast Internet Security.

  6. #6
    Junior Member
    Join Date
    Mar 2010
    Posts
    3

    Default Vista 64bit 3 26 2010



    --- System information ---
    Windows Vista (Build: 6002) Service Pack 2 (6.0.6002)



  7. #7
    Junior Member
    Join Date
    Mar 2010
    Posts
    5

    Default

    Emailed you what I had. It's still turning up. GMER kept crashing on me, both in regular boot and safe mode. Rootanalyzer worked and I attached the report.

  8. #8
    Junior Member
    Join Date
    Mar 2010
    Posts
    2

    Exclamation coming from Avast

    I have confirmed that Spybot is detecting Win32.ZBot.rtk only after installing Avast Pro (v5.0.462).
    I was worried and reverted to a backup made just after a total reinstall. It had Avast 4; I updated it to v5, installed Spybot, scanned, and it came back with ZBot.rtk. So I did a clean install, got all my updates, and used Spybot, scanning at least 3 times with no detection of ZBot, then did a full backup to my Windows Home Server. Scanned both server and PC again with no detection. Installed a fresh download of Avast Pro v5.0.462, updated and restarted.
    Scanned again and it caught ZBot.rtk.

    I am sure it is either legit or Avast is causing Spybot to detect a false positive.

    I use Avast Home Server on my Windows Home Server and Spybot has not detected anything.

    Can someone please help? I am afraid to use any personal logins.

  9. #9
    Junior Member
    Join Date
    Mar 2010
    Posts
    2

    Thumbs up

    Update:

    I uninstalled Avast Pro 5, restarted, and Spybot did not find anything.
    My guess is it's a false positive.

    I am running
    Vista Home Premium SP2 32-bit

    It would still be nice to know for sure?

  10. #10
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    I cannot confirm a false positive.

    I received thundernoggin's files and they are still being checked.

    GMER may not run properly on a 64-bit OS but should work on 32-bit Vista.
    If it does not run on a 32-bit OS, it is very likely infected.

    Please try RootRepeal;
    this should be able to find a ZBot-based rootkit and should also be able to extract the files.
    If you do, please send them to detections@spybot.info with a reference to this thread.
