Trojan.zbot.gen found using "Trend Micro Titanium Internet Security 2011"; Remote access to home PC media files via "ORB, media anywhere" application


6 replies to this topic

#1 AndyMandy


Posted 25 February 2011 - 01:28 PM

I recently installed the free version of a program called "Orb" which is described as a media anywhere program that basically makes any media files on a home PC accessible (via remote access) while you are away from home (username and password protected). I felt as though this was safe enough given the password protection so I installed it on my computer and was able to access my media files away from home (it was pretty cool). (This is where I downloaded Orb, https://mycast.orb.com/orb/html/login.html. The bottom of the page provides a description of services and tech notes.)

A couple of days after installing Orb I wanted to add my music library to my media database. While uploading these files I noticed my current antivirus software Trend Micro Titanium Internet Security 2011 (TMTIS 2011) was warning me that a program on my computer was displaying trojan-like behavior (I had my internet traffic security settings in TMTIS 2011 on "high"). I *vaguely* recall the reason was because Orb was trying to "open network connections". I did a Google search and found that other people had this same trouble with Orb and other antivirus software and that you could just give Orb privileges in order to allow it to operate. I tried to allow Orb to operate in my TMTIS 2011 but found this did not stop the warnings so I, foolishly I admit, turned TMTIS 2011 off, left the house for the day and enjoyed some music at my work. I figured I would find some other antivirus software that would work alongside Orb later when I got home.

When I got back home I went and accessed my online bank, Bank of America, and after logging in received a very obvious and troubling pop up (described exactly here, http://www.computing.net/answers/security/bank-of-america-authorization-required-virus/32495.html). I then remembered that TMTIS 2011 had been deactivated so turned it back on. TMTIS 2011 immediately found 2 "viruses" which were described as "trojan.zbot.gen" and something like 92 "web threats". I ran TMTIS 2011 again and the amount of "viruses" stayed at 2 but the amount of "web threats" changed to 107. I have some knowledge about virus protection and removal so I immediately downloaded Malwarebytes from the internet and disconnected my computer from the internet in a hope to minimize the damage. Before disconnecting from the internet TMTIS 2011 warned that it had successfully stopped a program from transferring my email address over the internet.

I apologize but the accuracy of my description is low because I am not at my computer right now and I didn't screen capture anything or write down the exact warnings. Stuff in quotes is what I remember to the best of my knowledge.

As of now Malwarebytes found the 2 viruses (I assume the trojan.zbot.gen) and said that it removed them. I ran Malwarebytes again and then left the house for the day and am sending this from my work. I don't know if Malwarebytes has/will find them again.

First of all I would like to know what the best course of action is to be sure that the trojan is completely removed from my computer.

Next, is there any way to know if the personal information on my computer has been compromised (TMTIS 2011 was off for about 8-12 hours)? The only thing saved in Internet Explorer are my usernames on Facebook and Gmail (which tend to be email addresses). No web application I use saves passwords. I use my credit card to buy stuff online, could my bank info be compromised?

Finally, is this Orb program legit? Is it possible it is the reason I got a trojan or was Orb? Or did I get a trojan just because I was stupid and deactivated my antivirus? I don't think of using Orb as being the same thing as file sharing but I would like some advice on whether this program can be trusted (their website swears up and down that they are legit but when it comes down to it they made the website).

I will update my post after I get home and see what Malwarebytes has found and what TMTIS 2011 finds. But I probably won't connect my home computer to the internet until I'm sure I have removed everything. I really appreciate the help from those of you in this collective, you guys helped me about a year or so ago with a virus and I'm sorry to be knocking on your door again.

Edited by hamluis, 25 February 2011 - 01:35 PM.
Moved from XP to Am I Infected.



#2 AndyMandy


Posted 26 February 2011 - 06:34 PM

Update: I have checked with Malwarebytes and TMTIS 2011 and neither program found anything. I connected to the internet shortly and tried to navigate some pages but it was really sluggish and I'm pretty sure something is still up so I disconnected it again. I'm now awaiting any replies for help, thanks.

Oh, and I also uninstalled Orb before connecting to the internet.

Running XP as well.

#3 boopme


Posted 26 February 2011 - 11:37 PM

Hello, the first thing is about the zbot: this is a backdoor infection.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


To clean, the next step is:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


#4 AndyMandy


Posted 27 February 2011 - 07:36 PM

Thanks for the reply. I agree that I should simply reformat but I wasn't sure this was the best option. For some reason I was under the impression that this type of infection could "survive" reformatting.
So to recap I am going to reformat and I appreciate your expertise. Thank you for your time.

#5 boopme


Posted 27 February 2011 - 07:50 PM

Hello, not an unwise decision to make. Some injectors and MBR rootkits may do that but not this one.

Caution: If you are considering backing up data and reformatting, keep in mind, with a Virut infection, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.

You are welcome :thumbup2:
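The backup rules boopme gives in the post above (skip executables, screensavers, .ini and script files, skip archives that carry executables, and read the real on-disk name so a double extension like photo.jpg.exe is not mistaken for a picture) can be applied mechanically before anything is copied off the infected machine. The script below is an added example written for this thread; it is not code from BleepingComputer or from any of the posters. The extension list is the one in the post; the list of "executable inside an archive" types, the strict/loose switch and the sample media folder are my own assumptions, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# File types the post says not to back up from an infected machine.
RISKY_EXTENSIONS = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp",
                    ".xml", ".zip", ".rar", ".cab"}
# Member types that make an archive unsafe to carry across (my own list, an assumption).
EXECUTABLE_INSIDE = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".dll"}


def classify(path: Path, strict: bool = True) -> Optional[str]:
    """Return None if `path` may be copied to the backup, otherwise a reason to skip it.

    strict=True applies the post's final rule (skip every listed extension, archives
    included). strict=False applies its looser wording: a .zip is allowed when no
    executable is found inside it (.rar/.cab need third-party libraries, so they are
    always skipped).
    """
    # Path.suffixes sees the real on-disk name, so "photo.jpg.exe" is handled even
    # when Explorer is configured to hide the trailing .exe.
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if len(suffixes) > 1 and last in EXECUTABLE_INSIDE:
        return f"double extension {''.join(suffixes[-2:])} disguises an executable"
    if last == ".zip" and not strict:
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if Path(n).suffix.lower() in EXECUTABLE_INSIDE]
        except zipfile.BadZipFile:
            return "unreadable zip archive"
        return f"zip contains executable(s): {', '.join(bad)}" if bad else None
    if last in RISKY_EXTENSIONS:
        return f"risky extension {last}"
    return None


def select_for_backup(root: Path, strict: bool = True) -> Tuple[List[str], Dict[str, str]]:
    """Walk `root`; return (keep, skipped): relative paths to copy, and
    relative path -> reason for everything left behind."""
    keep: List[str] = []
    skipped: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            reason = classify(p, strict)
            if reason is None:
                keep.append(rel)
            else:
                skipped[rel] = reason
    return keep, skipped


def build_sample_tree(base: Path) -> Path:
    """Constructed sample media folder (not real data) used to demonstrate the filter."""
    root = base / "media"
    (root / "music").mkdir(parents=True)
    (root / "music" / "track01.mp3").write_bytes(b"\xff\xfb" + b"\x00" * 16)
    (root / "holiday.avi").write_bytes(b"RIFF" + b"\x00" * 16)
    (root / "photo.jpg.exe").write_bytes(b"MZ" + b"\x00" * 16)   # disguised executable
    (root / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (root / "codec.exe").write_bytes(b"MZ" + b"\x00" * 16)
    with zipfile.ZipFile(root / "album_art.zip", "w") as zf:
        zf.writestr("cover.jpg", b"\xff\xd8\xff")               # harmless archive
    with zipfile.ZipFile(root / "setup.zip", "w") as zf:
        zf.writestr("install.exe", b"MZ")                       # archive with an executable
    return root


def demo(strict: bool = True) -> Tuple[List[str], Dict[str, str]]:
    """Build the sample tree in a temp dir and run the selection over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return select_for_backup(root, strict)


if __name__ == "__main__":
    keep, skipped = demo(strict=False)
    print("copy:", keep)
    for rel, why in skipped.items():
        print(f"skip {rel}: {why}")
```

Run it with `strict=True` to get exactly the post's list (album_art.zip is refused along with everything else on the list); with `strict=False` the harmless album_art.zip passes but setup.zip is still refused because of the install.exe inside it. Either way the output is a list to feed a copy tool, not a guarantee: the post's advice to scan the backed-up data with an anti-virus before copying it back still applies.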

#6 AndyMandy


Posted 28 February 2011 - 09:51 AM

The more I read about this type of infection, the more I hate my life...

A couple follow up questions if you can still offer help.

First of all, I accessed the internet via an ethernet directly into the router and my roommate does the same into the same router (and he has a recent Macbook Pro). Is it possible the infection could have traveled to his computer?

Second, I was not fully aware of the ability/nature of this infection before and I attached my ipod to the computer after the infection. I have disk use enabled on the ipod and I connected it to the computer because I had saved some help documents from this forum on a clean computer at a friend's house. I then connected the ipod to the computer and moved the documents from the ipod to the computer. I did not move anything from the computer to the ipod. Could my ipod be infected from simply connecting to the infected computer? Other than enabling disk use (via iTunes) my ipod is factory settings, I have not used any programs other than iTunes to "hack" it or anything.

Finally my plan is to get a new hard drive to back up my media files while avoiding any of the extensions you've listed. Can you provide any links/reading about how to back up media (avi and music files) via cds/dvds (I have no experience with this). And is there anything I can do with the new, clean hard drive before connecting it to the infected computer to increase the security of the new hard drive?

Again, thanks for the help.

#7 quietman7


Posted 28 February 2011 - 07:55 PM

Is it possible the infection could have traveled to his computer?

Yes, that's always a possibility, so that computer should be scanned with anti-virus and anti-malware tools.

Could my ipod be infected from simply connecting to the infected computer?

Removable media is a common infection vector. I don't use an ipod but you may want to read these articles.
Infected iPods a threat to corporate networks
How can a Windows virus end up on an iPod?
Malware Targeting iPhones Can Also Infect iPads

Edited by quietman7, 28 February 2011 - 07:55 PM.
