Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.zbot


  • Please log in to reply
8 replies to this topic

#1 tlinstrom

tlinstrom

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 07 January 2015 - 06:08 PM

I am working on my cousins computer.  Its a 7 year old HP Pavilion, with Windows XP.  He was complaining of the system running very slow.  I confirmed it was running slow, and there were some very odd processes running.  Suspecting a virus, I did the following via Team Viewer:

 

1. I installed Norton Security Suite (downloaded and applied all the updates) that Comcast provides. Performed a full scan and "fixed" all things that were reported.

2. I have applied all updates from MS, so it should have the latest service packs, patches, etc.  .

3. Installed and ran Malware bytes(downloaded and applied all the updates) .  "Fixed" everything it reported.

 

At this point, Norton started informing me that it blocked an attempt from Trojan.zbot Activity 15.

 

I ran the Norton Eraser, but the blocked attempt message reappeared.  When I Re-run a Norton quick scan, it does not report any threats(other than tracking cookies).  The system is now performing relatively fine other than this infection.

 

Thanks in advance.

 



BC AdBot (Login to Remove)

 


m

#2 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:08 AM

Posted 07 January 2015 - 06:47 PM

You should scan for adware and use Eset Online Scanner to find and remove both adware and malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window. (Eset can take more than an hour to run so plan accordingly)

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

EDIT: Run the below scan first if you haven' t started the other scans.

 

Please download Powelikscleaner (by ESET) and save it to your Desktop.

  • Double-click the 3.png to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.
  • Please let me know if poweliks is found and removed as shown in last image.

1.png
2.png


Edited by buddy215, 07 January 2015 - 07:54 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,606 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:08 AM

Posted 07 January 2015 - 09:35 PM

At this point, Norton started informing me that it blocked an attempt from Trojan.zbot Activity 15.

Trojan.Zbot Activity 15

Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description
This signature detects suspicious activity from system processes.

Additional Information
Malwares can inject malicious code into system process which later can communicate with CnC server to download additional malware or post stolen information.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 tlinstrom

tlinstrom
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 08 January 2015 - 06:01 PM

Thank you for the quick response.  Here are the logs.

 

1. AdwCleaner[SO].txt:

# AdwCleaner v4.107 - Report created 08/01/2015 at 11:29:06
# Updated 07/01/2015 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : HP_Administrator - CDC_GODDARD
# Running from : C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\B2LEZ47B\AdwCleaner[1].exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\AOL Toolbar
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
Folder Deleted : C:\Program Files\AOL Toolbar
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL Toolbar
Folder Deleted : C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Conduit
File Deleted : C:\Documents and Settings\All Users\Desktop\eBay.lnk
File Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\eBay.lnk
File Deleted : C:\Documents and Settings\HP_Administrator\Favorites\eBay.lnk
File Deleted : C:\Documents and Settings\LogMeInRemoteUser\Favorites\eBay.lnk

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com
Key Deleted : HKCU\Software\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\superfish.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B27D9527-3762-4D71-963D-FB7A94FDD678}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BF0118D4-63FF-4138-9327-F3028FB1A578}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF0118D4-63FF-4138-9327-F3028FB1A578}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{35468625-aaba-4d01-bd46-ef82136ebdbe}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Tbccint_HKLM
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\firstsearch
Key Deleted : HKLM\SOFTWARE\MetaStream
Key Deleted : HKLM\SOFTWARE\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Yahoo! Companion

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Google Chrome v39.0.2171.95

[C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [7720 octets] - [08/01/2015 11:23:10]
AdwCleaner[S0].txt - [7367 octets] - [08/01/2015 11:29:06]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7427 octets] ##########

2. JRT.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Microsoft Windows XP x86
Ran by HP_Administrator on Thu 01/08/2015 at 12:52:37.78
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Bar
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Search Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3EF64538-8B54-4573-B48F-4D34B0238AB2}

 

~~~ Files

Successfully deleted: [File] "C:\WINDOWS\wininit.ini"

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\hot deals"

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 01/08/2015 at 13:04:59.14
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

3. ESETScan.txt:

C:\AdwCleaner\Quarantine\C\Program Files\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\realestate-7f193003-2e02f9d6.zip a variant of Java/Exploit.CVE-2010-0840.AL trojan cleaned by deleting - quarantined
C:\hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/AdInstaller potentially unwanted application deleted - quarantined
D:\I386\APPS\APP02942\src\CompaqPresario_Spring06.exe a variant of Win32/AdInstaller potentially unwanted application deleted - quarantined
D:\I386\APPS\APP02942\src\HPPavillion_Spring06.exe a variant of Win32/AdInstaller potentially unwanted application deleted - quarantined

 

4. Powelikscleaner did not find the threat.

 

I think that is what was requested.  One note, the ESET OnlineScan tool might have been updated, because the instructions above were slightly different. 

 

Thanks again!!!!
 


Edited by tlinstrom, 08 January 2015 - 06:01 PM.


#5 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:08 AM

Posted 08 January 2015 - 07:09 PM

Is Norton still reporting Trojan.zbot Activity 15 activity? As Quietman emphasized....very risky and may need to move you to

a forum that can use tools not allowed in this forum. So, please, let me know.

 

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#6 tlinstrom

tlinstrom
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 09 January 2015 - 12:53 AM

Well, I haven't seen the alert since yesterday, but I am embarrassed to say that as I read the history file tonight, it says Norton blocked an attempt of that virus, from an external computer.  So, I don't think the computer was infected with the virus, but merely stating that it blocked an external attempt.  The bubble that popped up wasn't as descriptive as the history log.

 

So, I think I am good.

 

I really appreciate the support, and will throw a few bucks at the paypal link.

 

Thanks again.



#7 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:08 AM

Posted 09 January 2015 - 05:26 AM

Okay...One of the reasons I asked to run the security check is this....C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\realestate-7f193003-2e02f9d6.zip a variant of Java/Exploit.CVE-2010-0840.AL trojan cleaned by deleting - quarantined

 

It's likely that there is some old Java programs that need uninstalling. Check the Add/ Remove list of programs.

There may be old Flash programs, too. Both are malware magnets and very often exploited. Remove old flash programs

using Uninstall Flash Player | Windows

 

You're welcome and happy surfin'...


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#8 tlinstrom

tlinstrom
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:08 AM

Posted 09 January 2015 - 12:05 PM

Much appreciated!

 

Hmmm, I thought there was a link to donate via PayPal.  I'm not finding it.


Edited by tlinstrom, 09 January 2015 - 12:09 PM.


#9 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:06:08 AM

Posted 09 January 2015 - 03:14 PM

It's all free....and feel free to participate and share your knowledge.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users