
Possible Zeus (zbot?) infection


This topic is locked
12 replies to this topic

#1 IAmAUser (Members, 11 posts)

Posted 24 March 2015 - 06:11 PM

Apologies if this is the wrong place to post.

A few nights ago on my gaming computer at home I had a Cox Browser Alert popup saying it thought a computer on the network might be infected with Zeus virus. First thing I did was check Cox's website from my phone to verify that Cox alert is actually a legit thing; I had never seen it before or knew it existed. After being reasonably convinced that it's a real thing I quickly downloaded AdwCleaner and RogueKiller, then disabled my connection. AdwCleaner found 2 files in /Temp called "Utils.dll" and "base.exe." I'm pretty sure RogueKiller found one registry item, but I can't look at the logs without the premium version. After cleaning and reboot I turned the network back on and downloaded a few more removal tools: Malwarebytes, TDSSKiller, Rkill, Hitman, JRT, and Emsisoft Emergency Kit. None of them turned up anything. I haven't seen any obvious symptoms of an infection that I'm aware of.

Is it possible that I actually caught it before it fully deployed? I've never seen an infection with so few files or registry changes. Should I be changing website passwords or worrying about possible stolen info? Googling zbot has told me that it's mostly passed through email attachments or links, but I don't ever follow links or download attachments, and generally stay away from shady websites.

Win 7 w/ latest service pack

Avast free version

Thanks




#2 boopme (Global Moderator, 72,109 posts, NJ USA)

Posted 25 March 2015 - 10:50 AM

Since it has survived those tools, we should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#3 IAmAUser (Topic Starter, Members, 11 posts)

Posted 25 March 2015 - 02:45 PM

I'll do that as soon as I get home from work, but can I ask why you say it survived those tools?

Thanks



#4 boopme (Global Moderator, 72,109 posts, NJ USA)

Posted 25 March 2015 - 03:10 PM

They are not strong enough or the type to get it ..

#5 IAmAUser (Topic Starter, Members, 11 posts)

Posted 02 April 2015 - 01:34 AM

They gave me a clean bill of health over here. Best I can tell is that it was just a false positive from Cox. I asked nasdaq a few questions about it and never really got answers, but I'll bet he's a pretty busy guy. Now I'm just wondering if you could tell me where I might post to find out more info about Cox browser alerts and see why it came up in the first place. Also should I (or can I even) mark both topics solved?



#6 quietman7 (Global Moderator, 50,558 posts, Virginia, USA)

Posted 02 April 2015 - 06:18 AM

> Now I'm just wondering if you could tell me where I might post to find out more info about Cox browser alerts and see why it came up in the first place. Also should I (or can I even) mark both topics solved?

Then you should have made that clear in your initial comments and posted this topic in General Security since you're not infected to avoid confusion.

Cox Browser Alerts
About Cox Browser Alerts

Your other topic with nasdaq will be closed in 5 days.

#7 IAmAUser (Topic Starter, Members, 11 posts)

Posted 02 April 2015 - 04:58 PM

I didn't know if I was or was not infected when I made my initial comments, so my only concern at the time was to confirm one way or another. I thought that was pretty clear; I posted in a section called "Am I infected? What do I do?"

> Apologies if this is the wrong place to post.
>
> A few nights ago on my gaming computer at home I had a Cox Browser Alert popup...

I guess I wrongly assumed it's a given that I wanted to know if I was infected and what I should do. It was my first post here that I made after spending some time reading all the sticky posts that pointed me to this. I only posted in malware removal because of your instructions. After being told that the logs look clean I realized I needed to know if the browser alerts can be a false positive. I apologize if I've wasted someone's time, but I don't see that as any reason for a curt and unhelpful reply. Have a nice life.



#8 quietman7 (Global Moderator, 50,558 posts, Virginia, USA)

Posted 02 April 2015 - 05:08 PM

That was not my intention and I apologize if that is how you interpreted my comments. I was merely trying to explain why the confusion occurred and I did provide two links in answer to your question about Cox Browser Alerts.

#9 gsWarriors30 (Members, 3 posts)

Posted 30 July 2015 - 10:32 AM

Hey IAmAUser,

Were you able to resolve the issue?

I am in a similar situation. I ran all the scans on my computers and mobile phones connected to the network, which did not detect anything.

What's interesting is that a week prior, I received an E-MAIL from Cox saying I may have a computer in the network infected with a virus. I did have a computer that was slow and acting peculiar, on which SpyHunter detected several malware, so I reformatted the computer, which should have taken care of that problem.

Were you able to confirm if you were in a false-positive situation?

Thanks,

-Steve



#10 IAmAUser (Topic Starter, Members, 11 posts)

Posted 30 July 2015 - 04:42 PM

I confirmed it only by a lack of finding any malware on my network, which was enough for my peace of mind. The alert hasn't shown up since. I can only assume that Cox's method for detection is imperfect. It's been a while since I did my research but IIRC you might receive these alerts if you connect to an IP (website) that has been flagged as affiliated with zbot.

Hope that helps a bit.
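The detection method described in the post above (an ISP raising an alert when a host on the customer's network contacts an IP flagged as Zeus/zbot-related) is essentially a blocklist match over connection records. The following is an added illustration, not code from the thread or from Cox: it runs a constructed indicator list against constructed firewall-style log lines, groups hits by internal host, and counts repeated contacts, since a single one-off connection to a flagged address (for example, a shared hosting IP) is much weaker evidence than repeated beaconing from one machine. Every IP, network and log line here is made up for the example.

```python
import ipaddress

# Constructed indicator list (hypothetical values, documentation ranges only).
# A real feed would come from the ISP or a threat-intel provider.
FLAGGED_IPS = {"203.0.113.10", "198.51.100.7"}
FLAGGED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed log lines: timestamp, internal source IP, destination IP, destination port.
SAMPLE_LOG = """\
2015-03-21T22:14:03 10.0.0.5 93.184.216.34 443
2015-03-21T22:14:09 10.0.0.5 203.0.113.10 80
2015-03-21T22:15:41 10.0.0.8 192.0.2.77 8080
2015-03-21T22:16:02 10.0.0.5 198.51.100.7 443
2015-03-21T22:16:30 10.0.0.9 93.184.216.34 443
2015-03-21T22:19:09 10.0.0.5 203.0.113.10 80
"""


def parse_line(line):
    """Split one whitespace-separated log record into a dict."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst), "port": int(port)}


def is_flagged(dst):
    """True if the destination is an exact indicator or falls inside a flagged network."""
    return str(dst) in FLAGGED_IPS or any(dst in net for net in FLAGGED_NETS)


def find_hits(log_text):
    """Return every parsed record whose destination matches the indicator list."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_flagged(rec["dst"]):
            hits.append(rec)
    return hits


def summarize_by_host(hits):
    """Map internal host -> {flagged destination -> number of contacts}.

    Grouping by internal source tells the analyst which machine to examine;
    the count separates a one-off contact from repeated beaconing.
    """
    summary = {}
    for h in hits:
        per_host = summary.setdefault(h["src"], {})
        dst = str(h["dst"])
        per_host[dst] = per_host.get(dst, 0) + 1
    return summary


if __name__ == "__main__":
    for host, dests in summarize_by_host(find_hits(SAMPLE_LOG)).items():
        for dst, n in dests.items():
            print(f"{host} contacted flagged {dst} {n} time(s)")
```

On the constructed log, 10.0.0.5 reaches 203.0.113.10 twice and 198.51.100.7 once, and 10.0.0.8 reaches one address inside the flagged /24; 10.0.0.9 never appears in the summary. An ISP that alerts on any match cannot tell which internal host is involved from the outside, which is why the thread's advice to scan every device on the network, and to treat a single alert with no corroborating findings as a possible false positive, follows naturally from this kind of detection.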



#11 boopme (Global Moderator, 72,109 posts, NJ USA)

Posted 30 July 2015 - 08:24 PM

To fix this you need to follow the steps in post 2.

#12 gsWarriors30 (Members, 3 posts)

Posted 31 July 2015 - 10:47 PM

Great, thanks for the reply, you guys.



#13 boopme (Global Moderator, 72,109 posts, NJ USA)

Posted 01 August 2015 - 04:38 PM

Closed topic



