
Notified by ISP that Infected - Zbot


13 replies to this topic

#1 Little Nut

Little Nut

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:11 PM

Posted 07 August 2015 - 01:12 PM

Hi, I received an e-mail notification from my ISP that my computer is infected w/ Zbot.  (See notification copy at end of this post)  Copies of this notification were sent to all of my accounts associated with the ISP. These notifications do not appear to be spoofs.   I tried several different scanners and none indicated a problem.  Details about my system and what I "tried" follow.  

I need help in determining if I have a virus problem or not and how to resolve any identified virus problems. Any help will be very much appreciated. TIA,

Tom

OS - Win10 Pro X64

Malwarebytes Antimalware did not detect a problem.

Malwarebytes AntiRootkit did not detect a problem

Symantec Zbot Removal tool (FixNecurs64bit.exe) did not indicate a problem

Symantec Norton Power Eraser (NPE.exe) did not indicate a problem

AVG Zbot Removal tool (avg_remover_zbot.exe) freezes up ~10 minutes into a scan.

NOTIFICATION FROM ISP

 

-----Original Message-----
From: Cox Customer Safety [mailto:abuse@cox.net]
Sent: Friday, August 7, 2015 9:04 AM
To: <SNIP>
Cc: <SNIP>
Subject: [8.7.2015 26138503] Compromised Computer Notification from Cox Communications

 

Dear Subscriber,

Cox has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot.

While this malicious software is not new, it still poses a great risk to your computer and files that reside on your hard drive.

Zeus malware uses keylogging in order to access user names and passwords and infected over 13 million computers worldwide.

We recommend you take the following action:

1)  Visit the Microsoft or Symantec website, download and run the FREE removal tool:

http://www.microsoft.com/security/scanner/

http://www.symantec.com/security_response/writeup.jsp?docid=2014-052915-1402-99

 

After running the free Microsoft removal tool, if you already have security software installed on your system:

2)  Follow your security software's instructions to download the latest updates (also known as "virus definitions")

3)  When the new definitions have been loaded, perform a full virus scan on your system.

 

If you do not already have security software on your computer, we recommend the Cox Security Suite powered by McAfee, which is included at no extra charge with your service.

To install the Cox Security Suite powered by McAfee:

1)  Visit https://myaccount.cox.net/ and click on Internet Tools

2)  Log-in with your primary account User ID

3)  Select the Security Suite link to download and install the software

4)  When the install is complete, the program will automatically conduct a full scan

 

If you have any questions regarding this matter, please call us at 800-753-6085 and provide the reference number provided in the subject of this email.

If you would like additional information on the Zeus botnet we recommend these articles:

http://www.us-cert.gov/ncas/alerts/TA14-150A

http://www.eweek.com/c/a/Security/Microsoft-Targets-Zeus-Botnets-with-Financial-Services-Partners-544534/

http://www.computerworld.com/s/article/9190758/Microsoft_tool_now_roots_out_Zeus_malware

 

Regards,

Cox Customer Safety




#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:11 PM

Posted 07 August 2015 - 01:40 PM

Hello,

The FixNecurs tool is for another infection, a rootkit known as Necurs - not Zbot.

Let's see if these scanners will catch anything.

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
===

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
===

Please run this to get a report on your computer's security status.

Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

Regards,
Alex

#3 Little Nut

Little Nut
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:11 PM

Posted 08 August 2015 - 08:56 AM

Hi Alex,

 

Requested items follow.

 

Emsisoft Emergency Kit Results

 

Emsisoft Emergency Kit - Version 10.0

Last update: 8/7/2015 5:53:04 PM

User account: TOMS\TomDoc

 

Scan settings:

 

Scan type: Malware Scan

Objects: Rootkits, Memory, Traces, Files

 

Detect PUPs: On

Scan archives: Off

ADS Scan: On

File extension filter: Off

Advanced caching: On

Direct disk access: Off

 

Scan start: 8/7/2015 5:53:52 PM

 

Scanned 85971

Found 0

 

Scan end: 8/7/2015 5:58:11 PM

Scan time: 0:04:19

 

ESET Online Scanner Results

 

C:\Users\Tom\Downloads\HP Downloads\HP Officejet Pro 8620 e-All-in-One Printer series Full Feature Software and Drivers - OJ8620_198.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

C:\Users\TomDoc\AppData\Local\Temp\7zS7EF6\Optional\HP_IPG_Toolbar_installer.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting - quarantined

C:\Users\TomDoc\Downloads\Downloads\HP Downloads\HP Officejet Pro 8620 e-All-in-One Printer series Full Feature Software and Drivers - OJ8620_198.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

C:\Users\TomDoc\Downloads\HP Downloads\HP Officejet Pro 8620 e-All-in-One Printer series Full Feature Software and Drivers - OJ8620_198.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Advanced Uninstaller Pro\Advanced_Uninstaller11.exe a variant of Win32/OpenCandy.C potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Avery\Avery Wizard 4.0.0.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Avery\DPSetup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Drivers\Asus\driver_fusion_170.exe Win32/OpenCandy potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Drivers\HP\OJ8620_198 (1).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Drivers\HP\OJ8620_198.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Format Factory\FFSetup260.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Format Factory\FFSetup260.zip a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined

D:\Downloads\Applications\Logitech\Logitech_Gaming_Y-U0010_Driver_Update_06-2013.exe a variant of Win32/Systweak.R potentially unwanted application deleted - quarantined

D:\Downloads\Applications\Stuff\BitTorrent-6.1.2.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined

D:\TOMS\Backup Set 2013-08-26 100001\Backup Files 2013-08-26 100001\Backup files 17.zip Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined

D:\TOMS\Backup Set 2013-08-26 100001\Backup Files 2013-08-26 100001\Backup files 8.zip a variant of Win32/Adware.MediaFinder.F application deleted - quarantined

 

 

Security Check by screen317 - AV, AM, Firewall Still Disabled

 Results of screen317's Security Check version 1.006  

   x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

 Windows Firewall Disabled!  

Windows Defender   

 WMI entry may not exist for antivirus; attempting automatic update. 

`````````Anti-malware/Other Utilities Check:````````` 

 Adobe Reader XI  

 Google Chrome (44.0.2403.125) 

 Google Chrome (44.0.2403.130) 

````````Process Check: objlist.exe by Laurent````````  

 Windows Defender MSMpEng.exe 

 Windows Defender MSASCui.exe 

 Windows Defender MpCmdRun.exe   

 Windows Defender MSASCui.exe   

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C:  % 

````````````````````End of Log`````````````````````` 

 

 

Security Check by screen317 - AV, AM, Firewall Restarted

 Results of screen317's Security Check version 1.006  

   x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

Windows Defender   

 WMI entry may not exist for antivirus; attempting automatic update. 

`````````Anti-malware/Other Utilities Check:````````` 

 Adobe Reader XI  

 Google Chrome (44.0.2403.125) 

 Google Chrome (44.0.2403.130) 

````````Process Check: objlist.exe by Laurent````````  

 Windows Defender MSMpEng.exe 

 Windows Defender MSASCui.exe 

 Malwarebytes Anti-Malware mbamservice.exe  

 Malwarebytes Anti-Malware mbam.exe  

 Malwarebytes Anti-Malware mbamscheduler.exe   

 Windows Defender MpCmdRun.exe   

 Windows Defender MSASCui.exe   

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C:  % 

````````````````````End of Log`````````````````````` 

 

 

BTW   "C" Drive is an SSD

 

Regards,

 

 

Tom
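As an added example (not part of this thread, and not code from ESET or any other tool named here), the following Python script parses ESET Online Scanner export lines of the form shown in the post above, `<path> [a variant of ]<Platform/Name.Variant> <category> <action>`, and summarizes them by category and family. The log lines inside it are constructed for the example and modelled on the ones above; the trojan line is hypothetical, and the `Win32/Spy.Zbot.ACB` variant suffix and the `trojan` category word are assumptions about ESET's output. The point it makes for a reader of this log is the one in the next reply: every hit here sits in a PUA-style category (bundled toolbars, adware, system "optimizers"), so the summary lists no trojan-class detection for the first sample and does list one for the second.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# ESET Online Scanner writes one detection per line:
#   <path> [a variant of ]<Platform/Name.Variant> <category> <action taken>
# Bundled toolbars, adware and "optimizers" land in the PUA-style categories
# below; a trojan-class hit is assumed to carry a different category word
# ("trojan"), which is what summarize() flags as non-PUA.
PUA_CATEGORIES = frozenset({
    "potentially unsafe application",
    "potentially unwanted application",
    "application",
})

LINE_RE = re.compile(
    r"^(?P<path>.+?) "                       # path may contain spaces; stop at first fit
    r"(?P<variant>a variant of )?"           # optional "a variant of" prefix
    r"(?P<name>\S+/\S+) "                    # Platform/Name.Variant (always has a slash)
    r"(?P<category>potentially unsafe application"
    r"|potentially unwanted application|\w+) "
    r"(?P<action>.+)$"
)

# Sample export constructed for this example, modelled on the lines in the post above.
SAMPLE_LOG = r"""
C:\Users\TomDoc\Downloads\HP Downloads\OJ8620_198.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
D:\Downloads\Applications\Advanced_Uninstaller11.exe a variant of Win32/OpenCandy.C potentially unsafe application deleted - quarantined
D:\Downloads\Applications\Logitech_Driver_Update.exe a variant of Win32/Systweak.R potentially unwanted application deleted - quarantined
D:\TOMS\Backup files 8.zip a variant of Win32/Adware.MediaFinder.F application deleted - quarantined
C:\Users\TomDoc\AppData\Local\Temp\7zS7EF6\HP_IPG_Toolbar_installer.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting - quarantined
"""

# Second constructed sample with one hypothetical trojan-class line appended
# (placeholder path; the .ACB suffix and "trojan" category are assumed).
SAMPLE_LOG_WITH_TROJAN = SAMPLE_LOG + (
    r"C:\Users\TomDoc\AppData\Roaming\placeholder\sample.exe "
    r"a variant of Win32/Spy.Zbot.ACB trojan cleaned by deleting - quarantined"
)


@dataclass(frozen=True)
class Detection:
    path: str
    name: str       # e.g. Win32/Bundled.Toolbar.Google.D
    category: str   # ESET's object class for this hit
    action: str     # what the scanner did with it
    variant: bool   # reported as "a variant of"


def family(name: str) -> str:
    """Collapse a detection name to its family by dropping the trailing
    variant suffix (one to three capital letters), e.g.
    Win32/Bundled.Toolbar.Google.D -> Win32/Bundled.Toolbar.Google."""
    platform, _, rest = name.partition("/")
    parts = rest.split(".")
    if len(parts) > 1 and re.fullmatch(r"[A-Z]{1,3}", parts[-1]):
        parts = parts[:-1]
    return f"{platform}/{'.'.join(parts)}"


def parse_eset_line(line: str) -> Optional[Detection]:
    """Return a Detection for one export line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Detection(
        path=m["path"],
        name=m["name"],
        category=m["category"],
        action=m["action"],
        variant=m["variant"] is not None,
    )


def parse_eset_log(text: str) -> List[Detection]:
    return [d for d in map(parse_eset_line, text.splitlines()) if d is not None]


def summarize(detections: List[Detection]) -> dict:
    """Counts per category and per family, plus the two lists a responder
    cares about: hits that are not PUA-class, and hits not quarantined."""
    return {
        "by_category": Counter(d.category for d in detections),
        "by_family": Counter(family(d.name) for d in detections),
        "non_pua": [d for d in detections if d.category not in PUA_CATEGORIES],
        "not_quarantined": [d for d in detections if "quarantined" not in d.action],
    }


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LOG), ("sample + trojan", SAMPLE_LOG_WITH_TROJAN)):
        s = summarize(parse_eset_log(text))
        print(f"== {label} ==")
        for cat, n in s["by_category"].most_common():
            print(f"  {n:2d}  {cat}")
        print("  non-PUA detections:", [d.name for d in s["non_pua"]] or "none")
```

Run it as a script to see both summaries; to use it on a real export, read the saved file and pass its text to `parse_eset_log`. The category field, not the detection name, drives the PUA decision, so family names the script has never seen still sort correctly.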



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:11 PM

Posted 08 August 2015 - 09:22 AM

Looks like it's just a bunch of crapware and no signs of Zbot.

Do you have any other computers on the same network? Your ISP most likely detected botnet-like activity in the network and probably not the malware itself.

#5 Little Nut

Little Nut
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:11 PM

Posted 08 August 2015 - 09:41 AM

No others... just the one.

 

All I have attached to incoming cable is

 

ISP Supplied MODEM/Router/VOIP

- Computer - Hardwired

- Home Phone - Hardwired w/ 2 wireless handsets

 

ISP Supplied CATV Box

- TV Hardwired



#6 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:11 PM

Posted 08 August 2015 - 10:09 AM

Hi there,

Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.
  • Right click on the downloaded Kaspersky Virus Removal Tool file and select Run as Administrator.
  • Read the EULA, then select Accept.
  • Wait for Kaspersky Virus Removal Tool to initialize.
  • In the main screen, select Change parameters, place a checkmark in System drive, then click OK.
  • Click Start scan.
  • Wait for Kaspersky Virus Removal Tool to complete scanning.
  • When the scan is finished, select Neutralize all for all detected objects.
  • Close Kaspersky Virus Removal Tool when done.
Let me know if it found anything.

Regards,
Alex

#7 Little Nut

Little Nut
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:11 PM

Posted 08 August 2015 - 11:41 AM

Hey Alex,

 

Downloaded, setup, and ran KVRT as you indicated.  Nothing was found.

 

Regards,

Tom



#8 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:11 PM

Posted 08 August 2015 - 11:44 AM

Looks like there is no Zbot. Let me know if you receive the Zbot email from your ISP again.

You can uninstall ESET Online Scanner from Programs and Features, and delete EEK and KVRT manually. That should take care of the tools.

Regards,
Alex

#9 Little Nut

Little Nut
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:11 PM

Posted 08 August 2015 - 12:03 PM

Alex,

 

I currently use Windows Firewall, Windows Defender, and Malwarebytes Premium.  Any Suggestions/Recommendations/Opportunities for improvement would be appreciated.

 

As for "this" problem, TYVM for your time.  I hope you have a nice weekend.

 

Regards,

Tom



#10 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:11 PM

Posted 08 August 2015 - 12:07 PM

You can read this information to help keep your computer safe on the Internet:

Best Practices for Safe Computing - Prevention of Malware Infection
How Malware Spreads - How did I get infected
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)

Windows Defender, Windows Firewall and MBAM Premium are okay, as long as you practice safe surfing.

If you wish, you can add an anti-exploit application to improve security. Two free anti-exploit apps are Malwarebytes Anti-Exploit (MBAE) and Microsoft's Enhanced Mitigation Experience Toolkit (EMET).

What browser do you use?

#11 Little Nut

Little Nut
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:11 PM

Posted 08 August 2015 - 01:43 PM

Chrome



#12 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:11 PM

Posted 08 August 2015 - 02:01 PM

You can check out some of these...

Useful addons for Google Chrome
  • uBlock Origin for Chrome: Blocks both ads and scripts, lightweight, no whitelists
  • ScriptSafe: Disables scripts similar to NoScript, but on Chrome
  • Ghostery for Chrome: Views and allows blocking of tracking services
  • Web of Trust: Community feedback on websites. Remember that this may not reflect the actual trustworthiness of websites, so take it with a grain of salt
  • LastPass for Chrome: Manages your passwords with convenience and security
  • HTTPS Everywhere for Chrome: Forces HTTPS encryption of contents to prevent snooping. Be aware that this may break website contents
Regards,
Alex

#13 Little Nut

Little Nut
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:11 PM

Posted 08 August 2015 - 02:39 PM

ty Alex



#14 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:11 PM

Posted 08 August 2015 - 02:40 PM

You are welcome :)



