
Notified by ISP that Infected - Zbot


8 replies to this topic

#1 Speedo420

Speedo420

  • Members
  • 49 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 12 January 2018 - 12:41 AM

I got this email from our ISP a couple of days ago. I scanned our computers with Avast, ran Malwarebytes and the Sophos Virus Removal Tool, and they found nothing; then I found this on your site and followed the suggestions with Emsisoft and ESET Online Scanner, finding nothing. Does anyone have any further suggestions?

Email from Cox:

Dear Subscriber,

Cox has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot.
While this malicious software is not new, it still poses a great risk to your computer and files that reside on your hard drive.

Zeus malware uses keylogging in order to access user names and passwords and infected over 13 million computers worldwide.

We recommend you take the following action:

1. Visit the Microsoft or Symantec website, download and run the FREE removal tool:

After running the free Microsoft removal tool, if you already have security software installed on your system:

2. Follow your security software's instructions to download the latest updates (also known as "virus definitions").
3. When the new definitions have been loaded, perform a full virus scan on your system.

Cox Security Suite Plus powered by McAfee is included FREE with your Cox High Speed Internet service.  This software can be used to help protect up-to 5  devices in your home, including Windows and Mac OS computers, and Android and Apple tablets and smartphones.
To get started, simply browse to www.cox.com/securitysuite and login with your Cox primary User ID and Password.
If you already have an Anti-virus solution installed, you should refer to your software manual before installing the Cox Security Suite.

If you have any questions regarding this matter, please call us at 800-753-6085 and provide the reference number provided in the subject of this email.

If you would like additional information on the Zeus botnet we recommend these articles:




Regards,

Cox Customer Safety

 




#2 buddy215

buddy215

  • BC Advisor
  • 13,001 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:30 AM

Posted 12 January 2018 - 07:26 AM

I have seen recently and in the past years reason to think that Cox is attempting to get its customers to purchase their online/remote assistance. It is not likely that your computer is infected with Zbot.

 

That being said...you can use the programs below to clean, remove malware and remove adware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"

Edited by buddy215, 12 January 2018 - 07:27 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 Speedo420

Speedo420
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 12 January 2018 - 01:14 PM

hello again,

 

I ran the CCleaner and here are the logs for AdwCleaner and Malwarebytes Anti-Rootkit

 

 

# AdwCleaner 7.0.6.0 - Logfile created on Fri Jan 12 17:15:38 2018
# Updated on 2017/21/12 by Malwarebytes
# Running on Windows 7 Ultimate (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\ProgramData\Solvusoft
Deleted: C:\ProgramData\Application Data\Solvusoft
Deleted: C:\Users\All Users\Solvusoft
Deleted: C:\Users\pc\AppData\Roaming\Solvusoft


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{80107F16-CB2E-42AB-AB9D-6C11540D5A8B}


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[C10].txt - [2897 B] - [2017/4/28 16:36:24]
C:/AdwCleaner/AdwCleaner[C1].txt - [5816 B] - [2015/8/27 13:24:35]
C:/AdwCleaner/AdwCleaner[C2].txt - [3839 B] - [2015/10/6 7:30:51]
C:/AdwCleaner/AdwCleaner[C3].txt - [5032 B] - [2015/11/7 8:35:29]
C:/AdwCleaner/AdwCleaner[C4].txt - [3223 B] - [2015/11/7 10:53:22]
C:/AdwCleaner/AdwCleaner[C5].txt - [762 B] - [2015/11/28 18:17:30]
C:/AdwCleaner/AdwCleaner[C6].txt - [762 B] - [2015/12/28 6:50:55]
C:/AdwCleaner/AdwCleaner[C7].txt - [2344 B] - [2016/9/20 12:2:16]
C:/AdwCleaner/AdwCleaner[C8].txt - [2441 B] - [2016/10/13 12:0:51]
C:/AdwCleaner/AdwCleaner[C9].txt - [3081 B] - [2017/3/21 5:28:27]
C:/AdwCleaner/AdwCleaner[S10].txt - [2410 B] - [2016/9/20 12:0:55]
C:/AdwCleaner/AdwCleaner[S11].txt - [2541 B] - [2016/10/13 12:0:8]
C:/AdwCleaner/AdwCleaner[S12].txt - [2552 B] - [2016/10/22 18:11:28]
C:/AdwCleaner/AdwCleaner[S13].txt - [2626 B] - [2016/10/26 11:47:4]
C:/AdwCleaner/AdwCleaner[S14].txt - [2700 B] - [2016/11/25 18:42:27]
C:/AdwCleaner/AdwCleaner[S15].txt - [2774 B] - [2017/1/8 7:28:34]
C:/AdwCleaner/AdwCleaner[S16].txt - [3046 B] - [2017/3/21 5:27:45]
C:/AdwCleaner/AdwCleaner[S17].txt - [3075 B] - [2017/4/28 16:35:38]
C:/AdwCleaner/AdwCleaner[S1].txt - [5350 B] - [2015/8/27 13:22:56]
C:/AdwCleaner/AdwCleaner[S2].txt - [3513 B] - [2015/10/6 7:29:11]
C:/AdwCleaner/AdwCleaner[S3].txt - [4742 B] - [2015/11/7 8:34:2]
C:/AdwCleaner/AdwCleaner[S4].txt - [3011 B] - [2015/11/7 10:51:35]
C:/AdwCleaner/AdwCleaner[S5].txt - [670 B] - [2015/11/28 18:16:22]
C:/AdwCleaner/AdwCleaner[S6].txt - [670 B] - [2015/12/28 6:47:2]
C:/AdwCleaner/AdwCleaner[S7].txt - [670 B] - [2015/12/29 14:29:24]
C:/AdwCleaner/AdwCleaner[S8].txt - [670 B] - [2016/1/19 7:23:33]
C:/AdwCleaner/AdwCleaner[S9].txt - [2169 B] - [2016/8/18 7:34:52]


########## EOF - C:\AdwCleaner\AdwCleaner[C10].txt ##########

 

 

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org

Database version:
  main:    v2018.01.12.06
  rootkit: v2017.10.14.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18816
pc :: PC-PC [administrator]

1/12/2018 12:32:27 PM
mbar-log-2018-01-12 (12-32-27).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 233379
Time elapsed: 35 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 



#4 buddy215

buddy215

  • BC Advisor
  • 13,001 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:30 AM

Posted 12 January 2018 - 02:22 PM

Look through your list of installed programs for WinThruster and other programs from Solvusoft. Uninstall ALL of them.

 

Along with the programs you ran and those two, I would think such well known malware would have been found...I suggest ignoring that email.

 

LAST SCAN:

 

  • Please download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • when complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply



#5 Speedo420

Speedo420
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 12 January 2018 - 03:02 PM

I don't see any programs by Solvusoft

 

thank you again and here is the log

 

 

 

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 12.01.2018 14:58:30
Path starting: C:\Users\pc\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: pc
VersionXML: 4.73s-27.10.2017
___________________________________________________________________________

Windows 7(6.1.7601) Service Pack 1 (x64) Ultimate Lang: English(0409)
Installation date OS: 07.08.2015 18:19:51
LicenseStatus: Windows® 7, Ultimate edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [74.4 Gb] Used: [58 Gb] Free: [16.4 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18816
User Account Control enabled (Level 3)
Never check for updates
Date install updates: 2017-10-12 10:28:01
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service is running
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
------------------------------- [ HotFix ] --------------------------------
HotFix KB3185911 Warning! Download Update
HotFix KB3184122 Warning! Download Update
HotFix KB3192391 Warning! Download Update
HotFix KB3197867 Warning! Download Update
HotFix KB3205394 Warning! Download Update
HotFix KB4012212 Warning! Download Update
HotFix KB4019263 Warning! Download Update
HotFix KB4022722 Warning! Download Update
HotFix KB4015546 Warning! Download Update
HotFix KB4025337 Warning! Download Update
HotFix KB4034679 Warning! Download Update
HotFix KB4041678 Warning! Download Update
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2010 x86 v.14.0.4763.1000
---------------------------- [ Antivirus_WMI ] ----------------------------
Avast Antivirus (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Firewall (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and out of date)
Avast Antivirus (enabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Avast Free Antivirus v.17.9.2322
ESET Online Scanner v3
Sophos Virus Removal Tool v.2.6.1
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes version 3.3.1.2183 v.3.3.1.2183
Secunia PSI (3.0.0.11003) v.3.0.0.11003
--------------------------- [ OtherUtilities ] ----------------------------
Microsoft Silverlight v.5.1.50907.0
VLC media player v.2.2.4 Warning! Download Update
WinRAR 5.31 (32-bit) v.5.31.0 Warning! Download Update
--------------------------------- [ IM ] ----------------------------------
Trillian
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 151 v.8.0.1510.12 Warning! Download Update
Uninstall old version and install new one (jre-8u152-windows-i586.exe).
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 28 ActiveX v.28.0.0.137 [+]
Adobe Flash Player 27 NPAPI v.27.0.0.183
Adobe Acrobat Reader DC v.18.009.20050 [+]
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 57.0.4 (x64 en-US) v.57.0.4 [+]
Google Chrome v.65.0.3315.3 [+]
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Mozilla Firefox\firefox.exe v.57.0.4.6577
------------------ [ AntivirusFirewallProcessServices ] -------------------
Avast Antivirus (avast! Antivirus) - The service is running
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe v.17.9.3761.0
aswbIDSAgent (aswbIDSAgent) - The service is running
C:\Program Files\Alwil Software\Avast5\AvastUI.exe v.17.9.3761.278
Malwarebytes Service (MBAMService) - The service has stopped
Windows Defender (WinDefend) - The service has stopped
----------------------------- [ End of Log ] ------------------------------
 



#6 buddy215

buddy215

  • BC Advisor
  • 13,001 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:30 AM

Posted 12 January 2018 - 03:13 PM

I don't know what all the missing hot fixes are about....I assume you do.

 

Other than that...update or uninstall Java 8 Update 151 v.8.0.1510.12

Most users don't need Java. It has been a malware magnet in the past.

 

You're welcome...happy surfin'


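Added example, not from this thread or from the SecurityCheck tool: a small Python triage of the SecurityCheck log format posted above, pulling out the missing hotfixes, the "Warning! Download Update" items, the update setting and the remote-access services a helper would look at first. The sample log is a constructed excerpt in that format, and the set of services to flag is an assumption of mine.

```python
import re

# Constructed excerpt in the SecurityCheck by glax24 log format seen in this
# thread (not the poster's full log), used as sample input for the triage below.
SAMPLE_LOG = """\
------------------------------- [ Windows ] -------------------------------
Never check for updates
Remote Registry (RemoteRegistry) - The service has stopped
Remote Desktop Services (TermService) - The service is running
------------------------------- [ HotFix ] --------------------------------
HotFix KB4012212 Warning! Download Update
HotFix KB4041678 Warning! Download Update
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and out of date)
--------------------------- [ OtherUtilities ] ----------------------------
VLC media player v.2.2.4 Warning! Download Update
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 151 v.8.0.1510.12 Warning! Download Update
----------------------------- [ End of Log ] ------------------------------
"""

SECTION_RE = re.compile(r"^-+ \[ (?P<name>[^\]]+) \] -+$")
SERVICE_RE = re.compile(
    r"^(?P<label>.+?) \((?P<svc>\w+)\) - The service (?P<state>is running|has stopped)$")
WARN = " Warning! Download Update"
# Assumption: these services are remote-access surfaces worth a second look on a
# home PC; a running state is a hardening note, not evidence of infection.
REMOTE_ACCESS_SERVICES = {"RemoteRegistry", "TermService", "WinRM"}

def triage(log_text):
    """Reduce a SecurityCheck log to the items a helper would act on."""
    findings = {"missing_hotfixes": [], "outdated_software": [],
                "remote_services_running": [], "notes": []}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")  # e.g. "HotFix", "Java"
            continue
        if line.endswith(WARN):
            if section == "HotFix":
                findings["missing_hotfixes"].append(line.split()[1])  # the KB number
            else:
                findings["outdated_software"].append(line[:-len(WARN)])
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("svc") in REMOTE_ACCESS_SERVICES and m.group("state") == "is running":
            findings["remote_services_running"].append(m.group("svc"))
        elif line == "Never check for updates":
            findings["notes"].append("Windows Update set to never check")
        elif line.endswith("(disabled and out of date)"):
            findings["notes"].append(line.split(" (")[0] + " disabled")
    return findings
```

Run `triage()` over the pasted log text; the returned dict lists the KB numbers to look up and the items to update or review, which answers the "what are the hot fixes about" question without reading the whole log by hand.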


#7 Speedo420

Speedo420
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 12 January 2018 - 05:41 PM

sorry to say I know nothing about the hot fixes, I guess I better check into them

 

I uninstalled and updated Java

 

once again thank you for your help



#8 buddy215

buddy215

  • BC Advisor
  • 13,001 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:30 AM

Posted 12 January 2018 - 06:26 PM

You could ask about those hot fixes in the Windows 7 Forum.

 

Once again...you're welcome..




#9 tns1

tns1

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:30 PM

Posted 12 January 2018 - 11:42 PM

 

I have seen recently and in the past years reason to think that Cox is attempting to get its customers to purchase their online/remote assistance. It is not likely that your computer is infected with Zbot.

 

 

As a cox customer I have to agree. Once a year I have been getting that Zbot warning from Cox. Nothing is ever found.





