Trojan.Zbot Activity 15

Posted on 2015-02-02
Last Modified: 2016-09-01
A customer is having a problem with Trojan.Zbot Activity 15 and intrusion attempts from IP address 195.2.240.86, which is apparently in Russia.  Symantec EndPoint Antivirus reports these problems regularly - several times a day.

I have swept the computer with Malwarebytes, Superantispyware, ESET Online Scanner, and TDSSKiller.  These utilities find no problem, but the problem persists.  And, his latest report is that the virus definitions have disappeared.  We went through the missing definitions a month ago, and Live Update corrected any problem with the AV.

My guess is that the intrusion attempt is a sniffer that is looking at a range of IP addresses.  This user may or may not have gone to a web site that would have been better left alone.

The OS is Windows 7 Home Premium, and the browser is IE11.  The customer does use AOL as his email, but I have convinced him to use IE instead of the AOL software.

What is Trojan.Zbot Activity 15?  What can I do to stop the intrusion attempt before it gets to his computer?  What should I tell the user to do or not do to keep this from happening?
Question by:rhavey
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40585988
Set up a firewall rule to block that IP address. You cannot stop intrusion attempts while you're connected to the internet, but a firewall can help you block those attempts. What kind of internet connection/modem/setup does your customer have? Modems usually have basic firewalls that can be set up to block all outside-originating traffic.
0
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 40586009
Block it at the router or his computer's firewall.
0
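As an added example (not part of this thread), here is how the host-side block suggested above can be done on Windows 7 with the built-in firewall via netsh, with dropped-packet logging turned on so any later callback is visible. It assumes an elevated PowerShell prompt; the rule name is an assumption, the address is the one named in the question.

```powershell
# Added example (not from the thread): block the reported address in both directions
# with the Windows 7 built-in firewall using netsh, and turn on dropped-packet logging
# so later callbacks show up in pfirewall.log. Run from an elevated PowerShell prompt.
param(
    [string]$RemoteIp = '195.2.240.86',      # address named in the question
    [string]$RuleName = 'BlockZbotCallback'  # assumed rule name
)

# Sanity check: netsh wants a plain dotted-quad (no leading zeros, no CIDR here)
if ($RemoteIp -notmatch '^(\d{1,3}\.){3}\d{1,3}$') {
    throw "Not a dotted-quad IPv4 address: $RemoteIp"
}

# The default profile allows all outbound traffic, so an explicit outbound block is
# needed for a host-initiated callback; 'protocol=any' covers ICMP echo as well.
foreach ($dir in 'in', 'out') {
    & netsh advfirewall firewall add rule name="${RuleName}_$dir" dir=$dir action=block remoteip=$RemoteIp protocol=any
}

# Log dropped packets (default path: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log)
& netsh advfirewall set allprofiles logging droppedconnections enable

# Verify the rules were created
& netsh advfirewall firewall show rule name="${RuleName}_out"
```

Blocked attempts then appear in pfirewall.log with a DROP action and the remote address, which is the same evidence the endpoint product was alerting on.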
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 40586088
Poweliks embeds itself in the registry, so there is no file for A/V / antimalware to find, and many of the hits on Trojan.ZBot ultimately found Poweliks. Try RogueKiller, which can both detect and remove it: http://www.bleepingcomputer.com/download/roguekiller/ Save it, then run it.
0
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40586261
Try getting Microsoft Security Essentials and run the full scan; the forum has experienced this, and Norton and MBAM cannot detect it, but MSE can detect it as "(Trojan:Win32/Powerssere.A)". I know you may not believe it too..

Zbot has too many variants, but it is a kind of sniffer as mentioned, and below is a quick summary for this variant, Trojan.zbot Activity 15 virus:
Trojan.zbot Activity 15 virus hits the Windows registry and creates a bunch of hidden files. Thus, you will notice that your PC performance becomes very slow and sluggish. What's more, Trojan.zbot Activity 15 virus can delete important system files without your permission and corrupt your routine programs. It is very good at tracking your browsing habits, so if you let it hang around too long, it will probably steal your computer privacy, including web history, search queries, credit card details, IP address, phone number and so on.
Note this is the manual means to remove it - http://removevirusmalware.com/remove-trojan-zbot-activity-15-virus/
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 40586403
If clean attempts keep failing, reinstall as a last resort, but only after you've blocked the intrusion attempts. Save valuable data beforehand, or take a new drive and install fresh.
0
 
LVL 1

Author Comment

by:rhavey
ID: 40592757
I finally caught up with my customer.  I ran Rogue Killer - successfully, I think.

The router is a Netgear WND3400v2.  The procedure is to enter the IP address in Blocked Services and specify All Services (TCP and UDP).  The Apply button cleverly turns into an Add button, which I suppose is OK, but when I click Add, I get a message that says "Invalid IP address.  Please enter it again."  I tried with the offending address and one of Google's addresses with the same result.  I can ping both IP addresses.  I tried entering the IP addresses with leading zeroes for the numbers that were less than 3 characters.

I have an inquiry in to Netgear and I may or may not get an answer.

I suspect that the feature isn't working.  I tried updating the firmware with no improvement.

Does anyone have any idea if there is a trick to entering an IP address to be blocked in this router?
0
 
LVL 65

Expert Comment

by:btan
ID: 40592812
You should be able to view the log of web access or attempted web access and see the source IP address. If that address is captured, the router should be able to recognise it. I was thinking you are actually using the block feature in the router, which only supports blocking those PCs (or range of IP addresses) on your network. By default, the router blocks any inbound traffic from the Internet to your computers except for replies to your outbound traffic. See the manual (v1 though):
http://www.downloads.netgear.com/files/GDC/WNDR3400V1/WNDR3400_UM_31AUG2010.pdf
0
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 40593563
CurrentPorts is very useful for seeing if there is still something running on the PC: http://www.nirsoft.net/utils/cports.html
What did RogueKiller find?
0
 
LVL 1

Author Comment

by:rhavey
ID: 40593706
I know the address that I need to block.  You have confirmed my suspicion that the feature I was trying to use blocks access from the local network to the Internet.  The other feature I tried to use blocks keywords and URLs, but I can't specify an IP address.  I will check to make sure that there isn't a port being forwarded when I catch up with the customer again - later today, I hope.

Roguekiller found a registry key with Poweliks and some other registry problems.  I think that problem is taken care of.

I can try Currentports, but I want to stop the intrusion before it gets to the computer.  End Point is obviously stopping the intrusion, but it freaks the user out.
0
 
LVL 65

Expert Comment

by:btan
ID: 40593730
The router only allows you to restrict access based on Web addresses and Web address keywords, which again is from your network and not inbound from external. Since the callback is IP address based, I doubt the router is going to be effective.

You can download Process Explorer from the Microsoft site (Sysinternals). Alternatively, use Task Manager. See if you still have lots and lots of dllhost.exe processes, gradually using more memory and CPU cycles. These are symptoms of the "Poweliks" virus. You can see the removal guide from BleepingComputer.

Understand Symantec also provided a Trojan.Poweliks removal tool, either FixPoweliks64 (exe for 64-bit computers) or FixPoweliks32 (exe for 32-bit computers).
0
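An added triage script (not from this thread or any of its posters) for the two symptoms discussed above: a pile-up of dllhost.exe processes and network activity towards the reported address. It uses only the WMI and netstat that ship with Windows 7; the count threshold is an assumption.

```powershell
# Added example, not part of the thread: quick triage for (1) many dllhost.exe
# processes and (2) TCP/UDP sockets to the reported address. Windows 7 / PS 2.0 friendly.
param(
    [string]$SuspectIp = '195.2.240.86',   # address reported in the question
    [int]$DllhostThreshold = 3             # assumption: more than this is worth a look
)

# (1) dllhost.exe instances with parent and command line. Legitimate COM surrogates
# are normally few and short-lived, so many long-lived ones with odd parents stand out.
$dllhosts = @(Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'")
"dllhost.exe instances: $($dllhosts.Count)"
foreach ($p in $dllhosts) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    $ws = [math]::Round($p.WorkingSetSize / 1MB)
    "  PID $($p.ProcessId) parent=$parentName ws=${ws}MB cmd=$($p.CommandLine)"
}
if ($dllhosts.Count -gt $DllhostThreshold) {
    "WARNING: unusually many dllhost.exe processes; compare against Process Explorer"
}

# (2) Sockets to the suspect host. ICMP has no socket, so a ping-style callback will
# only be visible in the firewall log or the endpoint product's log, not here.
$hits = netstat -ano | Select-String -SimpleMatch $SuspectIp
if ($hits) {
    "Connections involving ${SuspectIp}:"
    $hits | ForEach-Object { "  $_" }
} else {
    "No TCP/UDP sockets to $SuspectIp at this moment"
}
```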
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 40593750
Every NAT router discards traffic from the outside.
0
 
LVL 1

Author Comment

by:rhavey
ID: 40595877
Current Ports did not help, but the EndPoint log was informative.  It turned out that something (probably Powelik) was sending an ICMP query to the offending IP address and that site was sending an ICMP signal back.  That's why the traffic was getting through the router.  What isn't clear to me was how EndPoint determined that the traffic was not legitimate.

Powelik turned out to be difficult to remove.  Symantec's removal tool did not find it, an EndPoint scan found it, but could not remove it, and Rogue Killer found it, but could not remove it.  Malwarebytes and Superantispyware also could not find Powelik.  I finally went back to btan's post pointing at a Bleeping Computer article on manual removal.  The manual removal procedure had not worked earlier, but at the bottom of the article was a reference to ESET's removal tool.  The ESET tool apparently successfully removed the virus.  An EndPoint scan ran clean.  I rebooted and a second scan ran clean.

Because I was burned 3 times before I started this thread, I am going to keep it open until Monday.  If I haven't heard from the customer that there is still a problem, I will accept btan's solution.
0
 
LVL 65

Expert Comment

by:btan
ID: 40596277
Noted, the callback (victim IP calling back to ext IP) is expected, as in all ransomware (and malware). I was thinking of Microsoft Essentials as well in my first post too.. but since it has been removed, I see we leave it as it is and monitor if the callback still exists.
0
 
LVL 1

Author Closing Comment

by:rhavey
ID: 40601486
The manual procedure did not work, but there was an ESET scanner recommended at the end of the Bleeping Computer article.

I have not heard from my customer, who would not hesitate to complain.
0
 

Expert Comment

by:Henry Park
ID: 41781004
A few days ago, I was also experiencing the same problem (Trojan.Zbot Activity 15). Actually Trojan.Zbot Activity 15 is one type of infection that comes under the category of trojan. The intrusion attempts come from the 195.2.240.86 IP address that is in Russia. My anti virus reports Trojan.Zbot Activity 15 every time I scan my computer. After the entry of this infection I am noticing some malicious programs running in the background, but I cannot stop them. Because of this the system is running very weirdly. The installed anti virus detects the problem but could not help me. One day, I ran a scan of my computer the whole night. But nothing helped me. But one day I got a solution to remove Trojan.Zbot Activity 15 manually from the computer (http://www.trojanzbotactivity15removal.com)
0
 
LVL 65

Expert Comment

by:btan
ID: 41781046
Maybe better to refurbish into a clean build since it is confirmed infected. Up to individual risk appetite, as the root cause of such infection may not have been closed and it may recur. Hardening still needs to be verified..
0
