Solved

Trojan.Zbot Activity 15

Posted on 2015-02-02
Last Modified: 2016-09-01
A customer is having a problem with Trojan.Zbot Activity 15 and intrusion attempts from IP address 195.2.240.86, which is apparently in Russia.  Symantec EndPoint Antivirus reports these problems regularly - several times a day.

I have swept the computer with Malwarebytes, Superantispyware, ESET Online Scanner, and TDSSKiller.  These utilities find no problem, but the problem persists.  And, his latest report is that the virus definitions have disappeared.  We went through the missing definitions a month ago, and Live Update corrected any problem with the AV.

My guess is that the intrusion attempt is a sniffer that is looking at a range of IP addresses.  This user may or may not have gone to a web site that would have been better left alone.

The OS is Windows 7 Home Premium, and the browser is IE11.  The customer does use AOL as his email, but I have convinced him to use IE instead of the AOL software.

What is Trojan.Zbot Activity 15?  What can I do to stop the intrusion attempt before it gets to his computer?  What should I tell the user to do or not do to keep this from happening?
Question by:rhavey
16 Comments
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 40585988
Set up a firewall rule to block that IP address. You cannot stop intrusion attempts while you're connected to the internet; a firewall can help you block those attempts. What kind of internet connection/modem/setup does your customer have? Modems usually have basic firewalls that can be set up to block all outside-originating traffic.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40586009
Block it at the router or his computer's firewall.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40586088
Poweliks embeds itself in the registry so there is no file for A/V or antimalware to find, and many of the hits on Trojan.ZBot ultimately found Poweliks.  Try RogueKiller, which can both detect and remove it: http://www.bleepingcomputer.com/download/roguekiller/  Save it, then run it.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40586261
Try getting Microsoft Security Essentials and run a full scan. The forum has experienced this: Norton and MBAM cannot detect it, but MSE can detect it as "Trojan:Win32/Powerssere.A". I know you may not believe it either..

Zbot has too many variants, but it is a kind of sniffer as mentioned, and below is a quick summary for this variant, the Trojan.zbot Activity 15 virus:
Trojan.zbot Activity 15 virus hits the Windows registry and creates a bunch of hidden files. Thus, you will notice that your PC performance becomes very slow and sluggish. What's more, Trojan.zbot Activity 15 virus can delete important system files without your permission and corrupt your routine programs. It is very good at tracking your browsing habits, so if you let it hang around there too long, it will probably steal your computer privacy, including web history, search queries, credit card details, IP address, phone number and so on.
Note this is the manual means to remove it - http://removevirusmalware.com/remove-trojan-zbot-activity-15-virus/
0
 
LVL 37

Expert Comment

by:Gerwin Jansen
ID: 40586403
If clean attempts keep failing, reinstall as a last resort, but only after you've blocked the intrusion attempts. Save valuable data beforehand, or take a new drive and install fresh.
0
 
LVL 1

Author Comment

by:rhavey
ID: 40592757
I finally caught up with my customer.  I ran Rogue Killer - successfully, I think.

The router is a Netgear WND3400v2.  The procedure is to enter the IP address in Blocked Services and specify All Services (TCP and UDP).  The Apply button cleverly turns into an Add button, which I suppose is OK, but when I click Add, I get a message that says "Invalid IP address.  Please enter it again."  I tried with the offending address and one of Google's addresses with the same result.  I can ping both IP addresses.  I tried entering the IP addresses with leading zeroes for the numbers that were less than 3 characters.

I have an inquiry in to Netgear and I may or may not get an answer.

I suspect that the feature isn't working.  I tried updating the firmware with no improvement.

Does anyone have any idea if there is a trick to entering an IP address to be blocked in this router?
0
 
LVL 61

Expert Comment

by:btan
ID: 40592812
You should be able to view the log of web access or attempted web access and see the source IP address. If that address is captured, the router should be able to recognise it. I was thinking you are actually using the block feature in the router, which only supports blocking those PCs (or range of IP addresses) on your network. By default, the router blocks any inbound traffic from the Internet to your computers except for replies to your outbound traffic. See the manual (v1 though):
http://www.downloads.netgear.com/files/GDC/WNDR3400V1/WNDR3400_UM_31AUG2010.pdf
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40593563
CurrPorts is very useful for seeing if there is still something running on the PC: http://www.nirsoft.net/utils/cports.html
What did RogueKiller find?
0
 
LVL 1

Author Comment

by:rhavey
ID: 40593706
I know the address that I need to block.  You have confirmed my suspicion that the feature I was trying to use blocks access from the local network to the Internet.  The other feature I tried to use blocks keywords and URLs, but I can't specify an IP address.  I will check to make sure that there isn't a port being forwarded when I catch up with the customer again - later today, I hope.

Roguekiller found a registry key with Poweliks and some other registry problems.  I think that problem is taken care of.

I can try CurrPorts, but I want to stop the intrusion before it gets to the computer.  EndPoint is obviously stopping the intrusion, but it freaks the user out.
0
 
LVL 61

Expert Comment

by:btan
ID: 40593730
The router only allows you to restrict access based on Web addresses and Web address keywords, which again applies to traffic from your network and not inbound from external. Since the callback is IP-address based, I doubt the router is going to be effective.

You can download Process Explorer from the Microsoft site (Sysinternals). Alternatively, use the Task Manager. See if you still have lots and lots of dllhost.exe processes, gradually using more memory and CPU cycles. These are symptoms of the "Poweliks" virus. You can see the removal guide from BleepingComputer.

Understand that Symantec also provided a Trojan.Poweliks removal tool, either FixPoweliks64 (exe for 64-bit computers) or FixPoweliks32 (exe for 32-bit computers).
0
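The two symptoms named in the comment above (a crowd of dllhost.exe processes, and an autostart that lives only in the registry with no file behind it) can be checked from a script. The following is an added example, not code from the thread or from any of the tools it mentions. It is written for the PowerShell 2.0 that ships with Windows 7 and must run from an elevated prompt. The dllhost threshold and the "launch target not on disk" heuristic are assumptions to tune per machine, not documented indicators; the function names are arbitrary.

```powershell
# Added example (not from the thread): quick triage for the Poweliks symptoms
# described above. PowerShell 2.0 compatible; run elevated.

function Get-DllhostSummary {
    # dllhost.exe is the COM Surrogate. A few instances parented by svchost.exe
    # are normal; dozens that keep growing in memory match the symptom above.
    $procs = @(Get-WmiObject Win32_Process -Filter "Name = 'dllhost.exe'")
    foreach ($p in $procs) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = '<exited>'
        if ($parent) { $parentName = $parent.Name }
        New-Object PSObject -Property @{
            Pid          = $p.ProcessId
            Parent       = $parentName
            WorkingSetMB = [int]($p.WorkingSetSize / 1MB)
            CommandLine  = $p.CommandLine
        }
    }
}

function Test-DllhostSwarm {
    param([int]$Threshold = 10)   # assumption: tune for the machine
    $count = @(Get-DllhostSummary).Count
    New-Object PSObject -Property @{ Count = $count; Suspicious = ($count -ge $Threshold) }
}

function Get-SuspiciousAutoruns {
    # Autostart values whose command does not resolve to a file on disk, or
    # whose name regedit cannot display. A file-less autostart hides this way.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($path in $keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $data   = [string]$key.GetValue($name)
            $reason = $null
            if ($name -match '[\x00-\x1F]') {
                $reason = 'value name contains control characters'
            } else {
                # First token of the command: a quoted path or the first word.
                $exe = ''
                if ($data -match '^\s*"([^"]+)"') { $exe = $matches[1] }
                elseif ($data -match '^\s*(\S+)') { $exe = $matches[1] }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                $onDisk = ($exe -ne '') -and
                          ((Test-Path -LiteralPath $exe) -or
                           (Get-Command $exe -ErrorAction SilentlyContinue))
                if (-not $onDisk) { $reason = "launch target not found on disk: '$exe'" }
            }
            if ($reason) {
                New-Object PSObject -Property @{ Key = $path; Name = $name; Data = $data; Reason = $reason }
            }
        }
    }
}

Get-DllhostSummary     | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize
Test-DllhostSwarm      | Format-List
Get-SuspiciousAutoruns | Format-List
```

HKCU in an elevated session is the administrator's hive, not the affected user's, so run the autorun check once as the user as well. The script only reports; removal still needs one of the tools discussed in the thread.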
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 40593750
Every NAT router discards traffic from the outside.
0
 
LVL 1

Author Comment

by:rhavey
ID: 40595877
CurrPorts did not help, but the EndPoint log was informative.  It turned out that something (probably Poweliks) was sending an ICMP query to the offending IP address and that site was sending an ICMP signal back.  That's why the traffic was getting through the router.  What isn't clear to me is how EndPoint determined that the traffic was not legitimate.

Poweliks turned out to be difficult to remove.  Symantec's removal tool did not find it, an EndPoint scan found it but could not remove it, and Rogue Killer found it but could not remove it.  Malwarebytes and Superantispyware also could not find Poweliks.  I finally went back to btan's post pointing at a Bleeping Computer article on manual removal.  The manual removal procedure had not worked earlier, but at the bottom of the article was a reference to ESET's removal tool.  The ESET tool apparently successfully removed the virus.  An EndPoint scan ran clean.  I rebooted and a second scan ran clean.

Because I was burned 3 times before I started this thread, I am going to keep it open until Monday.  If I haven't heard from the customer that there is still a problem, I will accept btan's solution.
0
 
LVL 61

Expert Comment

by:btan
ID: 40596277
Noted; the callback (victim IP calling back to an external IP) is expected, as in all ransomware (and malware). I was thinking of Microsoft Security Essentials as well in my first post.. but since it has been removed, I see we can leave it as it is and monitor whether the callback still exists.
0
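The thread establishes why the router could not help: the NAT router already drops unsolicited inbound traffic, and what it admitted was the reply to the PC's own outbound ICMP. The block therefore has to sit where the traffic starts, on the PC. The following is an added example, not code from the thread, that adds that egress block with the Windows 7 built-in firewall via netsh and turns on drop logging so the callback can be monitored after cleanup, as suggested above. 195.2.240.86 is the address from the question; the rule names and function names are arbitrary. Run it from an elevated PowerShell prompt (2.0, as shipped with Windows 7, is enough).

```powershell
# Added example (not from the thread): block the callback address on the PC
# itself and log what the firewall drops. Uses netsh, available on Windows 7
# Home Premium. Run elevated.

$CallbackIp = '195.2.240.86'      # address named in the question
$RuleName   = 'BlockZbotCallback' # arbitrary

function Add-CallbackBlock {
    param([string]$Ip = $CallbackIp, [string]$Name = $RuleName)
    # Outbound is the direction that matters: if the host's own packets to the
    # address never leave, there is never a reply for the router to admit.
    netsh advfirewall firewall add rule name="${Name}_out" dir=out action=block remoteip=$Ip protocol=any | Out-Null
    # Inbound as well, in case the PC is ever exposed or a port gets forwarded.
    netsh advfirewall firewall add rule name="${Name}_in" dir=in action=block remoteip=$Ip protocol=any | Out-Null
}

function Test-CallbackBlock {
    param([string]$Name = $RuleName)
    # netsh prints the rule's properties, or 'No rules match the specified criteria.'
    $shown = netsh advfirewall firewall show rule name="${Name}_out"
    return [bool]($shown -match '^\s*Action:\s+Block')
}

function Enable-DropLogging {
    # Dropped packets are written to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
    # A DROP line toward $CallbackIp after cleanup means the beacon is still alive.
    netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
}

function Get-CallbackDrops {
    param([string]$Ip = $CallbackIp)
    $log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
    if (Test-Path -LiteralPath $log) {
        Get-Content -LiteralPath $log | Where-Object { $_ -match 'DROP' -and $_ -match [regex]::Escape($Ip) }
    }
}

Add-CallbackBlock
Enable-DropLogging
if (Test-CallbackBlock) { "Outbound block for $CallbackIp is in place" }
else                    { "Rule not found; run this from an elevated prompt" }
Get-CallbackDrops | Select-Object -Last 10
```

ICMP has no socket, so netstat or CurrPorts will not show an ICMP-only beacon; the firewall log is the place to watch for it. The rule only blocks this one address, so a variant that calls elsewhere is not covered, which is why the thread's advice to confirm removal still stands.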
 
LVL 1

Author Closing Comment

by:rhavey
ID: 40601486
The manual procedure did not work, but there was an ESET scanner recommended at the end of the Bleeping Computer article.

I have not heard from my customer, who would not hesitate to complain.
0
 

Expert Comment

by:Henry Park
ID: 41781004
A few days ago, I was also experiencing the same problem (Trojan.Zbot Activity 15). Actually, Trojan.Zbot Activity 15 is one type of infection that comes under the category of trojan. The intrusion attempts come from the 195.2.240.86 IP address, which is in Russia. My antivirus reports Trojan.Zbot Activity 15 every time I scan my computer. After the entry of this infection I am noticing some malicious programs running in the background, but I cannot stop them. Because of this the system is running very weirdly. The installed antivirus detects the problem but could not help me. One day, I ran a scan of my computer the whole night. But nothing helped me. But one day I got a solution to remove Trojan.Zbot Activity 15 manually from the computer (http://www.trojanzbotactivity15removal.com)
0
 
LVL 61

Expert Comment

by:btan
ID: 41781046
Maybe better to rebuild into a clean build since it is confirmed infected. Up to individual risk appetite, as the root cause of such infection may not have been closed and may recur. Hardening still needs to be verified..
0