HTTP ZBOT activity
Thread Starter
Joined: Feb 1998
Aviation Qualifications: ATPL
Posts: 1,595
Likes: 0
From: Formerly of Nam
HTTP ZBOT activity
I was a bit of a silly bastard the other day when I opened
an email (Subject: none) from a mate that said happy
new year with a supposed e-greeting that had an .exe
attachment.
Upon activating the .exe from WE downloads folder, Peter
Norton went completely nuts but did block it using its
Intrusion Prevention Lists.
After completing the recommended scan and deletions,
Norton still reports attacks almost every few minutes -
Attempted Intrusion "HTTP ZBOT Activity" from your
machine against ygla.ru(200.56.243.137) was detected
and blocked.
Intruder: localhost(3456).
Risk Level: High.
Protocol: TCP.
Attacked IP: ygla.ru(200.56.243.137).
Attacked Port: http(80).
Attempted Intrusion "HTTP ZBOT Activity" from your
machine against vpsnl.co.cc(212.117.180.245) was
detected and blocked.
Intruder: localhost(3466).
Risk Level: High.
Protocol: TCP.
Attacked IP: vpsnl.co.cc(212.117.180.245).
Attacked Port: http(80).
Is there any way to stop these attacks? Norton blocks it
each time so I'm safe, but I don't know if the problem is
now somewhere in the Registry.
an email (Subject: none) from a mate that said happy
new year with a supposed e-greeting that had an .exe
attachment.
Upon activating the .exe from WE downloads folder, Peter
Norton went completely nuts but did block it using its
Intrusion Prevention Lists.
After completing the recommended scan and deletions,
Norton still reports attacks almost every few minutes -
Attempted Intrusion "HTTP ZBOT Activity" from your
machine against ygla.ru(200.56.243.137) was detected
and blocked.
Intruder: localhost(3456).
Risk Level: High.
Protocol: TCP.
Attacked IP: ygla.ru(200.56.243.137).
Attacked Port: http(80).
Attempted Intrusion "HTTP ZBOT Activity" from your
machine against vpsnl.co.cc(212.117.180.245) was
detected and blocked.
Intruder: localhost(3466).
Risk Level: High.
Protocol: TCP.
Attacked IP: vpsnl.co.cc(212.117.180.245).
Attacked Port: http(80).
Is there any way to stop these attacks? Norton blocks it
each time so I'm safe, but I don't know if the problem is
now somewhere in the Registry.
Joined: Jan 2008
Posts: 798
Likes: 0
From: The Land of Beer and Chocolate
You have a nasty keylogger installed on your PC.
Symantec (since that is their name for it) say to make sure your AV is up to date and do a full system scan to remove it.
Also, this seems to be the full removal method.
How to remove Zeus (Zbot) - Zeus (Zbot) Removal | Malware Help. Org
Symantec (since that is their name for it) say to make sure your AV is up to date and do a full system scan to remove it.
Also, this seems to be the full removal method.
How to remove Zeus (Zbot) - Zeus (Zbot) Removal | Malware Help. Org
Joined: Dec 2005
Posts: 1,694
Likes: 15
From: Wellington,NZ
That url (200.56.243.137) produces an immediate antivirus block when connection is attempted; the AV info describes it as a malicious attack site.
As hellsbrink said, you have a malicious program (keylogger, or whatever) installed on your machine now that is attempting to connect outbound. Fortunately blocked by your AV.
MBAM is a very good demand scanner/cleaner. That's what I'd do next.
As hellsbrink said, you have a malicious program (keylogger, or whatever) installed on your machine now that is attempting to connect outbound. Fortunately blocked by your AV.
MBAM is a very good demand scanner/cleaner. That's what I'd do next.
Thread Starter
Joined: Feb 1998
Aviation Qualifications: ATPL
Posts: 1,595
Likes: 0
From: Formerly of Nam
Thanks for that link hellsbrink.
Repeated scans by Norton, Housecall and Superantispyware
appeared to have removed all traces of it in System32 and
the Registry, but yep a single bloody embedded HKEY_USER
register mentioned in your link was the friggin culprit for the
repeated attacks. REGEDIT took care of that.
Thanks again mate. Much appreciated.
Yeh I got the same thing on a Whois check Tarq.
PS: bloke who sent me that email was thoroughly verbally
trashed. Twit didn't even know that his machine had more
bots than an empty-packeted smokers meeting......
Repeated scans by Norton, Housecall and Superantispyware
appeared to have removed all traces of it in System32 and
the Registry, but yep a single bloody embedded HKEY_USER
register mentioned in your link was the friggin culprit for the
repeated attacks. REGEDIT took care of that.
Thanks again mate. Much appreciated.
Yeh I got the same thing on a Whois check Tarq.
PS: bloke who sent me that email was thoroughly verbally
trashed. Twit didn't even know that his machine had more
bots than an empty-packeted smokers meeting......
