PPRuNe Forums

PPRuNe Forums (https://www.pprune.org/)
-   Computer/Internet Issues & Troubleshooting (https://www.pprune.org/computer-internet-issues-troubleshooting-46/)
-   -   HTTP ZBOT activity (https://www.pprune.org/computer-internet-issues-troubleshooting/438260-http-zbot-activity.html)

Slasher 1st Jan 2011 23:34
HTTP ZBOT activity
 
I was a bit of a silly bastard the other day when I opened
an email (Subject: none) from a mate that said happy
new year with a supposed e-greeting that had an .exe
attachment.

Upon activating the .exe from WE downloads folder, Peter
Norton went completely nuts but did block it using its
Intrusion Prevention Lists.

After completing the recommended scan and deletions,
Norton still reports attacks almost every few minutes -

Attempted Intrusion "HTTP ZBOT Activity" from your
machine against ygla.ru(200.56.243.137) was detected
and blocked.
Intruder: localhost(3456).
Risk Level: High.
Protocol: TCP.
Attacked IP: ygla.ru(200.56.243.137).
Attacked Port: http(80).

Attempted Intrusion "HTTP ZBOT Activity" from your
machine against vpsnl.co.cc(212.117.180.245) was
detected and blocked.
Intruder: localhost(3466).
Risk Level: High.
Protocol: TCP.
Attacked IP: vpsnl.co.cc(212.117.180.245).
Attacked Port: http(80).

Is there any way to stop these attacks? Norton blocks it
each time so I'm safe, but I don't know if the problem is
now somewhere in the Registry.

hellsbrink 2nd Jan 2011 04:11
You have a nasty keylogger installed on your PC.

Symantec (since that is their name for it) say to make sure your AV is up to date and do a full system scan to remove it.

Also, this seems to be the full removal method.

How to remove Zeus (Zbot) - Zeus (Zbot) Removal | Malware Help. Org

Tarq57 2nd Jan 2011 09:49
That url (200.56.243.137) produces an immediate antivirus block when connection is attempted; the AV info describes it as a malicious attack site.

As hellsbrink said, you have a malicious program (keylogger, or whatever) installed on your machine now that is attempting to connect outbound. Fortunately blocked by your AV.

MBAM is a very good demand scanner/cleaner. That's what I'd do next.

Slasher 2nd Jan 2011 09:58
Thanks for that link hellsbrink.

Repeated scans by Norton, Housecall and Superantispyware
appeared to have removed all traces of it in System32 and
the Registry, but yep a single bloody embedded HKEY_USER
register mentioned in your link was the friggin culprit for the
repeated attacks. REGEDIT took care of that.

Thanks again mate. Much appreciated. :ok:

Yeh I got the same thing on a Whois check Tarq.

PS: bloke who sent me that email was thoroughly verbally
trashed. Twit didn't even know that his machine had more
bots than an empty-packeted smokers meeting......:*

green granite 2nd Jan 2011 10:34
from sam spade
NS lookup 200.56.243.137
Canonicle name host112137.metrored.net.mx


All times are GMT. The time now is 14:52.


Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.