HTTP ZBOT activity
I was a bit of a silly bastard the other day when I opened an email (Subject: none) from a mate that said happy new year with a supposed e-greeting that had an .exe attachment. Upon activating the .exe from the WE downloads folder, Peter Norton went completely nuts but did block it using its Intrusion Prevention Lists. After completing the recommended scan and deletions, Norton still reports attacks almost every few minutes:

Attempted Intrusion "HTTP ZBOT Activity" from your machine against ygla.ru(200.56.243.137) was detected and blocked. Intruder: localhost(3456). Risk Level: High. Protocol: TCP. Attacked IP: ygla.ru(200.56.243.137). Attacked Port: http(80).

Attempted Intrusion "HTTP ZBOT Activity" from your machine against vpsnl.co.cc(212.117.180.245) was detected and blocked. Intruder: localhost(3466). Risk Level: High. Protocol: TCP. Attacked IP: vpsnl.co.cc(212.117.180.245). Attacked Port: http(80).

Is there any way to stop these attacks? Norton blocks it each time so I'm safe, but I don't know if the problem is now somewhere in the Registry.
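The two Norton alerts quoted above carry the detail that matters for triage: the "Intruder" is localhost, so the connections are outbound from the poster's own PC, and the "attacked" hosts are the bot's controllers. The parser below is an added example (not from the original thread or from Symantec) that pulls those fields out of alert text of this shape and reports which destinations the machine is beaconing to. The field layout is assumed from the two quoted lines only; Norton's real log format may differ. The sample input reuses the two alerts from the post plus one constructed non-alert line to show that unrelated log text is skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Regex for the alert layout seen in the post above (assumed, not Symantec's documented format).
ALERT_RE = re.compile(
    r'Attempted Intrusion "(?P<signature>[^"]+)" from your machine against '
    r'(?P<dst_host>[^\s()]+)\((?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\) was detected and blocked\. '
    r'Intruder: (?P<src_host>[^\s()]+)\((?P<src_port>\d+)\)\. '
    r'Risk Level: (?P<risk>\w+)\. Protocol: (?P<protocol>\w+)\. '
    r'Attacked IP: [^\s()]+\([\d.]+\)\. '
    r'Attacked Port: (?P<dst_service>\w+)\((?P<dst_port>\d+)\)\.'
)


@dataclass(frozen=True)
class Alert:
    signature: str
    dst_host: str
    dst_ip: str
    dst_port: int
    src_host: str
    src_port: int
    risk: str
    protocol: str

    @property
    def outbound(self) -> bool:
        # "Intruder: localhost" means the connection originates on this PC:
        # the local machine is the infected party, not the target of an attack.
        return self.src_host.lower() in ("localhost", "127.0.0.1")


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one IPS alert line; return None for text that is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(
        signature=m["signature"],
        dst_host=m["dst_host"],
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
        src_host=m["src_host"],
        src_port=int(m["src_port"]),
        risk=m["risk"],
        protocol=m["protocol"],
    )


def summarize(lines) -> dict:
    """Count outbound destinations (C2 candidates) and flag whether the host itself looks compromised."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    destinations = Counter(
        (a.dst_host, a.dst_ip, a.dst_port) for a in alerts if a.outbound
    )
    return {
        "parsed": len(alerts),
        "outbound": sum(a.outbound for a in alerts),
        "destinations": destinations,
        # High-risk alerts with the local machine as source: the blocked traffic is a
        # symptom; the malware generating it is still on the box until it is removed.
        "host_compromised": any(a.outbound and a.risk == "High" for a in alerts),
    }


# Sample input: the two alerts quoted in the post, plus one constructed non-alert line.
SAMPLE_ALERTS = [
    'Attempted Intrusion "HTTP ZBOT Activity" from your machine against ygla.ru(200.56.243.137) '
    'was detected and blocked. Intruder: localhost(3456). Risk Level: High. Protocol: TCP. '
    'Attacked IP: ygla.ru(200.56.243.137). Attacked Port: http(80).',
    'Attempted Intrusion "HTTP ZBOT Activity" from your machine against vpsnl.co.cc(212.117.180.245) '
    'was detected and blocked. Intruder: localhost(3466). Risk Level: High. Protocol: TCP. '
    'Attacked IP: vpsnl.co.cc(212.117.180.245). Attacked Port: http(80).',
    "Scan completed. No threats found.",  # constructed noise line, not an alert
]

if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    print(f"{report['parsed']} alerts parsed, {report['outbound']} outbound")
    print("host compromised:", report["host_compromised"])
    for (host, ip, port), n in report["destinations"].items():
        print(f"  {host} ({ip}) tcp/{port}: {n} blocked connection(s)")
```

The destination list is what you would hand to whoever manages the perimeter firewall or DNS filter, and the rising source port (3456, then 3466) is the ephemeral-port pattern of a process reconnecting on a timer, which is why the alerts keep coming until the process and its registry persistence are gone.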
You have a nasty keylogger installed on your PC.
Symantec (since that is their name for it) say to make sure your AV is up to date and do a full system scan to remove it. Also, this seems to be the full removal method: How to remove Zeus (Zbot) - Zeus (Zbot) Removal | Malware Help.Org
That url (200.56.243.137) produces an immediate antivirus block when connection is attempted; the AV info describes it as a malicious attack site.
As hellsbrink said, you have a malicious program (keylogger, or whatever) installed on your machine now that is attempting to connect outbound. Fortunately blocked by your AV. MBAM is a very good on-demand scanner/cleaner. That's what I'd do next.
Thanks for that link hellsbrink.
Repeated scans by Norton, Housecall and Superantispyware appeared to have removed all traces of it in System32 and the Registry, but yep, a single bloody embedded HKEY_USERS registry entry mentioned in your link was the friggin culprit for the repeated attacks. REGEDIT took care of that. Thanks again mate. Much appreciated. Yeah, I got the same thing on a Whois check, Tarq. PS: bloke who sent me that email was thoroughly verbally trashed. Twit didn't even know that his machine had more bots than an empty-packeted smokers' meeting.
From Sam Spade:

NS lookup 200.56.243.137: canonical name host112137.metrored.net.mx