• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos0

My PC attacking itself!

Norton keeps telling me it has blocked an intrusion attempt. The IPS Alert Name is Trojan.zlob.Q. It gives the name and IPS of the attacking computer, which turns out to be my own. So is my PC attacking itself? It then invites me to run Norton Power Eraser, and it comes up with a file that is part of my Zara graphic program. Norton's own info says this file is perfectly safe. Norton also tells me that it has blocked a large amount of suspicious outgoing data. Power Eraser leads to the same apparently innocent file. Anyone know what's going on?

Replies

Kudos0

Re: My PC attacking itself!

Hello Steve Please use the (Windows OS) snipping tool to gather a screen shot from your Norton history and post here what exactly you are seeing. Here is how in case you do not know how:

https://community.norton.com/en/forums/how-post-image-forums-0  

Below is a sample screenshot of what we would need to see from your Norton security history. Under the Show area also please select "Firewall-Activities" and scroll to one of the instances where this detection took place. In the lower right corner in blue select "More Options" and open. Please get a screenshot of that and post here. Will help immensely.

Cheers

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Creators Update version 1703 build 15063.608 / NSBU 22.10.1.10 Traditional
Kudos0

Re: My PC attacking itself!

Norton Power Eraser will list all files that may be suspicious.  Files listed by NPE are possibly threats, but not necessarily so.  Zara graphics may be perfectly fine and unrelated to the IPS alerts.

Kudos0

Re: My PC attacking itself!

Dark magic.... On a serious note, nothing is wrong. As people mentioned, if the program has a marker of being potentially malicious, doesn't mean it is. Zara graphics might be a PUP, bundleware, something that is generally useless for most people and is bundled with other malicious programs. And no, your PC is not attacking itself, unsurprisingly, everything works as intended.

Kudos0

Re: My PC attacking itself!

All: Trojan.zlob.Q IS indeed a definite threat as it is a Windows "startup" malware. Targeting older operating systems primarily. Steve-Eddy, please carefully read the article in the link I have provided below. You may have already performed most or all of these suggestions however please redo them again. This Trojan is considered "low" on the threat level none the less should not be on your system.

https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=22910

Removal instructions are here:

https://www.symantec.com/security_response/writeup.jsp?docid=2016-020300-4629-99&tabid=3

Zara graphics APPEARS as previously stated to be a legit program as well I would submit the files being detected to Norton to have them accessed as "false positive" and removed from the product detections listing.

Cheers

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Creators Update version 1703 build 15063.608 / NSBU 22.10.1.10 Traditional
Kudos0

Re: My PC attacking itself!

Hi SoulAsylum, thanks for the reply. I'm attaching the error report I get. I have actually now uninstalled my Xara graphics program, and am still getting these Norton Trojan reports, so Xara was not the culprit. When I run Power Eraser it now tells me it has found no problems. I could just tell it not to report anymore, but then it might miss a genuine problem (if there actually isn't one now!).

Kudos0

Re: My PC attacking itself!

Thanks for the info Steve. Here again is the proper way to post screenshots to the forums. It keeps everyone safe and shows in thread inside your comments:

https://community.norton.com/en/forums/how-post-image-forums-0

That report DOES indicate you are still infected and NPE did indeed block the threat. Check in your Norton dashboard under quarantine to see if its there and remove it if it has not already been removed.

Questions: What OS are you running?

Is BONCATH the internal name for YOUR computer? That is the attacking computer in your results. And is your country of origin Netherlands?  Whois for IP 81.171.14.67 traces to that location and is the attacking IP address.

Please download and run Malwarebytes and tell us what it finds with a screenshot. Get it here:

https://www.malwarebytes.com/

Cheers

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Creators Update version 1703 build 15063.608 / NSBU 22.10.1.10 Traditional
Kudos0

Re: My PC attacking itself!

SoulAsylum: That report DOES indicate you are still infected and NPE did indeed block the threat. Check in your Norton dashboard under quarantine to see if its there and remove it if it has not already been removed.

Respectfully curious.
Where do you see machine is infected and NPE blocked the threat?

Thanks

Kudos0

Re: My PC attacking itself!

bjm the pdf shows the Trojan as being blocked yet he states he is still getting these Trojan notifications after having ran NPE and emoving the previously offending program. An outside IP address 81.171.14.67:80 is being called to his system  therefore I think he has a hidden infection still. Or have I misinterpreted something?

Cheer

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Creators Update version 1703 build 15063.608 / NSBU 22.10.1.10 Traditional
Kudos0

Re: My PC attacking itself!

From this distance ....

An outside IP address is being called to his system therefore I think he has a hidden infection still.

sounds plausible although... 

NPE did indeed block the threat.

?

and calling out could be from legit program / browser extension albeit, unknown to user.

How often and when does user receive IPS Alert.


Product Update Announcements ~ IPS “Outbound Traffic Detected” alert.
https://community.norton.com/en/blogs/product-update-announcements/ips-outbound-traffic-detected-alert


We learn <here> that IPS prompts the 'Outbound Traffic Detected' dialog. 
Maybe, if you review 'Intrusion Protection' document <here> you'll garner an idea as to what item on your machine is generating the outbound traffic.  Presuming IPS is working properly. Note IPS detects by attack signatures. Norton is trying to alert you to suspicious network activity / traffic.  As posted earlier in this thread.  Maybe a browser add-on is promoting the traffic. 
Note:  Intrusion Prevention relies on an extensive list of attack signatures to detect and block suspicious network activity. In some cases, benign network activity can appear to be similar to an attack signature. You might receive repeated notifications about possible attacks. If you know that the attacks that trigger these notifications are safe, you can create an exclusion for the signature that matches the benign activity.

https://community.norton.com/en/comment/6589461#comment-6589461


Chat with Official Norton Support  ask for VPP team > Support will work with you to diagnose and remove malware. What is Norton Virus Protection Promise

FWIW ~ AS IS ~ YMMV

Kudos0

Re: My PC attacking itself!

Hi. OK, I see re the file upload. My Norton dashboard says the trojan file is quarantined and no further action is needed. Should I 'clear entries' to completely delete, or does clearing just refer to the history? I'm running the latest version of Windows 10. Boncath is my PC, but I'm in Wales, not the Netherlands. I've uploaded the Norton file and the Malwarebytes report (huge!) as two screenshots! What can you deduce? Thanks in advance, Steve

trojan_attack.jpg

Kudos0

Re: My PC attacking itself!

Steve-Eddy:  My Norton dashboard says the trojan file is quarantined and no further action is needed.

For information re event > from Norton pop-up > More Details > Copy to Clipboard and/or from Norton history > More Options > Copy to Clipboard > paste here.


I'm not DIY remediation fan.
Just me.  Just saying.  
Regards w Respect

Kudos0

Re: My PC attacking itself!

Steve remove all the entries in quarantine then reboot.

Cheers

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Creators Update version 1703 build 15063.608 / NSBU 22.10.1.10 Traditional
Kudos0

Re: My PC attacking itself!

Screenshot too small to see anything.

Based on the pdf attachment "Norton's report of an intrusion by my own computer" I see that a powershell script on your computer is accessing a hazardous website. For reason including but not limited to: downloading (more) malware, downloading commands from the attacker (aka "the bad guys") to control your computer, or sending stolen info from your computer (passwords, etc..).

Norton has blocked this specific incident. One cannot be sure what else is going on that Norton has not alerted on.

This computer needs to be THOROUGHLY checked for malware before you use it for anything remotely sensitive or important. After the computer is clean you should change all your passwords.

Kudos0

Re: My PC attacking itself!

@Steve-Eddy  Following up to see how you made out.

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Creators Update version 1703 build 15063.608 / NSBU 22.10.1.10 Traditional
Accepted Solution
Kudos0

Re: My PC attacking itself!

Doing a full scan and deleting what was in quarantine finally soved it. Thanks everyone who helped.

Kudos0

Re: My PC attacking itself!

You are most welcome!!

Cheers

"From DOS to Windows10 what a journey it has been" Windows 10 Professional x 64 Creators Update version 1703 build 15063.608 / NSBU 22.10.1.10 Traditional