I have been getting emails with Trojan.Zbot attached. This is to be expected - I get tons of spam. Norton detects them, and deletes them, sending the attachments to the recycle bin.
Sometime later (could be hours later), when I'm not even at my computer, the Trojan installer is run from the recycle bin. I don't know what causes this. But I know it ran, because Norton AutoProtect detects that I'm now infected, and wants to reboot my computer to clean the infection. Below is a sample from the quarantine report, showing the infector in the recycle bin, and the infected system cleanup.
Why is Norton allowing the infector to run? What might be triggering the infector to run? I did a search for registry entries associated with Trojan.Zbot and couldn't find any (after AutoProtect cleaned the registry).
Is there a Norton setting I should change to prevent infectors from running from within the recycle bin?
This has happened twice recently. Once was a fluke. Twice is a real concern.
Antivirus version is 20.4.0.40, and Live Update says I'm up-to-date.
There is a simple answer to this (although one item is a worry). I do know the answer looking at it.
I will not give the answer to this, I am leaving it to others to answer, ones who would not leave the area alone, so I will not deal with any of it here. The forum is too dangerous and I will not be a part of the goings on here at all.
It doesn't sound to me that malware removal is working fine. Quads?
Do not ask me when that is like a double standard to what has gone on, Say you can all do things on one hand but then can even see the simple stuff for this area on the other. So you guys can deal with threads.
All want to give stick, but still want the knowledge (opinion) NO!!! test the problem yourselves and get the data.
The answer was worked out in 2009 so it is not new.
You guys as a group shut that down, As I am sick of fighting the group and continuing to say stay out of what you (any user) do not understand over and over and over. Like trying to keep the children out, and the backlash from that.
My knowledge, data and testing also leaves with that as a side effect.
Symantec and other upper level testers etc. do get my help and that continues so I am still busy but it is away from the public board.
I don't have the technical expertise to tell you why Norton is allowing the Trojan.Zbot infection to run from your recycle bin, but I would strongly advise that you post in one of the reputable malware removal boards suggested by F4E in message # 2 to help you clean the remnants of this infection off your system. I've used the WhatTheTech Virus, Spyware & Malware Removal board myself and was very impressed with the level of service they provided. The Malware Discussion board in the Norton community was closed earlier this month and Kelly's thread here in that board might provide some additional insight as to why our own malware removal board was shut down.
The default protection settings for NIS are usually optimal for most systems, but I would suggest that you change your boot time protection (Settings | Computer | Real Time Protection | Enable Boot Time Protection) from OFF to AGGRESSIVE to help prevent future infections. This might increase your boot time slightly but it provides maximum protection when you start your system, as noted here.
Running more than one antivirus program in real time protection mode can also decrease the efficiency of your Norton protection - see here for more info. I let NIS handle all my real time protection, but I also run the occasional scan with Malwarebytes Anti-Malware just to ensure my system isn't infected with malware that might have slipped past my Norton protection.
------------ MS Windows Vista Home Premium 32-bit SP2 * Firefox 25.0.1 * IE 9.0 * NIS 2013 v. 20.4.0.40 * MBAM PRO 1.75.0.1300 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS
I don't know what kinds of issues may have happened in the past with this board.
As an end-user coming to the Norton Community in hopes of getting some support, I had hopes that some user out there would know the answer. I'm happy to find out someone indeed does know. I confess I can't understand the utility of withholding the answer. It's only frustrating.
As to the issue of whether my virus removal is successful, I verified that both with yet another virus scanner (Trend Micro House Call, which claims to specifically remove all Zbot variants) and by manually inspecting known locations the Zbot virus infects. Also, the computer gets scanned by Microsoft's Malicious Software Removal Tool every time that tool gets updated, and it has never reported a problem. So that's 3 opinions that the computer is virus-free (counting Norton). The computer still gets reinfected a week or two later, and the only vector I can see is the infected file in the Recycle Bin.
As far as consulting other virus resources, I did that before posting here.
I have always had Boot Time Protection set to Aggressive.
The other malware sites aren't of any help, because there aren't any traces of infection left on the computer now. There won't be until the next time I fetch an email with Zbot in it.
For now, I've disabled the recycle bin on the drive where the email client runs.
Hi hspindel:
Please read prr's thread here titled Infection with Spyware.zbot in Malwarebytes' Malware Removal Help forum. I'd still suggest that you post in a malware removal forum and let an expert review your diagnostic logs to ensure that all traces of the infection have been wiped off your system. Better safe than sorry.
Symantec has posted some generic best practices here on the Removal tab of the technical summary for Trojan.Zbot with suggestions to reduce the risk of infection, which includes disabling the Windows Autorun feature.
Okay, I'll try one of the other forums. Still think the problem is re-infection from a new attack, not a lingering remnant.
I always have Autorun disabled.
Hi,
I don't doubt that there are re-infections but I would also suspect that it might be easier now because a bit of trash has been left in your system which identifies it as one that can be infected [think a backdoor].
Having a trained specialist review your logs will help you be sure that the backdoors are closed and you are as safe as possible.
Please do not run more than one active security scanner at a time. They tend to conflict and may actually reduce your level of protection.
Regardless of which of the free sites you choose, please stay with the specialist that first helps you. Trying to work two sites or more than one specialist, they are all volunteers, can result in a complete withdrawal of assistance.