View Full Version : W7 SP1 64-bit Trojan.Zbot Activity 15 reported by Norton 360

Running W7 SP1 64-bit. Norton 360 v (recently auto-updated) has started reporting multiple intrusion preventions, citing Trojan Zbot Activity 15. We've not used your website before but Norton Community thread 6145291 recommended this site, among others. We are retired software engineers, so we've been out of the loop for awhile, but we can follow technical directions and report back with great detail!

Can you help us getting this malware removed?

Greetings and http://www.bleepingcomputer.com/forums/public/style_emoticons/default/welcome.gif to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.

A few points to cover before we start:

Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
Make sure to read my instructions fully before attempting a step.
If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
Important information in my posts will often be in bold, make sure to take note of these.
I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
Let's get going now http://www.bleepingcomputer.com/forums/public/style_emoticons/default/thumbup2.gif

Hi Toffee - We followed your instructions and ran FRST from our Desktop. Below are the cut/pasted contents of the two log files you wanted in this reply. (We couldn't see a way to attach copies of the two files to this reply, but that's not what you asked for anyway! )

Note: In FRST.txt, under the heading "Files to Remove or Delete", we notice several SyncToy synchronization files listed. SyncToy uses these files for our nightly incremental backups to an external disk, so we do NOT want them moved or deleted.

Thanks for your help...

FRST.txt file contents:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-07-2015
Ran by BobnJane (administrator) on HP-AIO-200-QUAD on 09-07-2015 15:20:36
Running from C:\Users\BobnJane\Desktop
Loaded Profiles: BobnJane & UpdatusUser (Available Profiles: BobnJane & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)

Hi Toffee - We'll be unable to reply to any messages from you for about the next hour. Should be back online by 7/9 17:30 US Eastern Daylight

Hi Toffee - We see that you're 5 hours ahead of us, and perhaps you'll be reading this Friday am before we're even awake. So we wanted to give you this background:

About June 25, our Norton 360 auto-updated to v (presumably a Windows 10 - compatible version). The first time a scheduled full scan ran after that on June 28, we (and many other Norton customers) got dozens of false positives for heuristic viruses on some of our other W7-SP1 PC's. Many of these files were deleted and quarantined without even asking us. Since the GUI was new, we had to learn that at the same time we were trying figure out how to recover all our deleted files, etc, and eliminate the phantom "Action Required" popup screens. It turned out that if you had rebooted your machine between the v 22 installation and the first full scan, you were probably OK, but if not, Norton 360 often "detected" dozens, and in some cases hundreds, of false positive heuristic viruses.