How to get rid of ZeuS/Zbot -- my entire network infected!

MJTuc

How to get rid of ZeuS/Zbot -- my entire network infected!

Post by MJTuc »

Greetings,
I've been a Microsoft window shopper for almost 13 or so years and I'm very happy with my decision to pick up Linux.
Please bear with me on this..... My son, while I was away, allowed the Zeus virus to invade my entire network... I'm having a hard time getting rid of it and it even infiltrates Linux installs..

Is it possible to overwrite ALL the Loops and Bus data that's already on my machine?? Right before I load Linux, is there some command I can use with the loader below???
OR any ideas on how to get rid of it.. I'm at my wits' end and I kid you not... the individual that gives me the final solution that works WILL BE REWARDED!! You have my word..
HELP...

casper/vmlinuz file=/cdrom/preseed/inuxmiat.seed boot=casper initrd=/casper/initrd.lz
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
xenopeek
Level 25
Posts: 29615
Joined: Wed Jul 06, 2011 3:58 am

Re: How to get rid of ZeuS/Zbot -- my entire network infecte

Post by xenopeek »

Updated your topic subject and moved it here. ZeuS/Zbot only targets Windows installs, it does not affect Linux. If you can detail what problem you have on your Linux install, others might be able to help with that. For help with your Windows computers and removing ZeuS/Zbot, see information provided by anti-virus companies. Like information from Symantec here: http://www.symantec.com/security_respon ... 16-3514-99
MJTuc

Re: How to get rid of ZeuS/Zbot -- my entire network infecte

Post by MJTuc »

What you're about to read will seem far-fetched but it's ALL True.. I'm amazed myself.. I've looked around about a dozen or so Linux sites and I chose this one.. It seems that this site has some serious smarts and, being a semi-retired person from Windows, I can bring a lot to you starting with this....

What I've learned over the past 5 months is that if the Zbot was on my Windows system and you re-image to Linux; I realize and know it's not exactly "Zeus" anymore; however believe me when I say it mutates into some kind of Zeno-morph that wreaks havoc on Linux.. It sits in the Memory at around (00000000FFFFFFFF not sure exactly) as a binary coward and during the installation commands the installer to use the info off the loop backs and any PCI bus that holds a charge.... If it can't access the BIOS it creates a Hive and sits between your CMOS and BIOS chips systematically TWEAKING your hardware trying to convince you into the BIOS...... It forces an install of the generic kernel, REMOVES ALL the media extras, LOADS ALL Bluetooth, Remote desktop, and Any/ALL protocols that have to do with Remote Takeovers.... If I don't change the root PASSWORD right away, within an hour my SUDO powers are GONE...... It re-writes all my network protocols including removing all permissions of the Network manager so it's constantly bumping my connection off and on while it continues to create 6 to 15 listening beacons... and systematically destroys the integrity of the image..

>> You will not believe the things this Sinister little BA$%@%D does.. It's like Nano Technology.. I have tons of notes and information that I've acquired over a LONG 5 months; including observation, interaction and trial and error.. I've tried EVERY anti-virus, Mal-ware remover, etc., etc.... NONE touch it AT ALL IN Windows... The variant that I have is one amazing little monster.. I've given up trying to kill it from Windows because it's a lost cause.. However like I said it's not the AKA Zeus in Linux but I assure you it COMPLETELY compromises your Linux Image.. And it all starts while loading... That's why I'm asking If ANYONE has had any experience with changing the loading commands to IGNORE any and ALL possible re-directs while OVERWRITING or Removing the Hives from the chips on the motherboard, RAM, and IT even infiltrates the power supply... McAfee, Symantec, Webroot, Malwarebytes and the list goes on; NONE EVEN KNEW IT WAS THERE... >> If anyone's interested in battling this bastard head on; I'll be glad to send you the Hard Drive that contains the Worm... But be VERY Careful...
>>> I have tons of files, scripts, that the Zeno-Morph has re-written in Linux.. I'll be glad to send anyone a Linux file/script of their choice so you can see in disbelief what goes on. <<<<
I'm ready to try and kill it with Linux so I'm open to Any of your input and I'll be glad to answer any Windows info.. ((I will Reward any individual that enlightens me with the resolution))
Good Luck, and thanks for listening..
Masy

Re: How to get rid of ZeuS/Zbot -- my entire network infecte

Post by Masy »

Hi,

I did an Nmap scan like this: sudo nmap 192.168.1.*
and I found Zeus on port 9090 on 3 addresses.

I use the old Firestarter and shut down port 9090 immediately. I Googled Zeus and got results from a Zbot to a legal webserver.

Something is wrong. But I think it is a false positive. I did external scans with Firestarter on and off.
(Firestarter turns red/blocks outgoing traffic on port 9090.)
The external scans I did with:
http://www.pcflank.com/
https://www.grc.com/intro.htm

They all returned a green light. I can't imagine that a Zbot always uses the same port. A Zbot should also generate network traffic. If I close down all programs, the LED on my router indicates that there is no internet activity.

So I think something is wrong with Nmap. I also use the ClamTk anti-virus and rkhunter. No alerts...
However the working of Nmap is not normal and I'm going to search on/further.

All readers, install Nmap with:
sudo apt-get install nmap zenmap
Where Zenmap is the GUI version of nmap.
And give a check with: sudo nmap 192.168.1.*
If you also find Zeus on several IP addresses we can finger-point at Nmap or Zenmap...

Or not, then something is very, very wrong...
Malware within Linux-distributions?

I hope not.

Community: give us input, answers...

Greetings and love,

Marcel.
Masy

Re: How to get rid of ZeuS/Zbot -- my entire network infecte

Post by Masy »

I turned off every app on my network (SmartTV, wifi-printer, GSM, tab and notebook).
Then I turned on the notebook and did an nmap with sudo nmap 192.168.1.*
No Zeus at 9090. Then I put on every app one at a time and did an nmap every time.

So I found out that 9090 zeus-admin is on my smartTV.
If I turn off my smartTV, the Zeus message is gone.

So now I have to find out if that's normal on a smartTV...

Greetings,
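A worked version of the device-by-device isolation Marcel describes, added here as an example and not code from the thread: it parses two constructed nmap text outputs (a baseline with everything off, then one device switched on), attributes any newly open port to that device, and reports the SERVICE column for what it is. That column is a static lookup of the port number in nmap's nmap-services file, where 9090/tcp is listed as zeus-admin (the administration port of the Zeus web server), so it is not a detection of the Zbot trojan. Host addresses, device names and scan text are constructed.

```python
import re
from typing import Dict, List, Tuple
Ports = Dict[str, Dict[Tuple[int, str], str]]  # host -> {(port, proto): label}
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

def parse_nmap(text: str) -> Ports:
    """Collect the ports reported 'open' per host from nmap's default text output."""
    hosts: Ports = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts.setdefault(current, {})
            continue
        m = PORT_RE.match(line)
        if m and current and m.group(3) == "open":
            hosts[current][(int(m.group(1)), m.group(2))] = m.group(4)
    return hosts

def attribute(baseline: Ports, scan: Ports, device: str) -> List[Tuple[str, str, int, str, str]]:
    """Ports open in `scan` but absent from `baseline` belong to the device just switched on.

    The label is nmap's static nmap-services name for the port number (9090/tcp is
    'zeus-admin'), copied verbatim; it does not identify the software answering there.
    """
    found = []
    for host, ports in scan.items():
        for (port, proto), label in sorted(ports.items()):
            if (port, proto) not in baseline.get(host, {}):
                found.append((device, host, port, proto, label))
    return found

# Constructed sample scans: baseline with only the notebook on, then the TV added.
BASELINE = """Nmap scan report for 192.168.1.10
Host is up (0.00012s latency).
PORT   STATE SERVICE
22/tcp open  ssh
"""
WITH_TV = BASELINE + """Nmap scan report for 192.168.1.20
Host is up (0.0031s latency).
PORT     STATE  SERVICE
9090/tcp open   zeus-admin
8080/tcp closed http-proxy
"""

if __name__ == "__main__":
    for row in attribute(parse_nmap(BASELINE), parse_nmap(WITH_TV), "smart TV"):
        print("%s: %s %d/%s (nmap-services label %r)" % row)
```

Feed it the saved output of a real scan per device (sudo nmap 192.168.1.* > scan.txt) in place of the constructed strings to attribute every port on a home network the same way.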