Hi, my IP address got flagged in cbl.abuseat.org.
This IP address is infected with, or is NATting for a machine infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem".
I had a guest with a computer staying at the time who was signed onto my router, so I don't know if I am affected. Even if I was, I have a couple of computers, so I don't know which one.
I feel I am unlikely to be infected, but so does my guest (since gone).
We both run current McAfee on Win7 & 8 computers, and are long time computer users, and are cautious in our habits. We have both since scanned with McAfee and Safety Scanner from Microsoft, and have found no infection.
I ran ZbotKiller from Kaspersky, which finds no infection, but does list a couple of "unhooked functions".
I get something similar to what is quoted at the bottom after each reboot. I run it again, and all is clean, but the "problem" reoccurs after a fresh reboot.
My questions are:
- Is the removal of unhooked functions just the removal of a vulnerability, or is it an indication that I do in fact have a trojan?
- Is the flagging of my IP address a sure sign that there is a trojan somewhere, or are there false positives?
- If I have this infection is McAfee or Microsoft Safety Scanner going to detect them? I have an account with McAfee but their 1st level support won't or can't answer this. At this stage the only option seems to proceed to their $90 service, which I fear may be more snake oil.
- The incident happened when everybody was asleep. Is it possible that if there is an infection it is on an Android device connected to my WiFi (there were several)?
- Can I narrow the incident to a specific computer or mobile device? The message against my incident said that the device with the virus was on port 33440; does this rule out either a Windows or Android device? Unfortunately the router has been rebooted, so I have no log there.
Any clue as to what I should do? Thanks for any advice.
Spliced function LdrLoadDll in ntdll.dll module of process with PID 2392:
17:16:22:916 9212 Origin data: 8B FF 55 8B EC 83 EC 0C F6 05
17:16:22:916 9212 Spliced data: E9 F0 94 BE 89 83 EC 0C F6 05
17:16:22:917 9212 Fixed
Spliced function CreateProcessAsUserA in advapi32.dll module of process with PID 2056:
17:16:24:508 9212 Origin data: 8B FF 55 8B EC 6A 00 FF 75 30
17:16:24:508 9212 Spliced data: E9 C1 99 E3 FE 6A 00 FF 75 30
17:16:24:508 9212 Fixed
17:16:24:508 9212 Spliced function CreateProcessAsUserW in advapi32.dll module of process with PID 2056:
17:16:24:508 9212 Origin data: 8B FF 55 8B EC 5D FF 25 14 24
17:16:24:508 9212 Spliced data: E9 3D 80 E3 FE 5D FF 25 14 24
17:16:24:508 9212 Fixed
17:16:25:616 9212 Infected files: 0
17:16:25:616 9212 Infected threads: 0
17:16:25:616 9212 Unhooked functions: 3
17:16:25:616 9212 Deleted files: 0
17:16:25:616 9212 Fixed registry keys: 0
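An added example, not part of the question and not Kaspersky's code: a small Python parser for the ZbotKiller output quoted above. It checks whether each "spliced" prologue was overwritten with a 5-byte `E9` near jmp, the footprint an inline API hook leaves at the start of a function, and decodes the jmp displacement. The log sample is copied from the post; the function names below are my own.

```python
import re
import struct

# Constructed sample: two of the entries quoted in the question, copied verbatim
LOG = """\
Spliced function LdrLoadDll in ntdll.dll module of process with PID 2392:
17:16:22:916 9212 Origin data: 8B FF 55 8B EC 83 EC 0C F6 05
17:16:22:916 9212 Spliced data: E9 F0 94 BE 89 83 EC 0C F6 05
17:16:22:917 9212 Fixed
17:16:24:508 9212 Spliced function CreateProcessAsUserW in advapi32.dll module of process with PID 2056:
17:16:24:508 9212 Origin data: 8B FF 55 8B EC 5D FF 25 14 24
17:16:24:508 9212 Spliced data: E9 3D 80 E3 FE 5D FF 25 14 24
17:16:24:508 9212 Fixed
"""

# "mov edi,edi; push ebp; mov ebp,esp": the standard hot-patchable prologue of
# 32-bit Windows API functions, which is what the "Origin data" shows here.
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")

FUNC_RE = re.compile(r"Spliced function (\S+) in (\S+) module of process with PID (\d+):")
DATA_RE = re.compile(r"(Origin|Spliced) data: ((?:[0-9A-F]{2} ?)+)")


def parse_splices(text):
    """Group the log into one dict per spliced function with its byte samples."""
    entries, current = [], None
    for line in text.splitlines():
        m = FUNC_RE.search(line)
        if m:
            current = {"function": m.group(1), "module": m.group(2), "pid": int(m.group(3))}
            entries.append(current)
            continue
        m = DATA_RE.search(line)
        if m and current is not None:
            current[m.group(1).lower()] = bytes.fromhex(m.group(2).replace(" ", ""))
    return entries


def classify(entry):
    """Describe how the prologue was changed; E9 rel32 is the classic inline-hook jmp."""
    origin, spliced = entry["origin"], entry["spliced"]
    info = {
        "function": entry["function"], "module": entry["module"], "pid": entry["pid"],
        "patched_bytes": sum(a != b for a, b in zip(origin, spliced)),
        "standard_prologue": origin.startswith(HOTPATCH_PROLOGUE),
        "jmp_rel32": spliced[0] == 0xE9,
        "jmp_displacement": None,
    }
    if info["jmp_rel32"]:
        # E9 is followed by a signed little-endian 32-bit displacement, relative to the
        # end of the 5-byte jmp (target = function address + 5 + displacement)
        info["jmp_displacement"] = struct.unpack("<i", spliced[1:5])[0]
    return info


def analyse(text):
    return [classify(e) for e in parse_splices(text) if "origin" in e and "spliced" in e]
```

Both entries in the quoted log come out as a 5-byte patch of the standard prologue with an `E9` jmp to a far-away (negative-displacement) address outside the module, which is what a user-mode hook installed by another module looks like; the tool reports these as "unhooked functions" once it restores the original bytes.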