Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Kaspersky unhooked functions = sign of an infection?

  • Please log in to reply
1 reply to this topic

#1 Barry3426


  • Members
  • 1 posts
  • Local time:05:40 AM

Posted 30 August 2013 - 08:48 AM

Hi, my IP address got flagged in cbl.abuseat.org.

This IP address is infected with, or is NATting for a machine infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem".


I had a guest with a computer staying at the time who was signed onto my router, so I don't know if I am affected. Even if I was, I have a couple of computers, so I don't know which one.


I feel i am unlikely to be infected, but so does my guest (since gone).


We both run current McAfee on Win7 & 8 computers, and are long time computer users, and are cautious in our habits. We have both since scanned with McAfee and Safety Scanner from Microsoft, and have found no infection.


I ran ZbotKiller from Kaspersky, which finds no infection, but does list a couple of "unhooked functions".


I get something similar to what is quoted at the bottom after each reboot. I run it again, and all is clean, but the "problem" reoccurs after a fresh reboot.


My questions are:

  1. Is the removal of unhooked functions just the removal of a vunerability, or is it an indication that I do in fact have a trojan?
  2. Is the flagging of my IP address a sure sign that there is a trojan somewhere, or are there false positives?
  3. If I have this infection is McAfee or Microsoft Safety Scanner going to detect them? I have an account with McAfee but their 1st level support won't or can't answer this. At this stage the only option seems to proceed to their $90 service, which I fear may be more snake oil.
  4. The incident happened when everybody asleep. Is it possible that if there is an infection that it is on a Android device connected to my WiFi (there were several).
  5. Can I narrow the incident to a specific computer or mobile device. The message against my incident said that the device with the virus was on port 33440, does this rule out either a Windows or Andriod device. Unfortunately the router has been rebooted, so I have no log there.

Any clue as to what I should do? Thanks for any advice.


Spliced function LdrLoadDll in ntdll.dll module of process with PID 2392:
17:16:22:916 9212    Origin data: 8B FF 55 8B EC 83 EC 0C F6 05
17:16:22:916 9212    Spliced data: E9 F0 94 BE 89 83 EC 0C F6 05
17:16:22:917 9212    Fixed
Spliced function CreateProcessAsUserA in advapi32.dll module of process with PID 2056:
17:16:24:508 9212    Origin data: 8B FF 55 8B EC 6A 00 FF 75 30
17:16:24:508 9212    Spliced data: E9 C1 99 E3 FE 6A 00 FF 75 30
17:16:24:508 9212    Fixed
17:16:24:508 9212    Spliced function CreateProcessAsUserW in advapi32.dll module of process with PID 2056:
17:16:24:508 9212    Origin data: 8B FF 55 8B EC 5D FF 25 14 24
17:16:24:508 9212    Spliced data: E9 3D 80 E3 FE 5D FF 25 14 24
17:16:24:508 9212    Fixed
17:16:25:616 9212    Infected files:            0
17:16:25:616 9212    Infected threads:        0
17:16:25:616 9212    Unhooked functions:        3
17:16:25:616 9212    Deleted files:            0
17:16:25:616 9212    Fixed registry keys:        0








BC AdBot (Login to Remove)


#2 MzLindyOne


  • Members
  • 83 posts
  • Gender:Female
  • Local time:03:40 PM

Posted 06 September 2013 - 07:00 AM

Since no one has taken this up in 6 days, I'll give it a shot.  Really there are too many variables to say anything for sure.


The CBL page itself states that the process is automatic.  As such, there can be false positives.  We don't know what any timestamps mean - it could be when the detection information was processed at the CBL, when it was listed, or anything else - the middle of the night doesn't mean a thing.  Since presumably the notice you got was from your Service Provider, unless you have a fixed IP (for running a domain server), even they can't say "your IP" and at least 8 people probably got the same notice.  You could talk to your provider for that information.


Unfortunately, there is very little detailed information on ZBotKiller, but to remain effective it must rely to some extent on heuristic detection.  Because a) many legitimate programs install such hooks, and B) they were the only detection, my qualified judgement would be "false positive" on that machine.


As long as your definitions and engine are up-to-date, it seems to be running correctly, and you have no other programs running active scans, McAfee should be detecting if Zbot is there.  You should occasionally run a full scan and not rely entirely on real-time protection. 


Mobile devices can certainly be infected, but I haven't found anything of this particular trojan on those devices.  That said, there are always new versions and somebody has to be the first infectee, so there is no such thing as "that can't happen."  There are anti-malware programs for those devices, that can generally be purchased as part of your antivirus package.


Have you tried TDSSKiller and Malwarebytes Anti-Rootkit and ESET Online Scanner if only for your own peace of mind?  All this applies as well to your other machine and your friend's.


I'd like to hear what you were able to find out, if anything.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users