
potential Zeus Trojan


23 replies to this topic

#1 tomneedshelp (Members, 16 posts)

Posted 01 September 2014 - 10:18 AM

Yesterday I contacted Comcast because of difficulty installing TV with my internet connection. Finally got a technician who was helping and escalated the problem to a 'level one' technician. Cell phone service is not good and I got disconnected. A 'level two' technician called back and took me to LogMeInRescue so he could analyze my system. Zeus trojan was in the scan results.

When I told this technician I was concerned about access to my computer, he got angry and argumentative. I disconnected. Finally a Comcast spam phone number technician told me Comcast does not use LogMeInRescue, confirmed my concerns, and told me to have the computer checked.

So, here I am looking for help.

I ran HijackThis hoping the log file can be a start. I would appreciate any help.
 
Regards,
 
TC

Edited by Queen-Evie, 01 September 2014 - 10:28 AM.
moved from Windows 7 to the appropriate forum




#2 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,070 posts, The Arctic Circle)

Posted 01 September 2014 - 11:14 AM

Hi tomneedshelp,
 
What program did the 'level two' technician run which found a zeus trojan in the results?
 
Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#3 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 01 September 2014 - 12:28 PM

Oh, don't I wish I'd written the program name down. I'm afraid when it seemed real I deleted all and it's gone.

I have the paid version of Malwarebytes and ran that first. I'm also doing a system scan with Bitdefender now.

So far, nothing has turned up.

TC



#4 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 01 September 2014 - 02:51 PM

Contents of MBAM log file:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/1/2014
Scan Time: 3:43:46 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.01.08
Rootkit Database: v2014.08.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Tom

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 479767
Time Elapsed: 4 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#5 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 01 September 2014 - 06:22 PM

Will malwarebytes identify things like key loggers? Is it sufficient? Thanks, TC

#6 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,070 posts, The Arctic Circle)

Posted 02 September 2014 - 05:06 AM

Hi tomneedshelp,
 
Let's run a few more scans to make sure nothing is hiding:

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------

This scan can take a long time, so it is best done overnight or when you do not need the computer.
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

xXToffeeXx~




#7 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 02 September 2014 - 08:39 AM

Scans underway. Will report back when done.

Thank you very much for your assistance.

Tom



#8 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 02 September 2014 - 05:10 PM

I had to leave the computer for a couple of hours; when I got back the program had shut down. This is the log file.

Tom

Log file:


Emsisoft Emergency Kit - Version 9.0
Last update: 9/2/2014 9:24:46 AM
User account: Build-PC\Tom

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, E:\, F:\, G:\, H:\, I:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    9/2/2014 9:33:23 AM
Key: HKEY_USERS\S-1-5-21-301672993-3823531045-3313802037-1018\SOFTWARE\WAJAM     detected: Application.InstallAd (A)
Value: HKEY_USERS\S-1-5-21-301672993-3823531045-3313802037-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-301672993-3823531045-3313802037-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
Key: HKEY_USERS\.DEFAULT\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}     detected: Application.Win32.InstallAd (A)
Key: HKEY_USERS\S-1-5-20\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}     detected: Application.Win32.InstallAd (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}     detected: Application.Win32.InstallAd (A)
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe     detected: Application.Win32.InstallTool (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-Alarm_Clock-ORG-10064069.exe     detected: Application.Win32.InstallAd (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-Easy_MP3_Alarm_Clock-ORG-10289316.exe     detected: Application.Win32.InstallAd (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-TimeLeft-ORG-10034817.exe     detected: Application.Win32.InstallAd (A)
H:\TomOnH\My Documents\OCZ-also64bit\SetupImgBurn_2.5.8.0.exe     detected: Application.Win32.InstallAd (A)

Scanned    531478
Found    11

Scan end:    9/2/2014 4:24:34 PM
Scan time:    6:51:11



#9 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 03 September 2014 - 06:42 AM

Last scan:

 

Emsisoft Emergency Kit - Version 9.0
Last update: 9/2/2014 10:44:23 PM
User account: Build-PC\Tom

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, E:\, F:\, G:\, H:\, I:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    9/2/2014 10:46:30 PM
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe     detected: Application.Win32.InstallTool (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-Alarm_Clock-ORG-10064069.exe     detected: Application.Win32.InstallAd (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-Easy_MP3_Alarm_Clock-ORG-10289316.exe     detected: Application.Win32.InstallAd (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-TimeLeft-ORG-10034817.exe     detected: Application.Win32.InstallAd (A)
H:\TomOnH\My Documents\OCZ-also64bit\SetupImgBurn_2.5.8.0.exe     detected: Application.Win32.InstallAd (A)

Scanned    532565
Found    5

Scan end:    9/3/2014 4:36:04 AM
Scan time:    5:49:34

H:\TomOnH\My Documents\OCZ-also64bit\SetupImgBurn_2.5.8.0.exe    Quarantined Application.Win32.InstallAd (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-TimeLeft-ORG-10034817.exe    Quarantined Application.Win32.InstallAd (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-Easy_MP3_Alarm_Clock-ORG-10289316.exe    Quarantined Application.Win32.InstallAd (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-Alarm_Clock-ORG-10064069.exe    Quarantined Application.Win32.InstallAd (A)
C:\Program Files (x86)\CheckPoint\Install\CUninstallerZA.exe    Quarantined Application.Win32.InstallTool (A)

Quarantined    5
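The two Emsisoft Emergency Kit logs above (posts #8 and #9) follow a fixed line layout, so they can be triaged mechanically. As an added example (not code from the thread or from Emsisoft), the Python below parses that layout, separates the two policy-tampering findings (Task Manager and Registry Editor disabled) from the leftover adware installers, checks the scanner's "Found" total against the lines listed, and reports which detected files have not yet been quarantined. The sample log is constructed from the thread's own lines with the SIDs shortened to a placeholder; the function names are mine.

```python
import re
from collections import Counter

# Constructed sample in the Emsisoft Emergency Kit 9.0 log layout pasted in this thread
# (SIDs shortened to a XXXX placeholder; paths and detection names are the thread's own).
SAMPLE_LOG = r"""Emsisoft Emergency Kit - Version 9.0
Scan start:    9/2/2014 9:33:23 AM
Key: HKEY_USERS\S-1-5-21-XXXX-1018\SOFTWARE\WAJAM     detected: Application.InstallAd (A)
Value: HKEY_USERS\S-1-5-21-XXXX-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-XXXX-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
C:\Users\Tom\Desktop\Qs\AlarmsAndTimers\cbsidlm-cbsi213-TimeLeft-ORG-10034817.exe     detected: Application.Win32.InstallAd (A)
H:\TomOnH\My Documents\OCZ-also64bit\SetupImgBurn_2.5.8.0.exe     detected: Application.Win32.InstallAd (A)

Scanned    531478
Found    5

Scan end:    9/2/2014 4:24:34 PM
H:\TomOnH\My Documents\OCZ-also64bit\SetupImgBurn_2.5.8.0.exe    Quarantined Application.Win32.InstallAd (A)

Quarantined    1
"""

# Finding lines: "Key: <key>     detected: <name>", "Value: <key> -> <value>     detected: <name>"
# or "<file path>     detected: <name>"; action lines read "<file path>    Quarantined <name>".
DETECT_RE = re.compile(r"^(?:(Key|Value): )?(.+?)\s{2,}detected: (.+)$")
QUAR_RE = re.compile(r"^(.+?)\s{2,}Quarantined (.+)$")
TOTAL_RE = re.compile(r"^(Scanned|Found|Quarantined)\s+(\d+)$")

# Detections that mean a built-in control was switched off, not just an installer left on disk.
POLICY_TAMPERING = ("Setting.DisableTaskMgr", "Setting.DisableRegistryTools")


def parse_eek_log(text):
    """Return detections, quarantine actions and the scanner's own totals."""
    report = {"detections": [], "quarantined": [], "totals": {}}
    for line in text.splitlines():
        line = line.rstrip()
        if m := TOTAL_RE.match(line):
            report["totals"][m.group(1)] = int(m.group(2))
        elif m := DETECT_RE.match(line):
            kind, location, name = m.groups()
            report["detections"].append({"kind": kind or "File", "location": location, "name": name})
        elif m := QUAR_RE.match(line):
            report["quarantined"].append({"location": m.group(1), "name": m.group(2)})
    return report


def triage(report):
    """Separate policy tampering from leftover installers and cross-check the scanner's totals."""
    dets = report["detections"]
    done = {q["location"] for q in report["quarantined"]}
    return {
        "tampering": [d for d in dets if d["name"].startswith(POLICY_TAMPERING)],
        "by_name": Counter(d["name"] for d in dets),
        "count_matches_found": report["totals"].get("Found") == len(dets),
        "still_on_disk": [d["location"] for d in dets if d["kind"] == "File" and d["location"] not in done],
    }
```

Run `triage(parse_eek_log(open("a2scan_log.txt").read()))` on a real report; a non-empty `tampering` list is the finding to act on first, since it shows a setting was changed to keep the user out of Task Manager or the Registry Editor.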



#10 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,070 posts, The Arctic Circle)

Posted 03 September 2014 - 08:01 AM

Hi tomneedshelp,

You forgot this scan:

This scan can take a long time, so it is best done overnight or when you do not need the computer.

 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

The Emsisoft scan looks good though.

 

xXToffeeXx~




#11 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 03 September 2014 - 08:31 AM

I have Bitdefender on this machine and I'm now trying to find how to disable it to run the online scanner.



#12 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,070 posts, The Arctic Circle)

Posted 03 September 2014 - 08:41 AM

Hi tomneedshelp,

 

Try these instructions here.

 

xXToffeeXx~




#13 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 03 September 2014 - 08:46 AM

Just got it, thanks.

 

Tom



#14 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 03 September 2014 - 08:48 AM

Running scan now.



#15 tomneedshelp (Topic Starter, Members, 16 posts)

Posted 04 September 2014 - 03:20 AM

Scan results:

C:\Program Files (x86)\CheckPoint\Install\zatb.exe    Win32/Toolbar.Montiera.I potentially unwanted application    deleted - quarantined
C:\Users\Tom\Desktop\spsetup126.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\Tom\Desktop\Qs\ccsetup416.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\Tom\Desktop\Qs\ErrorEND_Pro_Installer.exe    multiple threats    cleaned by deleting - quarantined
E:\BUILD0-PC\Backup Set 2013-04-28 190000\Backup Files 2013-04-28 190000\Backup files 28.zip    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
E:\BUILD0-PC\Backup Set 2013-05-05 195257\Backup Files 2013-05-05 195257\Backup files 31.zip    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
E:\BUILD0-PC\Backup Set 2013-05-19 211306\Backup Files 2013-05-19 211306\Backup files 31.zip    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
E:\BUILD0-PC\Backup Set 2013-05-19 233006\Backup Files 2013-05-19 233006\Backup files 31.zip    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
G:\ReInstallDloads\TotalRecorder\TotalRecorderEditor.exe    Win32/OpenCandy potentially unsafe application    deleted - quarantined
H:\fromCorsairFlashDrive\Paul\ccsetup313.exe    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
H:\TomOnH\Desktop\st\dfsetup212.exe    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
H:\TomOnH\My Documents\Utilities\Advanced_x64Components_v467.exe    Win32/DownWare.L potentially unwanted application    deleted - quarantined
H:\TomOnH\My Documents\Utilities\spamihilator\spamihilator-64-bit_setup.exe    a variant of Win32/InstallCore.MZ potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-01-14 173201\Backup Files 2012-01-16 075517\Backup files 1.zip    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-01-21 160606\Backup Files 2012-01-21 160606\Backup files 1.zip    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-01-21 160606\Backup Files 2012-01-21 160606\Backup files 2.zip    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-02-25 072859\Backup Files 2012-02-25 072859\Backup files 2.zip    Win32/Toolbar.Conduit potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-02-25 072859\Backup Files 2012-02-25 072859\Backup files 4.zip    Win32/Toolbar.Conduit potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-02-25 072859\Backup Files 2012-02-25 072859\Backup files 5.zip    Win32/Toolbar.Conduit.Y potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-02-25 072859\Backup Files 2012-02-25 072859\Backup files 6.zip    a variant of Win32/Toolbar.Conduit.P potentially unwanted application    deleted - quarantined
H:\WINDOWS7-0-PC\Backup Set 2012-02-25 072859\Backup Files 2012-02-25 072859\Backup files 8.zip    a variant of Win32/Toolbar.Conduit.B potentially unwanted application    deleted - quarantined
I:\Piano\Miscellaneous\Nicolas Chedeville - Le Printems ou Les Saisons Amusantes Les Eclairs de Musique. 2008 SACD (Sony PS3 Rip)\SACD softs\Pyramix\Merging_Technologies_Pyramix_Virtual_Studio_7.0.10_SP2_Build_11188.7z    Win32/HackTool.Crack.BJ potentially unsafe application    deleted - quarantined

 

 

Tom
 


Edited by tomneedshelp, 04 September 2014 - 03:21 AM.




