

ISP email says I have Zbot/Zeus


  • This topic is locked
10 replies to this topic

#1 Pcmaker

Pcmaker

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 30 June 2017 - 05:08 PM

So, I received this email from my ISP, Cox Communications.

 

 

Dear Subscriber,

Cox has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot.
While this malicious software is not new, it still poses a great risk to your computer and files that reside on your hard drive.

Zeus malware uses keylogging in order to access user names and passwords and infected over 13 million computers worldwide.

We recommend you take the following action:

1. Visit the Microsoft or Symantec website, download and run the FREE removal tool:

http://www.microsoft.com/security/scanner/

http://www.symantec.com/security_response/writeup.jsp?docid=2014-052915-1402-99

After running the free Microsoft removal tool, if you already have security software installed on your system:
2)  Follow your security software's instructions to download the latest updates (also known as "virus definitions")
3)  When the new definitions have been loaded, perform a full virus scan on your system.

Cox Security Suite Plus powered by McAfee is included FREE with your Cox High Speed Internet service.  This software can be used to help protect up-to 5  devices in your home, including Windows and Mac OS computers, and Android and Apple tablets and smartphones.
To get started, simply browse to www.cox.com/securitysuite and login with your Cox primary User ID and Password.
If you already have an Anti-virus solution installed, you should refer to your software manual before installing the Cox Security Suite.

If you have any questions regarding this matter, please call us at 800-753-6085 and provide the reference number provided in the subject of this email.

If you would like additional information on the Zeus botnet we recommend these articles:

http://www.us-cert.gov/ncas/alerts/TA14-150A

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fZbot


Regards,

Cox Customer Safety

 

I scanned my PC, which runs Windows 7 with Spybot, Malwarebytes, and CCleaner. I also scanned with FixNecurs64bit and Malwarebytes' rootkit scanner.

 

All these programs didn't find anything.

 

I scanned with HiJackthis and this is the log:

 

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 3:07:36 PM, on 6/30/2017
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17937)

FIREFOX: 53.0.3 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\TeamViewer\TeamViewer.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Windows\SysWOW64\HsMgr.exe
C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\ASUS Xonar DX Audio\Customapp\ASUSAUDIOCENTER.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft® MMO Gaming Mouse Legendary Edition\WoWMHID4.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe
C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft® MMO Gaming Mouse Legendary Edition\WoWMTray4.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMTray2.exe
C:\Program Files\Common Files\LogiShrd\sp6\LU1\LULnchr.exe
C:\Program Files\Common Files\LogiShrd\sp6\LU1\LogitechUpdate.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\World of Warcraft\World of Warcraft Launcher.exe
C:\Users\pcmaker\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-74b3bfb3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~2\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Logitech SetPoint - {AF949550-9094-4807-95EC-D1C317803333} - C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SteelSeries World of Warcraft® MMO Gaming Mouse Legendary Edition] "C:\Program Files (x86)\SteelSeries\World of Warcraft® MMO Gaming Mouse Legendary Edition\WoWMHID4.exe"
O4 - HKLM\..\Run: [SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse] "C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe"
O4 - HKLM\..\Run: [IJNetworkScannerSelectorEX] C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Wisdom-soft AutoScreenRecorder 3.1 Free] 0
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SPReview] "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~2\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASUS Com Service (asComSvc) - Unknown owner - C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
O23 - Service: ASDiskUnlocker - ASUSTeK Computer Inc. - C:\Program Files (x86)\ASUSTek Computer Inc\Disk Unlocker\ASPFSVS64.exe
O23 - Service: DTSAudioSvc - DTS, Inc - C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Foxit Cloud Safe Update Service (FoxitCloudUpdateService) - Foxit Software Inc. - C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
O23 - Service: NVIDIA GeForce Experience Service (GfExperienceService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Network Service (NvNetworkService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
O23 - Service: NVIDIA Streamer Network Service (NvStreamNetworkSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
O23 - Service: NVIDIA Streamer Service (NvStreamSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Origin Client Service - Electronic Arts - C:\Program Files (x86)\Origin\OriginClientService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Roxio Burn Launcher (RoxioBurnLauncher) - Unknown owner - C:\Program Files (x86)\Roxio Creator NXT 2\Roxio Burn\RoxioBurnLauncher.exe
O23 - Service: RoxMediaDB15 - Corel Corporation - C:\Program Files (x86)\Roxio Creator NXT 2\Common\RoxMediaDB15.exe
O23 - Service: Roxio Hard Drive Watcher 15 (RoxWatch15) - Corel Corporation - C:\Program Files (x86)\Roxio Creator NXT 2\Common\RoxWatch15.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Riverbed Technology, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Seagate Scheduler2 Service (SgtSch2Svc) - Seagate - C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvscpapisvr.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TeamViewer 10 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Update service - Popcorn Time - C:\Program Files (x86)\Popcorn Time\Updater.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12212 bytes
 

 

Is there anything on the Hijackthis log that stands out?
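As an added example (not a BleepingComputer, Trend Micro or forum tool), the following Python script parses a HijackThis 2.x log like the one above and applies a few conservative rules a log reader normally applies by hand: R0/R1 browser pages pointing at a host outside a small allowlist, O4 autorun values that carry no file path, O23 services with no vendor attribution, entries listed twice, and the "(file missing)" marks on native Windows services, which on a 64-bit host are an artefact of running the 32-bit HijackThis (it sees the redirected SysWOW64 directory, not the real System32). The sample log is a subset of the posted lines plus one constructed R1 line pointing at search.example.invalid so the allowlist rule has something to catch; the allowlist, the rule categories and the sample are assumptions of this example.

```python
"""Added triage helper for HijackThis 2.x logs (assumed rules, constructed sample)."""
import re
from collections import Counter
from urllib.parse import urlparse

# One entry per line: section code, ' - ', body (e.g. 'O23 - Service: ...').
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Hosts the posted R0/R1 lines legitimately point at (assumed allowlist).
KNOWN_IE_HOSTS = {"go.microsoft.com", "www.bing.com"}

# Constructed sample: a subset of the posted log plus one constructed R1 line
# (host search.example.invalid) that exercises the allowlist rule.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.5
Platform: Windows 7 SP1 (WinNT 6.00.3505)

Running processes:
C:\Users\pcmaker\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-74b3bfb3
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~2\SDHelper.dll
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Wisdom-soft AutoScreenRecorder 3.1 Free] 0
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Update service - Popcorn Time - C:\Program Files (x86)\Popcorn Time\Updater.exe

--
End of file - 12212 bytes
"""


def parse_entries(text):
    """Return (section, body) for every entry line; headers and process paths are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def triage(text):
    """Apply the rules and return a list of (category, section, message) tuples."""
    entries = parse_entries(text)
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            # Body is 'HKxx\...,Value = URL'; an empty URL is a cleared default, not a finding.
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname
            if host and host not in KNOWN_IE_HOSTS:
                findings.append(("review", code, f"IE page points at unexpected host {host}"))
        elif code == "O4":
            # '[Name] command'; a value without a backslash or drive colon launches nothing.
            m = re.match(r".*\[(.+?)\]\s*(.*)$", body)
            if m and not re.search(r"[\\:]", m.group(2)):
                findings.append(("stale", code,
                                 f"autorun '{m.group(1)}' carries no file path ({m.group(2)!r})"))
        elif code == "O23":
            path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            if body.endswith("(file missing)") and path.lower().startswith("c:\\windows\\"):
                # 32-bit HijackThis on 64-bit Windows reads the redirected SysWOW64 directory,
                # so native System32 services show as missing; this is not evidence of malware.
                findings.append(("wow64-artefact", code,
                                 f"{path} reported missing by a 32-bit scanner on x64"))
            elif "Unknown owner" in body:
                findings.append(("review", code, f"service without vendor attribution: {path}"))
    # The posted log lists the same Winsock LSP line twice; surface any exact repeats.
    for (code, body), n in Counter(entries).items():
        if n > 1:
            findings.append(("duplicate", code, f"entry listed {n} times: {body[:60]}"))
    return findings


if __name__ == "__main__":
    for category, code, message in triage(SAMPLE_LOG):
        print(f"[{category:<14}] {code:<4} {message}")
```

Run it against a full log by replacing `SAMPLE_LOG` with the file contents; entries that produce no finding (the Spybot BHO, the Popcorn Time updater service with a named vendor) are still worth reading by eye, since the rules only encode what the log format itself makes checkable.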





#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,648 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:13 AM

Posted 01 July 2017 - 11:10 AM

Pcmaker:
 
:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil.  May I address you by your first name?
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I would ask that you please copy and paste the contents of all requested log files directly into your replies.  I know that the instructions do say to attach the "Addition.txt" file, but it is much faster for me to analyze the logs when they are copied and pasted into your replies.  Please do not use "code" or "quote" boxes.  Thank you for your anticipated cooperation.
 

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:
  • I am a Bleeping Computer volunteer, so I ask you to be patient.  I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message.  Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post.  After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear."  Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed.  Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware.  It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed.  Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy.  Evidence of  illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended.  Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled.  P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me.  Together, we can, hopefully, disinfect your computer and get it functioning properly again.  That is my only aim.
.
 
OK, let's get started ...
 
:step1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.
Don't forget to re-enable your antivirus when finished!

.

:step2: Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
  • Note 2: When FRST is run, it also generates another log (Addition.txt - also located in the same directory the tool was run from). Please also copy and paste that, along with the FRST.txt, into your next reply.
.

Thank you and have a great day.

Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#3 Pcmaker

Pcmaker
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 02 July 2017 - 09:09 AM

It found some that my other antivirus programs didn't find, but it didn't see a Zbot/Zeus virus. I wonder if I really do have it.

 

 

C:\Program Files (x86)\Dishonored\Binaries\Win32\steam_api.dll    a variant of Win32/HackTool.Crack.BL potentially unsafe application    cleaned by deleting
C:\Program Files (x86)\dzrepack\Dragon Age Inquisition\3dmgame.dll    a variant of Win32/Packed.VMProtect.AAA trojan    cleaned by deleting
C:\Program Files (x86)\Kazaa Lite\TopSearch.dll    Win32/Adware.Altnet application    cleaned by deleting
C:\Program Files (x86)\Wisdom-soft AutoScreenRecorder 3 Free\AskInstallChecker.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    cleaned by deleting
C:\Users\pcmaker\AppData\Roaming\uTorrent\uTorrent.exe    a variant of Win32/AdkDLLWrapper.A potentially unwanted application    cleaned by deleting
C:\Users\pcmaker\AppData\Roaming\uTorrent\updates\3.3.1_30017.exe    a variant of Win32/AdkDLLWrapper.A potentially unwanted application    cleaned by deleting
C:\Users\pcmaker\Documents\ROXIO.CREATOR.2012.PRO-MAGNiTUDE\m-rc2012.iso    a variant of Win32/Packed.VMProtect.AAD trojan    deleted
C:\Users\pcmaker\Documents\Windows 7 Ultimate Sp1 x64 En-Us ESD Oct2016 Pre-Activated=-TEAM OS=-\Win_7_ Ultimate_ Sp1_ En-Us_Oct_ 2016_ x64.iso    Win32/HackTool.WinActivator.I potentially unsafe application    deleted
C:\Users\pcmaker\Documents\Windows 7 Ultimate Sp1 x86 En-Us ESD Oct2016 Pre-Activated=-TEAM OS=-\Win_7_ Ultimate_ Sp1_ En-Us_Oct_ 2016_ x86.iso    Win32/HackTool.WinActivator.I potentially unsafe application    deleted
C:\Users\pcmaker\Downloads\MiniTool Partition Wizard Professional Edition 8.1.1+Keygen {AmanPC}\Keygen\KeyGen.exe    Win32/Keygen.KH potentially unsafe application    cleaned by deleting
E:\Documents\ROXIO.CREATOR.2012.PRO-MAGNiTUDE\m-rc2012.iso    a variant of Win32/Packed.VMProtect.AAD trojan    deleted
E:\Documents\Windows 7 Ultimate Sp1 x64 En-Us ESD Oct2016 Pre-Activated=-TEAM OS=-\Win_7_ Ultimate_ Sp1_ En-Us_Oct_ 2016_ x64.iso    Win32/HackTool.WinActivator.I potentially unsafe application    deleted
 



#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,648 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:13 AM

Posted 02 July 2017 - 11:32 AM

Pcmaker:
 
Thank you for the ESET Online Scanner log.  In future, please do not use quote or code boxes as it reduces the font size.  Please copy and paste all requested logs directly into your replies.
 
At this point in time, I cannot state with any certainty whether you have the reported zbot/zeus virus.
 
.
 
:step1: Scan with CKScanner

Download CKScanner by askey127 and save it to your desktop.

  • Right-click on the CKScanner icon and select Run as Administrator to start the tool.
  • Click Search For Files.
  • When finished, click Save List To File.
  • Remember to run this tool once only, if not asked to run it again.

Please copy and paste the content of CKFiles.txt into your next reply.

.

:step2: Please run a FRST scan, as previously requested. Please copy and paste the contents of both the "FRST.txt" and "Addition.txt" scan logs into your next reply, or replies. Sometimes, if the logs are large, you have to post them individually.

 

.

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#5 Pcmaker

Pcmaker
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 03 July 2017 - 06:33 AM

It only gives me 1 .txt file named ckfiles.txt.

 

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\dishonored\dishonoredgame\dlc\pcconsole\dlc07\ui_tuto_crackedcharms_sf.upk
c:\program files (x86)\dishonored\dishonoredgame\localization\int\dlc07_pckp_crackedbonecharms.int
c:\users\pcmaker\documents\adobe cs5\adobe photoshop cs5 extended\crack\adbe_crack - 32bit.rar
c:\users\pcmaker\documents\adobe cs5\adobe photoshop cs5 extended\crack\adbe_crack - 64bit.rar
c:\users\pcmaker\documents\adobe cs5\adobe photoshop cs5 extended\crack\apcs5 - crack read me.txt
c:\users\pcmaker\documents\adobe cs5\adobe photoshop cs5 extended\crack\adbe_crack - 32bit\amtlib.dll
c:\users\pcmaker\documents\importante\dfx 6.008 winamp (+crack).exe
c:\users\pcmaker\documents\importante\thecrack.htm
c:\users\pcmaker\documents\tanan\konfabulator.v1.8.incl.crack.team.lucid.rar
c:\users\pcmaker\documents\tanan\winzip.9.0.+.keygen.rar
c:\users\pcmaker\documents\vso convertxtodvd 5.3.0.3 final + crack + key [karanpc]\crack.rar
c:\users\pcmaker\documents\vso convertxtodvd 5.3.0.3 final + crack + key [karanpc]\instruction.txt
c:\users\pcmaker\documents\vso convertxtodvd 5.3.0.3 final + crack + key [karanpc]\key.txt
c:\users\pcmaker\documents\vso convertxtodvd 5.3.0.3 final + crack + key [karanpc]\thumbs.db
c:\users\pcmaker\documents\vso convertxtodvd 5.3.0.3 final + crack + key [karanpc]\vsoconvertxtodvd5_setup.exe
c:\users\pcmaker\documents\winamp 5.0.5  i  dfx 7.010 plugin\dfx plugins v6.x.x generic universal_crack.exe
c:\users\pcmaker\documents\winamp 5.0.5  i  dfx 7.010 plugin\dfx v7.010 generic crack.rar
c:\users\pcmaker\downloads\minitool partition wizard professional edition 8.1.1+keygen {amanpc}\install notes.txt
c:\users\pcmaker\downloads\minitool partition wizard professional edition 8.1.1+keygen {amanpc}\pwpe8.exe
scanner sequence 3.IJ.11.SJABM0
 ----- EOF -----
 



#6 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,648 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:13 AM

Posted 04 July 2017 - 12:21 PM

Pcmaker:

 

Thank you for the CKScanner log file.  Unfortunately you did not provide the FRST scans that I requested in this post, Step :step2:.

 

:step1: Unfortunately, in going over your CKScanner log, I see evidence of a software utility, or utilities, used to evade software licensing requirements for one or more programs. You might not be aware of this/these program(s), so I am NOT accusing you of knowingly installing this/these program(s) on your computer.

Bleeping Computer does not condone software piracy. Downloading and using such software, apart from being illegal by infringing on copyrights, is a MAJOR attack vector for malware. If you use such software, it is not a question of "IF" your computer will be infected, but only "WHEN", and by HOW MANY different variants of malware!

I am going to have to ask you to remove any and all software that you do not own, and to remove the software that is evading licensing requirements. If you are not aware of that software utility, or utilities, then you must agree, that as a part of my "fix" for your computer, I will remove/disable any, and all, such software, tasks, etc., designed to evade legal software licensing requirements that I detect in the scan logs.

If that is agreeable to you, then after you have uninstalled any illicit software, please run CKScanner scan for me again.

.


:step2: Scan with CKScanner

Download CKScanner by askey127 and save it to your desktop.

  • Right-click on the CKScanner icon and select Run as Administrator to start the tool.
  • Click Search For Files.
  • When finished, click Save List To File.
  • Remember to run this tool once only, if not asked to run it again.

Please copy and paste the content of CKFiles.txt into your next reply.

.


:step3: Please run a fresh FRST scan. Please copy and paste the contents of both the "FRST.txt" and "Addition.txt" scan logs into your next reply or replies.  Sometimes when the FRST logs are large, you have to post them in individual posts.

.

Thank you and have a great day.

Regards,
-Phil
 


Member of the Unified Network of Instructors and Trusted Eliminators


#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,648 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:13 AM

Posted 07 July 2017 - 09:57 AM

Pcmaker:

 
Are you still there?  Do you still require assistance?  It has been three days since I last posted to you.
 
According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#8 Pcmaker

Pcmaker
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 07 July 2017 - 04:41 PM

Yeah, I'm getting no results. Thanks. I just thought it was weird my ISP sent me that email and also put a pop up on my chrome browser stating the same thing. I doubt I have anything.



#9 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,648 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:13 AM

Posted 08 July 2017 - 12:35 PM

Pcmaker:

 

Do you have any other computer issues to be addressed?  If not, I will conclude your topic.

 

Please let me know.  Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#10 Pcmaker

Pcmaker
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:13 AM

Posted 08 July 2017 - 04:37 PM

Nope. Lock 'er up.



#11 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,648 posts
  • OFFLINE
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:13 AM

Posted 09 July 2017 - 05:54 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Member of the Unified Network of Instructors and Trusted Eliminators




