[Help] Got reported by ISP that I have Zeus Trojan in my internet activities

[longcong01]

Hi,

As title may have directly given you the hint, I'm experiencing some kind of virus called: Trojan Zeus.

How do I know? Here's a partial of one of many email the ISP has sent me:

"[2013-11-07 11:37:42] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-06 13:56:48] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-05 14:46:51] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-04 11:17:57] [14.201.233.226] Trojan: Zeus

 

It may be that your equipment has been compromised by a hacker or some
other malicious software has been installed onto your system. Please
obtain an up to date antivirus software and ensure that all your
machines are cleaned as a matter of urgency. If you fail to do so and
the malicious traffic persists, TPG may take steps to limit it by
suspending your service."

 

Please help me get rid of this virus.

 

So there are only 3 internet users in my home: me, and 2 sisters:

   - I have a computer.

   - My older sister has the Samsung galaxy s3 (she reads e-books from her phone though)

   - My younger sister has the ipad 4.

I don't know which one of these is the cause of the virus activities.

 

Best regards,

Allan.

[kevinf80]

Hello and

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

• Double click on AdwCleaner.exe to run the tool.
  
• Vista/Windows 7/8 users right-click and select Run As Administrator
  
• Click on the Scan button.
  
• AdwCleaner will begin...be patient as the scan may take some time to complete.
  
• When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  
• Look over the log especially under Files/Folders for any program you want to save.
  
• If there's a program you want to save, just uncheck it from AdwCleaner.
  
• If you're not sure, post the log for review.
  
• If you're ready to clean it all up.....click the Clean button.
  
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  
• Copy and paste the contents of that logfile in your next reply.
  
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  
• To restore an item that has been deleted (if necessary):
  
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

 

Kevin....

[longcong01]

Here's the report from Adwcleaner:

 

# AdwCleaner v3.011 - Report created 09/11/2013 at 21:32:34
# Updated 03/11/2013 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Allan - ALLAN-PC
# Running from : C:\Users\Allan\Downloads\Programs\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\eSupport.com
Folder Deleted : C:\Users\Allan\AppData\Local\eSupport.com
File Deleted : C:\Users\Allan\AppData\Local\Temp\Uninstall.exe

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720


-\\ Mozilla Firefox v25.0 (en-US)

[ File : C:\Users\Allan\AppData\Roaming\Mozilla\Firefox\Profiles\izgqur8w.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [1628 octets] - [09/11/2013 21:29:50]
AdwCleaner[s0].txt - [1563 octets] - [09/11/2013 21:32:34]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1623 octets] ##########
 

[longcong01]

Here's the Farbar Recovery Scan report (attachments)

Addition.txt

FRST.txt

[kevinf80]

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes,  Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware,

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the Run ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  Click Start
  
• When asked, allow the add/on to be installed
  Click Start
  
• Make sure that the option Remove found threats is unticked
  
• Click on Advanced Settings, ensure the options
  
• Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  Click Scan
  
• wait for the virus definitions to be downloaded
  
• Wait for the scan to finish
  

 

When the scan is complete

 

• If no threats were found
  
• put a checkmark in "Uninstall application on close"
  
• close program
  
• report to me that nothing was found
  

 

If threats were found

 

• click on "list of threats found"
  
• click on "export to text file" and save it as ESET SCAN and save to the desktop
  
• Click on back
  
• put a checkmark in "Uninstall application on close"
  
• click on finish
  

 

close program

 

copy and paste the report here

 

Post those logs, let me know if there are any remaining issues or concerns..

 

fixlist.txt

[longcong01]

Thanx for assisting me to this point.

Attachments are the required logs for the test runs.

 

I'd received another email from my ISP again about the activities of the virus, here's the partial content of the email (Note: I received this email 1 day before I run these test above):

 

 

[A summary of the last few complaints have been provided below:

[2013-11-09 20:35:40] [14.201.233.226] Trojan: Sality
[2013-11-09 20:35:40] [14.201.233.226] Trojan: Sality - Source Port :: 26058/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-07 14:49:35] [14.201.233.226] Trojan: Zeus
[2013-11-07 11:37:42] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com]

 

 

 

This time new trojan showed up. Please help me!

ESET SCAN.txt

Fixlog.txt

mbam-log-2013-11-11 (12-04-30).txt

[kevinf80]

The log from Malwarebytes is clean, ESET is showing nothing related to Sality (Nasty Infection) it does show some unwanted apps that are bundled with unwanted extras....

 

UNinstall FreeTime unless you trust it totally

 

Delete C:\Users\Allan\Downloads\Programs\FFSetup3.2.1.0_2.exe

 

Next,

 

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

                                     

• Make sure to get the correct version for your system.
  
• Quit all running programs
  
• Please disconnect any USB or external drives from the computer before you run this scan!
  
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  
• Wait until Prescan has finished...
  
• The following EULA will appear, please select accept
   
  
   
  
• Ensure MBR scan, Check faked and AntiRootkit are checked
  
• Select Scan
   
  
   
  
• When the scan completes select Report, copy and paste that to your reply.
   
  
   
  
• The log should be found in RKreport[?].txt on your Desktop
  
• Exit/Close RogueKiller
  
  
   
  Let me see that log, also have you had any more info from your ISP?

[longcong01]

- Attaching is the RogueKiller report log.

 

- Following is the 2 recent email from my ISP:

 

     [Nov 11 at 3:23pm]:

 

 

 

RKreport0_S_11122013_200034.txt

[longcong01]

          [Nov 11 at 3:23pm]:

[2013-11-10 14:16:16] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-10 14:06:52] [14.201.233.226] Trojan: Sality - Source Port :: 25547/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-09 20:48:37] [14.201.233.226] Trojan: Zeus
[2013-11-09 20:35:40] [14.201.233.226] Trojan: Sality

 

          [Nov 12 at 1:16pm]:

[2013-11-11 10:32:40] [14.201.233.226] Trojan: Sality - Source Port :: 25546/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-10 14:18:09] [14.201.233.226] Trojan: Zeus
[2013-11-10 14:16:16] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-10 14:06:52] [14.201.233.226] Trojan: Sality

[kevinf80]

Log from RogueKiller is clean, no issues again... OK we do the following:

 

1. Very important: First disconnect your computers from the Internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into the small hole labeled Reset located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 30 seconds).

3. Reset the IP/DNS settings of your Internet connection on each computer connected:

• Go to Start -> Control Panel -> Double click on Network Connections.
• Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
• Select the General tab.
• Double click on Internet Protocol (TCP/IP). do both V4 and V6
  • Under General tab:
    • Select "Obtain an IP address automatically".
    • Select "Obtain DNS server address automatically".

 

• Click OK twice to save the settings.
• Reboot if you had to change any setting.

4. Flush the DNS cache:

• Click the Start logo in the bottom left corner of the screen
• Click on Run
• In the command window copy/paste the following:

ipconfig /flushdns

 

• Then hit enter.
• Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

 

 

When the above is complete continue with the follow scan, this will also reset browsers to default setting, any important bookmarks should be back up...

 

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save that zip file to your Desktop.

Double click zip file and extract to your  Desktop:





you will now have 3 versions of the tool on the Desktop:




Before running Zoek make sure all Browsers are closed and Security is turned OFF. Check at the following link: http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html[/url

Double click on each in turn until one version of Zoek will run (accept UAC) The following window will open:





Copy and paste the following script from the code box and paste into the field.

emptyclsid;firefoxlook;FFdefaults;Chromelook;CHRdefaults;autoclean;iedefaults;filesrcm;startupall;silentrunners;

Select the "Run Script" tab. The following window will open:







Please be patient and do not use the PC when the scan is in progress.

When complete you maybe asked to re-boot your PC, if so please do



Post the produced log in your next reply…..
 

[longcong01]

- Zoek report log (attachment)

 

- Latest email from ISP on Nov 13 at 8:13am:

 

[2013-11-11 15:07:41] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-11 13:31:09] [14.201.233.226] Trojan: Sality
[2013-11-11 13:31:09] [14.201.233.226] Trojan: Sality - Source Port :: 10734/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-11 11:07:14] [14.201.233.226] Trojan: Zeus

zoek-results.txt

[kevinf80]

Did the new IP alert arrive before or after last procedure was run?

 

Next,

 

Please download aswMBR from here: http://files.avast.com/files/rootkit-scanner/aswmbr.exe ( 4.5MB ) save to your desktop.

 

• Double click the aswMBR.exe icon, and click Run.
  
• There will be a short delay before the next dialog box comes up.  Please just wait a minute or two.
  
• When asked if you'd like to “download the latest Avast! virus definitions", click Yes.
  
• Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  
• Click the Scan button to start the scan once the update has finished downloading
  
• On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.
  

 

Note: There will also be a file on your desktop named MBR.dat zip up that file and attach to your reply...

 

Kevin

[longcong01]

- aswMBR scan log:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-11-13 20:39:20
-----------------------------
20:39:20.592    OS Version: Windows x64 6.1.7601 Service Pack 1
20:39:20.592    Number of processors: 4 586 0x1E05
20:39:20.593    ComputerName: ALLAN-PC  UserName: Allan
20:39:23.499    Initialize success
20:43:32.882    AVAST engine defs: 13111200
20:43:43.662    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T1L0-a
20:43:43.662    Disk 0 Vendor: WDC_WD5000AAKX-00ERMA0 15.01H15 Size: 476940MB BusType: 3
20:43:43.662    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2
20:43:43.677    Disk 1 Vendor: WDC_WD15EARS-00S8B1 80.00A80 Size: 1430799MB BusType: 3
20:43:43.771    Disk 1 MBR read successfully
20:43:43.771    Disk 1 MBR scan
20:43:43.787    Disk 1 Windows 7 default MBR code
20:43:43.787    Disk 1 Partition 1 80 (A) 07    HPFS/NTFS NTFS       130700 MB offset 206848
20:43:43.802    Disk 1 Partition - 00     0F Extended LBA           1299996 MB offset 267881040
20:43:43.865    Disk 1 Partition 2 00     07    HPFS/NTFS NTFS       599993 MB offset 267881103
20:43:43.865    Disk 1 Partition - 00     05     Extended            700000 MB offset 1496674241
20:43:43.896    Disk 1 Partition 3 00     07    HPFS/NTFS NTFS       700000 MB offset 1496674304
20:43:43.927    Disk 1 scanning C:\Windows\system32\drivers
20:43:50.573    Service scanning
20:44:11.461    Modules scanning
20:44:11.461    Disk 1 trace - called modules:
20:44:11.477    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
20:44:11.492    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa800781f060]
20:44:11.492    3 CLASSPNP.SYS[fffff8800180143f] -> nt!IofCallDriver -> [0xfffffa80075e7520]
20:44:11.508    5 ACPI.sys[fffff88000e1b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80075d9680]
20:44:12.444    AVAST engine scan C:\Windows
20:44:14.004    AVAST engine scan C:\Windows\system32
20:46:39.505    AVAST engine scan C:\Windows\system32\drivers
20:46:47.258    AVAST engine scan C:\Users\Allan
20:48:03.496    AVAST engine scan C:\ProgramData
20:48:30.640    Scan finished successfully
20:49:49.982    Disk 1 MBR has been saved successfully to "C:\Users\Allan\Desktop\MBR.dat"
20:49:49.997    The log file has been saved successfully to "C:\Users\Allan\Desktop\aswMBR.txt"

- the email that you mentioned above was received BEFOREI ran that particular procedure

 

-here's the new one (received after I ran the procedure in post #10 - the zoek, but before the procedure in post #12)

 

[2013-11-12 18:04:31] [14.201.233.226] Trojan: Sality - Source Port :: 18486/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-12 14:47:19] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-12 09:53:19] [14.201.233.226] Trojan: Sality - Source Port :: 11091/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-11 15:07:41] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com

[longcong01]

sorry, here's the MBR.dat file

MBR.rar

[kevinf80]

Still clean logs are produced, ok run the following:

 

Download Junkware Removal tool from this link:

http://www.bleepingcomputer.com/download/junkware-removal-tool/

Save to your desktop.

 

 

•  

   

• Shut down your Security Protection software now to avoid potential conflicts.

   

   

• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator. Follow prompts as they come.

   

   

• The tool will open and start scanning your system. (Press any key when prompted to continue)

   

   

• Please be patient as this can take a while to complete depending on your system's specifications.

   

   

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

   

   

• Post JRT.txt to your next message.

   

   

 

 

Next,

 

Please download MiniToolBox from here: http://www.bleepingcomputer.com/download/minitoolbox/dl/65/ save it to your desktop and run it.
Checkmark the following checkboxes:

 

• 
  

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files
List Restore Points

 

 

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

 

Next,

 

Download OTL from any of the following links and save to your desktop.

 

http://itxassociates.com/OT-Tools/OTL.com

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassociates.com/OT-Tools/OTL.scr

 

Double click the OTL icon to start the tool. (Note: If you are running on Vista or Windows 7 accept UAC alert)

 

 

•  

   

• When the window appears, underneath Output at the top, make sure Standard output is selected.

   

   

• Select Scan all users

   

   

• Change Drivers to All

   

   

• Under the Extra Registry section, check Use SafeList

   

   

• In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".

   

   

• Click Run Scan and let the program run uninterrupted.

   

   

• When the scan is complete, two text files will be created on your Desktop.

   

   

• OTL.Txt <- this one will be opened

   

   

• Extras.txt <- this one will be minimized

   

   

 

 

Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of OTL.Txt and the Extras.txt in your next reply.

NOTE: These logs can be long so please use multipul post if need be.

 

Post those logs in next reply...
 

[longcong01]

- attachments are the required logs

- no email from ISP

Extras.Txt

JRT.txt

OTL.Txt

Result.txt

[kevinf80]

What is the status of your system now, any issues/concerns?

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the Run ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  Click Start
  
• When asked, allow the add/on to be installed
  Click Start
  
• Make sure that the option Remove found threats is unticked
  
• Click on Advanced Settings, ensure the options
  
• Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  Click Scan
  
• wait for the virus definitions to be downloaded
  
• Wait for the scan to finish
  

 

When the scan is complete

 

• If no threats were found
  
• put a checkmark in "Uninstall application on close"
  
• close program
  
• report to me that nothing was found
  

 

If threats were found

 

• click on "list of threats found"
  
• click on "export to text file" and save it as ESET SCAN and save to the desktop
  
• Click on back
  
• put a checkmark in "Uninstall application on close"
  
• click on finish
  

 

close program

 

copy and paste the report here

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Secuirity Check runs)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Post those logs

[longcong01]

- So I tried to run the esset online scan with the exact instruction above but it turned out being something like "You are trying to launch ESET Online Scanner in a different browser than Internet Explorer".

  I'd clear cache and cookies of the IE and tried again but still fail

 

-Here's the latest email from ISP (received before the procedure in post #17)

 

[2013-11-13 14:16:33] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-13 13:28:49] [14.201.233.226] Trojan: Zeus
[2013-11-13 10:16:34] [14.201.233.226] Trojan: Sality - Source Port :: 12250/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-12 18:04:31] [14.201.233.226] Trojan: Sality - Source Port :: 18486/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
 

[longcong01]

So I've just noticed something in my Mozilla Firefox browser.

Whenever I open it or get a new tab, this page appear "https://www.google.com.au/?gfe_rd=ctrl&ei=l7mFUqrOOsHC8gel6oHYBA&gws_rd=cr"

I'm just wondering is that normal or something wrong with it as shouldn't it just be "https://www.google.com.au"?

[kevinf80]

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save that zip file to your Desktop.

 

Double click zip file and extract to your  Desktop:

 

 

 

 

you will now have 3 versions of the tool on the Desktop:

 

 

 

Before running Zoek make sure all Browsers are closed and Security is turned OFF. Check at the following link: http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html[/url

 

Double click on each in turn until one version of Zoek will run (accept UAC) The following window will open:

 

 

 

 

Copy and paste the following script from the code box and paste into the field.

standardsearch;autoclean;emptyclsid;firefoxlook;FFdefaults;Chromelook;CHRdefaults;iedefaults; 

Select the "Run Script" tab. The following window will open:

 

 

 

 

 

 

Please be patient and do not use the PC when the scan is in progress.

 

When complete you maybe asked to re-boot your PC, if so please do

 

 

Post the produced log in your next reply…..

 

Also let me know if FireFox issue is repaired

[longcong01]

- attachment is the zoek log

 

- the Firefox issue still remain after I ran the zoek

zoek-results.txt

[kevinf80]

Open Firefox, select > Tools > Options > In the new window select the "General" tab. On that page amend your homepage to show the url you want...

 

I show you an image of my settings, let me know if that helps... Also if any remaining issues or concerns.

 

 

[longcong01]

It's kind of solved the problem.

 

What I've meant by "kind of" is:

 

-when I open a new browser, it's actually "google.com.au"

-however, when I open a new tab from that browser, it's still that "https://www.google.com.au/?gfe_rd=cr&ei=KsKGUs3PDOTC8gejsoHICQ"

 

Latest email from my ISP:

 

[2013-11-14 19:39:12] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-14 15:38:28] [14.201.233.226] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-14 14:38:26] [14.201.233.226] Trojan: Zeus 
[2013-11-14 14:13:28] [14.201.233.226] Trojan: Sality 

[kevinf80]

I want you to reset firefox back to defaults, to do this I need you to do this:

 

• At the top of the Firefox window, click the "Firefox" button, go over to the "Help" sub-menu
  
• or if the “Menu bar” is active and select “Help” then select "Troubleshooting Information".
  
• Click the "Reset Firefox" button in the upper-right corner of the Troubleshooting Information page.
  
• click "Reset Firefox" in the confirmation window that opens.
  
• Firefox will close and be reset. When it's done. Click "Finish" and Firefox will open.
  

 

Go back to tools > options > general tab. Make sure your Homepage is set correctly

 

Does that make a difference?

 

If Internet Explorer has same problems do this also;

 

go here - http://support.microsoft.com/kb/923737 scroll to the "Fixit" tool and run that.

 

Then I want you to do the following:

• Re-Start Internet Explorer.
  
• Select “Tools”
  
• click on "safety"
  
• click on "Delete Browsing History"
  
• make sure all boxes are checked
  
• click on "Delete"
  
• click on "Tools",
  
• click "Internet Options".
  
• On the "Advanced" tab, click "Reset"
  
• put a check mark next to "Delete Personal Settings"
  
• click "Reset" to confirm
  
• when complete click the "Close" button
  
• restart IE
  
• Click on “Tools”
  
• Select “Toolbars and Extensions” Under “Show” have “Currently loaded Addons” selected
  
• Any entries not recognized, just remove them…
  
• Restart IE.
  

 

Let me know if that helps,

[longcong01]

- Yup, that did solved the problem. Thanx for now. IE seem to have nothing wrong btw.

- I'll tell you if I keep getting email from my ISP about the trojans.