
[Help] Got reported by ISP that I have Zeus Trojan in my internet activities



The virus is still around. Here's part of the email I just received this morning:

 

[2013-11-16 00:18:04] [14.201.239.89] Trojan: Zeus 
[2013-11-16 00:08:30] [14.201.239.89] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-16 00:01:54] [14.201.239.89] Trojan: Sality 
[2013-11-16 00:01:54] [14.201.239.89] Trojan: Sality - Source Port :: 11750/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus

 

It looks different from any of the previous ones.

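The ISP notices above follow a small fixed format: a timestamp, the public IP the traffic was attributed to, the malware family, and for some lines a detail suffix (Zeus lines name the sinkhole address and the sinkholed domain; Sality lines carry "Key :: value" pairs with the source port and destination DNS name). The following is an added example, not code from the thread or from the ISP: it parses those lines into records and pulls out the network indicators worth hunting for on the LAN. The format is inferred from the pasted notices, SAMPLE_NOTICES are copies of those notice lines, and the field names (family, sinkhole, domain, src_port, extra) are this example's own naming. Note what the notices do and do not tell you: the IP is the router's public address, so any device behind it could be the source, and the change from 14.201.239.89 to 14.201.233.223 is just a new lease, not a second machine.

```python
"""Parse the ISP abuse-notice lines quoted in this thread into structured records.

Added example, not code from the thread or from the ISP. The line format is
inferred from the notices pasted above; SAMPLE_NOTICES are copies of those
lines, and the record field names are this example's own naming.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# "[ts] [public ip] Trojan: <family>" with an optional " - <detail>" suffix.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+"
    r"Trojan:\s+(?P<family>[A-Za-z0-9_]+)"
    r"(?:\s+-\s+(?P<detail>.*))?$"
)
# Zeus detail form:   "sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com"
SINKHOLE_RE = re.compile(
    r"sinkhole:\s*(?P<host>[\d.]+):(?P<port>\d+)\s+domain:\s*(?P<domain>\S+)"
)
# Sality detail form: "Source Port :: 11750/tcp  Destination Port :: 80/tcp ..."
KV_RE = re.compile(r"(?P<key>[A-Za-z ]+?)\s*::\s*(?P<val>\S+)")

# Copies of the notice lines pasted in this thread (constructed sample input).
SAMPLE_NOTICES = [
    "[2013-11-16 00:18:04] [14.201.239.89] Trojan: Zeus ",
    "[2013-11-16 00:08:30] [14.201.239.89] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com",
    "[2013-11-16 00:01:54] [14.201.239.89] Trojan: Sality ",
    "[2013-11-16 00:01:54] [14.201.239.89] Trojan: Sality - Source Port :: 11750/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus",
    "[2013-11-19 09:58:20] [14.201.233.223] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com",
    "[2013-11-19 09:20:51] [14.201.233.223] Trojan: Sality - Source Port :: 11581/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus",
]


@dataclass
class Notice:
    ts: datetime
    ip: str                          # public IP the ISP attributes the traffic to
    family: str                      # "Zeus", "Sality", ...
    sinkhole: Optional[str] = None   # "ip:port" of the sinkhole the host talked to
    domain: Optional[str] = None     # sinkholed / C2 domain named in the notice
    src_port: Optional[int] = None   # source port the ISP sensor saw
    extra: dict = field(default_factory=dict)  # other "Key :: value" pairs


def parse_notice(line: str) -> Optional[Notice]:
    """Return a Notice for one ISP line, or None if the line is not a notice."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    n = Notice(ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               ip=m["ip"], family=m["family"])
    detail = m["detail"] or ""
    s = SINKHOLE_RE.search(detail)
    if s:
        n.sinkhole = f"{s['host']}:{s['port']}"
        n.domain = s["domain"]
    for kv in KV_RE.finditer(detail):
        n.extra[kv["key"].strip().lower().replace(" ", "_")] = kv["val"]
    if "destination_dns" in n.extra:
        n.domain = n.extra["destination_dns"]
    if "source_port" in n.extra:             # "11750/tcp" -> 11750
        n.src_port = int(n.extra["source_port"].split("/")[0])
    return n


def indicators(lines) -> dict:
    """Network indicators per family: sinkhole ip:port and domains to hunt for."""
    iocs = defaultdict(set)
    for n in map(parse_notice, lines):
        if n is not None:
            iocs[n.family].update(x for x in (n.sinkhole, n.domain) if x)
    return {fam: sorted(v) for fam, v in iocs.items()}


def reported_ips(lines) -> list:
    """Public IPs the notices were attributed to. A change is a new DHCP lease;
    every device behind that router is a candidate for the infected host."""
    return sorted({n.ip for n in map(parse_notice, lines) if n})


if __name__ == "__main__":
    for fam, iocs in indicators(SAMPLE_NOTICES).items():
        print(f"{fam}: {', '.join(iocs)}")
    print("reported public IPs:", ", ".join(reported_ips(SAMPLE_NOTICES)))
```

Feed the real notice text to `indicators()` and use the resulting addresses and names as the things to look for in the router's connection table or on each machine on the LAN, not just on the PC being scanned.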

Select Start, in the search box type services.msc and hit Enter; in the new window check that these entries are running and set to Automatic:

 

DHCP Client

DNS Client

 

Go to Start > All Programs > Accessories > Right click on "Command Prompt" select "Run As Administrator"

Run the following commands, hitting the Enter key after each one; it may be easier to copy and paste each command to get the spaces correct....

 

netsh winsock reset catalog

netsh int ipv4 reset reset.log

netsh int ipv6 reset reset.log

ipconfig /flushdns

ipconfig /release

ipconfig /renew

ipconfig /registerdns

 

Then reboot.

 

See if that helps...

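The reset sequence above rebuilds the Winsock catalog, the IP stacks and the DNS cache, but it does not tell you whether this PC is the machine talking to the sinkhole. A quick check a practitioner would run before those commands (because `ipconfig /flushdns` wipes the evidence) is to compare the output of `netstat -ano` and `ipconfig /displaydns` against the indicators in the ISP notices. The following is an added example, not code from the thread: the indicator values are the ones quoted in the notices, while NETSTAT_SAMPLE and DISPLAYDNS_SAMPLE are constructed stand-ins for the two commands' output (the private addresses, PIDs and TTLs in them are made up). In practice run the real commands, save their text and pass it to these functions.

```python
"""Match a Windows host's sockets and DNS cache against the ISP's indicators.

Added example, not part of the original thread. SINKHOLE_IP and IOC_DOMAINS
come from the notices quoted above; the two *_SAMPLE strings are constructed
stand-ins for `netstat -ano` and `ipconfig /displaydns` output.
"""
import re

# From the ISP notices quoted in the thread.
SINKHOLE_IP = "82.165.37.26"
IOC_DOMAINS = {"appds8.www8binup.com", "akdari.com"}

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.23:11750     82.165.37.26:80        ESTABLISHED     3044
  TCP    192.168.1.23:49211     203.0.113.9:443        ESTABLISHED     1620
  UDP    0.0.0.0:5355           *:*                                    1108
"""

# Constructed sample of `ipconfig /displaydns` output (TTLs are made up).
DISPLAYDNS_SAMPLE = """\
Windows IP Configuration

    appds8.www8binup.com
    ----------------------------------------
    Record Name . . . . . : appds8.www8binup.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3520
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 82.165.37.26

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 86
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 93.184.216.34
"""

# One netstat row: proto, local, remote, optional state (UDP has none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_host_port(addr):
    """'82.165.37.26:80' -> ('82.165.37.26', 80); '[::1]:135' -> ('::1', 135)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def flag_connections(netstat_text, bad_ips=frozenset({SINKHOLE_IP})):
    """(pid, local, remote, state) for every socket whose peer is a listed IP."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        remote_host, _ = split_host_port(m["remote"])
        if remote_host in bad_ips:
            hits.append((int(m["pid"]), m["local"], m["remote"], m["state"] or ""))
    return hits


def flag_dns_cache(displaydns_text, bad_domains=frozenset(IOC_DOMAINS),
                   bad_ips=frozenset({SINKHOLE_IP})):
    """Cached names that are a listed domain (or a subdomain of one) or that
    resolve to a listed IP. `ipconfig /displaydns` prints one block per name,
    so we track the current 'Record Name' and look at the A records under it."""
    hits, name = set(), None
    for line in displaydns_text.splitlines():
        m = re.match(r"\s*Record Name[ .]*:\s*(\S+)", line)
        if m:
            name = m.group(1).lower()
            if name in bad_domains or any(name.endswith("." + d) for d in bad_domains):
                hits.add(name)
            continue
        m = re.match(r"\s*A \(Host\) Record[ .]*:\s*(\S+)", line)
        if m and name and m.group(1) in bad_ips:
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for pid, local, remote, state in flag_connections(NETSTAT_SAMPLE):
        print(f"PID {pid}: {local} -> {remote} {state}")
    print("cached indicator names:", flag_dns_cache(DISPLAYDNS_SAMPLE))
```

A hit gives you a PID to look up with `tasklist /FI "PID eq 3044"` (and the image path via Task Manager or Process Explorer). Two caveats: a single `netstat` snapshot only shows sockets open at that instant, and a bot's HTTP check-in is short-lived, so sample repeatedly or log at the router; and no hits on this PC does not clear the household, because the ISP only sees the router's public IP and any other device behind it could be the source.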

Here's the latest email from the ISP

 

[2013-11-18 00:51:58] [14.201.239.89] Trojan: Zeus 
[2013-11-18 00:37:42] [14.201.239.89] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com
[2013-11-18 00:27:37] [14.201.239.89] Trojan: Sality - Source Port :: 25541/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-16 00:18:04] [14.201.239.89] Trojan: Zeus 


All scans are coming back clean, nothing relating to malware/infection.... Let's run this last scan from outside of Windows; if this is clean there are no problems with your PC....

 

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit

Run the tool; Windows 7 or Vista users right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"

 

WD2.png

 

In the new window accept the agreement:

 

WD2a.png

 

In the new window select your USB Flash Drive, then select "Next"

 

WD3.png

 

In the new window ensure your Flash drive is selected; if not, click on "Refresh", then select "Next"

 

WD3a.png

 

In the new window accept the formatting alert by selecting "Next"

 

WD3b.png

 

Files will be Downloaded:

 

WD4.png

 

Files will be processed and created

 

WD5.png

 

Flash drive will be formatted and prepared

 

WD6.png

 

Files will be added to the Flash Drive and the tool will be created.

 

WD7.png

 

The procedure is finished and the Tool created, click on "Finish" to complete.

 

WD8.png

 

Plug the USB into the sick PC and boot up. If it does not boot from the flash drive, change the boot options as required: use F12 as it boots and change the options...

As it boots you'll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.

When complete do a full scan, deal with what it finds.

When finished, remove the USB stick then press the Esc key to boot into regular windows.

Navigate to the following file:

 

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt" Open with notepad and copy and paste it into a reply.


- So the thing is I tried to run the scan twice. But both times, during the full scan, my system just crashed and a blue screen appeared (blue screen of death?). I did exactly as instructed above, by the way.

- Latest email from ISP

[2013-11-19 09:58:20] [14.201.233.223] Trojan: Zeus - sinkhole: 82.165.37.26:80 domain: appds8.www8binup.com

[2013-11-19 09:20:51] [14.201.233.223] Trojan: Sality - Source Port :: 11581/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-18 20:21:04] [14.201.233.223] Trojan: Sality - Source Port :: 25764/tcp  Destination Port :: 80/tcp Destination DNS :: akdari.com Varient :: Sality_Virus
[2013-11-18 00:51:58] [14.201.239.89] Trojan: Zeus 


Kaspersky Rescue CD

STEP A:

 

Download and create a bootable Kaspersky Rescue Disk CD

 

1. Download the Kaspersky Rescue Disk ISO image from below.

 

 KASPERSKY RESCUE DISK DOWNLOAD LINK (This link will open a new page from where you can download Kaspersky Rescue Disk ISO)

 

2. Download ImgBurn, a software that will help us create this bootable disk. (If you already have necessary software, use that)

 

 IMGBURN DOWNLOAD LINK (This link will open a new page from where you can download ImgBurn)

3. You can now insert your blank DVD/CD in your burner.

 

4. Install ImgBurn by following the prompts and then start this program.

 

5. Click on the Write image file to disc button.

 

6. Under 'Source' click on the Browse for file button, then browse to the location where you previously saved the Kaspersky Rescue Disk ISO file (kav_rescue_10.iso).

 

7. Click on the big Write button.

 

8. The disc creation process will now start and it will take around 5-10 minutes to complete.

 

 

STEP B:

 

Configure the computer to boot from CD-ROM

 

On some machines,if you restart the computer and repeatedly tap the F11 key it should bring up the Boot Menu, from there you can select to boot from the CD.

IF this doesn't happen then you'll need to configure your computer to boot from a CD like you'll see below.

 


1. Use the Delete or F2 keys to load the BIOS menu. Information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot:

 

2. In your PC BIOS settings select the Boot menu and set CD/DVD-ROM as a primary boot device.

 

3. Insert your Kaspersky Rescue Disk and restart your computer.

 

STEP C:

 

Boot your computer from Kaspersky Rescue Disk

 

1. Your computer will now boot from the Kaspersky Rescue Disk,and you'll be asked to press any key to proceed with this process

 

 

Kasp1-1.png

 

 

2. In the start up wizard window that will open, select your language using the cursor moving keys. Press the ENTER key on the keyboard.

 

 

Kasp2-1.png

 

 

3. On the next screen, select Kaspersky Rescue Disk. Graphic Mode then press ENTER.

 

 

Kasp3-1.png

 

 

4. The End User License Agreement of Kaspersky Rescue Disk will be displayed on the screen. Read the agreement carefully, then press the C button on your keyboard.

 

5. Once the actions described above have been performed, the Kaspersky operating system will start.

 

STEP D:

 

Launch Kaspersky WindowsUnlocker to remove the malicious registry changes

 

This ransomware trojan has modified your Windows system registry so that when you're trying to boot your computer it will instead launch its lock screen. To remove these malicious registry changes we need to use the Kaspersky WindowsUnlocker from Kaspersky Rescue Disk.

 

1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky WindowsUnlocker.

 

 

Kasp5-1.png

 

 

IF you can't find the WindowsUnlocker button, you can select Terminal and in the command prompt type windowsunlocker and then press Enter on the keyboard.

 

2. A white colored console window will appear and will automatically start loading the registry files for scanning and disinfection. The whole process will take only a couple of seconds and after this process you should be able to boot your computer in normal mode.

 

 

Kasp6-1.png

 

 

STEP E:

 

Scan your system with Kaspersky Rescue Disk

 

1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky Rescue Disk then click on My Update Center and press Start update.

 

 

Kasp7-1.png

 

 

2. When the update process has completed, the light at the top of the window will turn green, and the databases release date will be updated.

 

 

Kasp8-1.png

 

 

3. Click on the Objects Scan tab, then click Start Objects Scan to begin the scan.

 

 

Kasp9-1.png

 

 

4. If any malicious items are found, the default settings are to prompt you for action with a red popup window on the bottom right. Delete is the recommended action in most cases, but we strongly recommend that you try first to disinfect, and if it doesn't work choose to quarantine the infected files, just to be on the safe side.

 

 

Kasp10-1.png

 

 

5. When all detected items have been processed and removed, the light in the window will turn green and the scan will show as completed.

 

 

Kasp11-1.png

 

 

6. When done you can close the Kaspersky Rescue Disk window and use the Start Menu to Restart the computer.

 

7. When booted back into Windows, navigate > Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run named "ScanObject". Copy/paste that file into your reply.


So I've completed the scan. Nothing much happened during the scan though.

 

Booted back into Windows to find the log file. But then I can't find it with your directory link.

Like there was no "Start > Computer > C:\Kaspersky Rescue Disk 10.0" in my C drive.

Could it be somewhere else because right after the scan I saw it was actually saving something but didn't get to look at where it saved !?


Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan.

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log, let me know if any remaining issues or concerns.....


- Attachment is the produced log from Malwarebyte scan as required by procedure above.

- However, the night before that, Malwarebytes actually found something else more suspicious (I can't remember the name of the file, but it lies somewhere in C:\Window\Temp...) and I, without reporting to you, had deleted it via Malwarebytes (sorry).

- Still no email from my ISP though.

MBAM-log-2013-11-30 (23-34-57).txt


Apologies for the late reply, I did not receive notification. What is the status of your system, any remaining issues or concerns? The log you just posted from Malwarebytes shows that SetupImgBurn_2.5.8.0.exe is bundled with unwanted Adware; if you choose to install it you will need to choose "Advanced" during install and make sure to UNtick unwanted extras.

If you just use the auto install the adware will come with it.... OK about that?

 

Let me know if all is now ok, if so we can clean up..


Excellent, good to hear, continue:

 

We need to remove FRST; first it is very important to deal with its Quarantine folder using FRST itself.

OK, we continue:

Delete any fixlist.txt file previously used, continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful. 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

 

Uninstall adwcleaner.exe

  •   Please close all open programs and internet browsers.
  •   Double click on adwcleaner.exe to run the tool.
  •   Click on Uninstall
  • Click Yes at Would you like to Uninstall Adwcleaner

 

Next,

 

  • Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
  • Double click the OTC icon to start the program.
    If you are using Vista or Windows 7 accept UAC
  • Then click the big CleanUp button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
  • This will remove tools we have used and itself.

 

Any tools/logs remaining on the Desktop or downloads folder can be deleted. Such as:

 

Zoek

RogueKiller plus RK_Quarantine folder

Security Check

aswMBR

 

Also navigate > start > computer > expand C:\ and delete any folders related to Zoek

 

Finally,

 

Create a new restore point:

 

   1. Right-click on Computer and go to Properties.

   2. Next click on the System Protection link.

   3. The System Properties dialog screen opens up and you will want to click on Create.

   4. Type in a description for the restore point which will help you remember the point at which it was created. Click on create.

   5. You should see the message "The restore point was created successfully".

 

To remove all but the most recent restore point do the following:

 

   1.      Open Disk Cleanup by clicking the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.

   2.      If prompted, select the drive that you want to clean up, and then click OK.

   3.      In the Disk Cleanup for (usually C:\) dialog box, click Clean up system files. (Administrator permission required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation.)

   4.      If prompted, select the drive that you want to clean up, and then click OK.

   5.      Click the More Options tab, under System Restore and Shadow Copies, click Clean up.

   6.      In the Disk Cleanup dialog box, click Delete.

   7.      Click Delete Files, and then click OK. Re-Boot your PC.

 

Let me know if those steps complete OK, also if ok to close out...

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Kevin

 

 

 

fixlist.txt

