ZeuS.panda detected by MWB but not removed

[seglea]

On a weekly scan, Malwarebytes (MWB) detected the spyware ZeuS.panda.  This is a known dangerous Trojan that collects passwords etc when you visit banking sites.  MWB quarantined it, and at the end of scan gave me the option to delete it, which I took.  However, the flagged infected file was not deleted, and when I ran MWB again after restarting the machine, it reported the spyware in the same location.  I repeated this a few times, checking for any variations in procedure, but the result was always the same.  Accordingly, I have now removed the file reported as infected (using Eraser rather than a simple delete).  Two questions, therefore: (a) will Erasing the file have removed the threat properly, and (b) would there have been a more appropriate action under these circumstances?  Most grateful for any advice.

[kevinf80]

Hello seglea and welcome to Malwarebytes, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans"   Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Thank you, Kevin..

[seglea]

Kevinf80, thank you for your prompt offer of assistance.  I have run FARBAR as suggested, and attach the two files.

seglea

Addition.txt

FRST.txt

Edited September 7, 2018 by seglea
correcting spelling error

[kevinf80]

Thanks for those logs, continue: Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Open Malwarebytes Anti-Malware.   On the Settings tab > Protection Scroll to and make sure the following are selected: Scan for Rootkits Scan within Archives   Scroll further to Potential Threat Protection make sure the following are set as follows: Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended) Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)   Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following:   Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Please download Zemana AntiMalware and save it to your Desktop.   Install the program and once the installation is complete it will start automatically. Without changing any options, press Scan to begin. After the short scan is finished, if threats are detected press Next to remove them. Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.   Open Zemana AntiMalware again. Click on icon and double click the latest report. Now click File > Save As and choose your Desktop before pressing Save. Attach saved report in your next message. Next, Emsisoft Emergency Kit Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment. Save EmsisoftEmergencyKit.exe to your Desktop. Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:   Leave everything as it is, then click Extract. This maybe listed as Install This will unpack or install Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\). Once the extraction or installation is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.   Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:   Choose Yes, then wait for EEK to finish updating. Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes. Wait for the scan to finish.   If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected. If Emsisoft Emergency Kit asks to reboot, please do so immediately. The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.   Please Copy and Paste the contents of the scan log in your next reply. Let me see those logs in your reply, also tell me if there are any remaining issues.. Thank you, Kevin

fixlist.txt

[seglea]

Kevin, thanks for the further advice.  Here are the logs you requested.  The short account is that the FRST process ran through ok, but when I then tried to run MalwareBytes, it kept crashing out and triggering a reboot, with the message "Page fault in non paged area MBABSwissArmy.sys".  I fixed this by downloading a fresh copy of MalwareBytes (which had, however, been performing perfectly OK previously - though I was running it from an admin user when it crashed, rather than from my usual user).  Zemana and Emisoft then ran ok, each detecting one piece of Adware, neither of which look likely to be related to the original ZeuS.panda infection.

MBAM Scan report.txt

Zemana report 2018.09.08-17.10.04-i0-t92-d1.txt

Emisoft Forensics_180908-182223.txt

[kevinf80]

One more scan please:

Download RogueKiller and save it on your desktop, ensure to download correct version.. RogueKiller (X86) RogueKiller (x64)   Exit all running applications. Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue. If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon. Click "Start Scan" to begin the analysis. This may take some time. Once the scan is complete, click the "Open TXT" button to display the scan report. Copy/Paste it's content in your next reply. Do not use the Remove Selected option until i`ve had a look at the log.. Thanks, Kevin...

[seglea]

Kevin, here's the RogueKiller report, with a bundle of PUMs found.  Looking at it, the two entries for Internet Explorer look from their Data entries as though they are links to my authentic home page.

RogueKiller report rk_195D.txt

[kevinf80]

Those entries in the RogueKiller report are not malicious. How is your PC responding, any unusual or erratic behaviour..?

[seglea]

Kevin, thanks for your report; sorry I've been silent for a few days, busy with other things.  So far as I can tell the PC is running normally, with no unexpected slowness - it is a little difficult to tell as all files are on a NAS and that sometimes imposes delays.  I am checking all financial sites (the main targets of ZeuS.panda) carefully and there are no signs of any attempted intrusion.  So I think that has been cleared, and many thanks for your help.  A thank-offering is on its way.

I'm still left with one of my original questions - was delete/shredding the file reported as infected with the trojan the right way to go when MWB didn't seem able to remove the infection?

I also have another, for which I will start a new thread... As part of this process, I discovered that my (old version) MWB probably wasn't doing anything useful when I set it to scan networked drives, even though it appeared to be scanning them; and the latest version (which I had to install to overcome a stoppage) now won't do it at all.  It's a consequence of newer versions of MWB running as a service, rather than a user program.  So now I need to find something that will scan network drives for Windows-oriented malware.  Some of the programs you recommended above are possible candidates, though there are others on the Synology forum (that being the make of my NAS).

Thank you again.

[kevinf80]

Hello seglea,

Thank you for the donation, very much appreciated...  The following link explains options for scanning drives with Malwarebytes:

https://support.malwarebytes.com/docs/DOC-1694

Yes what you describe of dealing with the suspect file can be useful if security programs cannot deal with it, but only if you are certain the file is infected. Any suspect file can be scanned at VirusTotal to be checked out... https://www.virustotal.com/en/

If you want to reinstall Malwarebytes, is better option to use Malwarebytes clean up tool first.

Totally Remove Malwarebytes from your system: Download the latest version of MB-Clean by clicking this link: https://downloads.malwarebytes.com/file/mb_clean save to your Desktop, or a folder of your choice.   Close all open applications Double-click and run mb-clean.exe A prompt with an option to clean up the system will appear: Yes - will proceed with backing up the license key (Malwarebytes 3.x only) and initiating the cleanup process. (Recommended) No - will exit the utility Once the cleanup process is completed, a prompt will appear: Yes – will proceed and post reboot you will be prompted to continue with the downloading, installation and activation of latest version of Malwarebytes 3.x (Recommended) No – will exit the utility and you will not be prompted (post reboot) to download, reinstall and re-activate (Not Recommended) We recommend rebooting immediately. Additionally, stopping at this step is not recommended and will most likely not resolve your issue(s). Upon reboot, a prompt will appear: Yes - will download, install and activate the latest version of Malwarebytes 3.x (Recommended) No - will exit the utility and the cleanup process is complete... A log file ("mb-clean-results.txt") will be on your desktop, that will show what was removed... The following link gives some excellent online scanners for periodic checks... https://mashtips.com/online-virus-malware-scanner-for-windows-mac-file-website/ Is your PC responding ok for you now, are we ok to close out... Regards, Kevin

[seglea]

Thanks, that's great.  Yes, ok to close this topic now, and I hope it is useful to others.

[kevinf80]

You`re very welcome seglea, comeback anytime if assistance is needed.....

Regards,

Kevin....

[kevinf80]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks