URGENT - Trojan Alert // ZEUS // PWS:Win32/Zbot.gen!Y - Be weary

Hi All,

I thought id post this out of courtesy.

I tried to logon to my online banking and found it had been suspended today. After a quick call they advised me i had a virus and my login details had been stolen.

I have McAfee ( legit version ) all paid for and upto date and it still didnt catch this sneaky little trojan. The consultant from my bank recommended Windows Security Essentials ( link at bottom of page ) which after installing and scanning found the suspect files within minutes.

I thought id post this as the files have been on my PC for a couple of months now and McAfee didnt pick it up once....
I have also included the Virus / Malware Encyclopedia information for some of the threats that were picked up.


The way it worked was everytime i entered the URL of my bank, the login page itself would actually steal my password.


Be weary peeps


www.microsoft.com...

Virus Information:

Malware / Virus Information // Aliases: Zeus

Detailed file info

The Microsoft download is free and allows you to update definitians and also scan and remove suspect files, viruses, Spam and Malware.

reply to post by Havick007


You could go to ananomouse.com and try entering in the website...or you could sign up to another bank...try it on another computer...

reply to post by Disemboweled


When i called they said they have been getting abit of this lately and that is how they knew it was that particular virus. Apparently once the Malware / Trojan is removed it should be ok.

I did notice for the past week or two that everytime i tried to log in to my online banking it would take upto 10 minutes to login. I assumed it must have been an IT thing on the banks side but apparently it wasnt. On the Microsoft description it does say it is a password stealer, i just didnt realise that was how it took passwords.

Summary
PWS:Win32/Zbot.gen!Y is a generic detection for a password stealer and remote access trojan.

I've also gotta add i'm surprised Security Essential's didnt come as an Auto update. I wouldn't have thought i would have to wait for banking employee to tell me about to get it on my system.

But after downloading and installing this simple app, it's really good and considering it's free you can't go wrong

Just wanted to add, the source of the corrupt files ended up being under C:/[username]/AppData/Roaming/Igpi - ( In my case ) it may differ on other machines.

For that source file, you would need to view hidden files/folders to find it in your username directory.

No antivirus package is 100% effective. Individual tweaks can be made to the virus so the signature is different with many millions of combinations available. Microsoft threat fire is a good program that looks for virus like behaviour so you can kill it or let it pass. When things start slowing down unexpededly it is a good sign that something is wrong.

reply to post by kwakakev


yeah i noticed that in the past week or 2 IE started lagging really badly and alot of extra processor usage.

Looking at the corrupt files it's been on my system for a couple months but nothing detected it and it only became active in the past week or so.

It's still annoying, i'm going through and changing every single password i have.

lol.. i feel violated

reply to post by Havick007


I also recommend moving away from IE as your browser to Mozilla Firefox, Goggle Chrome or one of the others. The reason for this is that IE is deeply embedded with the operating system and can be a hackers dream through the dot net framework. These other internet browsers have more clearly defined boundaries with the operating system and make it harder, but not impossible to subvert. It does get technical, but for a quick solution it will boost your security defences.

reply to post by kwakakev


I have always liked IE - i have tried Mozilla, Chrome and even the older AOL browser.

Nothing compares after using IE for so long. Also IE9 is now beta testing so hopefully they may have come up with some better security.... we can only hope


Also i want to add there are some history files i just cant get rid of, it's not your norm Malware or etc but legit pages from Cornell University about US law and stuff i have searched for from time to time in regard to conspiracy theories and alike.

The subject matter is not outta the norm, but the history just wont delete no matter what i do. Clean-ups, re-installs etc nothing works.

I wont post the direct links as i dont want it to have the same effect on others PC's.

Although one example of about 30 history logs is below ( dont click for the fear it may not remove itself ffrom your system!)


TITLE 42 > CHAPTER 79 > SUBCHAPTER I > § 6603
Prev | Next § 6603. Sense of Congress on innovation acceleration research

www.law.cornell.edu...

That is just one example of about 30 history files that i cant shake from my system no matter what i do ( All from Cornell )??

Any idea's?

Also i am happy to post every history link i have but i dont want people clicking on them and then having the trouble as me

you might have inadvertently marked these files for offline viewing thus IE won't delete them.

reply to post by toreishi


Nah i remember when i viewed them, it wasnt anything worth my while, it was really a dead end. Also as i said it was every page i visted in that one night, there was no-way i marked everyone of them for offline view. Although by some chance that is what happened or they somehow marked themselves that way, would you know what directory they are stored in or how to delete them.

The funny thing is, when i do a complete PC or C: search, they dont turn up, no matter what search term i use to relate them to IE or their main names. They cant be found even when searching hidden etc.

It's like they are somehow now merged with IE, but even when i tried a total uninstall and the re-install they still showed up..

It's fustrating that they are just stuck their. Look as an example i will post a couple more links, as i said there is about 30 in my history that wont delete.

It's not in the history tab, but when you open the drop down box and expand the history section, thats when they show up.

Examples ( do not click - example only )

TITLE 42 > CHAPTER 140A > § 14661
Prev | Next § 14661. Program authorized
www.law.cornell.edu...



TITLE 42 > CHAPTER 26 > SUBCHAPTER III > § 2482
Prev | Next § 2482. “Upper atmosphere” www.law.cornell.edu...



TITLE 42 > CHAPTER 3A > §§ 137 to 137g
§§ 137 to 137g. Repealed. July 1, 1944, ch. 373, title XIII, § 1313, 58 Stat. 714
www.law.cornell.edu...


As i said this is only a small part of the Cornell Law archives i cannot get rid of. Dont get me wrong, i am not trying to make a conspriracy out of it, just trying to get some extra help on it.
It acts like Malware or Spyware but is from a supposed legit source??

I also want to add that Microsoft Sec Essentials is really very thorough. It has now been running for 4h28m and has only scanned 1/5 of my drive. It's not that it's slow, i can see it's moving quite fast, its just very thorough.

aha it just detected 3 more suspect and severe files:

details below:

--------------------------------------------------------

MSE - Action Message:

----

Category: Exploit

Description: This program is dangerous and exploits the computer on which it is run.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:Users[user]AppDataLocalLowSunJavaDeploymentcache6.01039a20d0a-59888592->vmain.class
file:C:Users[user]AppDataLocalLowSunJavaDeploymentcache6.016d1c5590-396cfb5d->vmain.class

Get more information about this item online.

-----------------------------------------


Category: Exploit

Description: This program is dangerous and exploits the computer on which it is run.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:Users[user]AppDataLocalLowSunJavaDeploymentcache6.046537aaaee-385140b2->bpac/a.class

Get more information about this item online.

------------------------------


Category: Trojan Downloader

Description: This program is dangerous and downloads other programs.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:Users[user]AppDataLocalLowSunJavaDeploymentcache6.01627b56710-545143ab->Inicio.class

Get more information about this item online.

------------------------------------------

And a couple more since i started this post..... farrrr out man. I had no idea. Here i am paying for McAfee every 15 months and these bloody things sneak past and bury themselves in my system.

The above are Java ( SUN Microsystem ) updates.

Seriously be diligent peoples, i though my firewall and virus scan / real time was good, but hmm perhaps i should start emailing McAfee with complaints....

That is just one example of about 30 history files that i cant shake from my system no matter what i do?

In windows explorer/tools/folder options, there are some options to view hidden files and other stuff. Another thing it could be is that it is just an index file that holds the file locations, these are used to quickly access files but do not contain the actual files.

If it is the actual files are there then they may be locked. This is done to avoid to programs accessing the same file at once and getting confused. Right click on properties and try to unlock the files, you should be able to delete them after that.

If still having problems and using Vista, then not real sure. Tried Vista a bit and looks like some changes have been made to the file management process.

Good to hear about security essentials,

reply to post by kwakakev


I just dont understand why out of the thousands of websites i have viewed those are the ones that stick on my system and it's only the Cornell links. I will post a screenshot below...

I am at my wits end trying to remove them....


Also did you see my last reply about the Java update trojans.

They are snuck right in the Java update / install files. So i guess, seldom were the Java updates and the majority were immitation or Malware / Virus requests


[atsimg]http://files.abovetopsecret.com/images/member/adec2d7f074b.jpg[/atsimg]

[atsimg]http://files.abovetopsecret.com/images/member/c07b37faffff.jpg[/atsimg]

They are all Cornell that wont delete off my system arrh its more fustrating than anything. Why cant i get rid of them...

reply to post by Havick007


Thanks for the heads up. S+F

I've recently moved my online banking from the PC to the iDevice and I use a dedicated app. According to my bank it's more secure then going through a web browser. However my wifi feed is routed via my windows box, so I guess if the PC gets compromised or hacked then they can still access my personal data.

Originally posted by kwakakev
reply to post by Havick007

 

I also recommend moving away from IE as your browser to Mozilla Firefox, Goggle Chrome or one of the others. The reason for this is that IE is deeply embedded with the operating system and can be a hackers dream through the dot net framework.

Note Microsoft quietly installs dot net framework extension for Firefox via their updates...

reply to post by kwakakev


With Sec Essentials, i am promoting it as a user because i am basically shocked that it wasnt inlcuded as an update or in SP.

I update twice a week and have not come across it. I dont go searching the Microsoft site...if i had, i may have found it...in hignsight.

I still cant believe my online banking team had to inform me of it. I paid for Vista, i get all the Sec updates and other junk but not Sec Essentials.... strange...

reply to post by yizzel


No probs, happy to help when i can or atleats share common threats

Although i have to say Wifi isnt as safe as you may think. Although there are WEP keys etc they can still be broken. These days.. what is secure?? Everythime security patches come up, the hackers seem to beat it.

I was talking to the online team at my bank today and ya know, it's ironic... the people that have the skills to write the code and virus, Malware, Spam and Malicious software code could probably make a better living writing programs legally.... What a waste of time.

I mean even know they had my online bank details for a short period of time, if they had added a new BPay biller or payone acct number, i still would have received an SMS to verify this the new account details before any transaction was completed. So really it's a waste of their time. So what they can see my account but they cant touch it.


If you had the shill to write such code, would you rather waste it on a hit and miss approach to peeps onlione banking.. oooor put it to good use and write legit programs for corporations and companies that pay 100's of thousand for the time and license rights??

They are smart when it comes to programming but have no plan or no real IQ....

reply to post by Havick007


What you have in those screen shots looks more to be an explorer history than a browsing history. It does get confusing with many different levels of stuff. I know there is a setting around to clear it if it really bothering you but is pretty harmless.

reply to post by kwakakev


it is annoying and no matter what i do i cant get rid of it.... From the drop down it contains the same history as other pages visted recently.... but when i clear history/ cookies/ temp / cache etc it gets rid of every sinlge thing apart from my favourites and those history links.....

Dam you Cornell lol...

But look that isnt the main point of my thread, i am trying to alert everyone to make sure they check their sytem and scan it properly....

I though i was secure untill my online bank suspended my access...thank god, i could have lost money. Although that is remote as my bank has many different layers of online security, i dont want hackers even seeing my account balances or transactions. But they could, they had my customer ID and password, they could log on as i do every week or day at times and see my full financial history... it is kinda scary.


All this when i have Vista sec activated, Windows Firewall, Mcafee - Real time, Full Scan, Firewall, Malware protection, SPAM protection, Malicious software tracer and more etc.

They still snuck past, how many systems do you think are infiltrated, perhaps the trojan is dormant. I had mine for 3 months but did notice or have any threats untill the past couple of weeks. I wouldnt have known unless my online banking was exploited...

Some of these updates come from Sun Microsytems - Java Updates....


When was the last time any one of our readers saw a Java update and automatically assumed it was trust-worthy??

Sneaky Buggers!! Also it wouldnt surprise if some of the responcible hackers lurkers or participated in ATS - If so, get a life and real job, if your so good at programming then worki for a real firm... you will prob earn more money.

reply to post by Havick007


That's true, wifi can be hacked but so can any physical connection as well. Though I'd say wifi is probably easier cause you don't have to scan for open ip addresses..

Sometimes I check my router logs to see if anyone's attempted to get in but that's a bit of a pain, what I need is a program that automatically detects and alerts me if someone tries to access my wifi. Been looking around for ages but so far I haven't found a program that can do that.
At least my bank app encrypts all data required to access my account.

Yeah it's a shame these virus coders don't use their talent to create something legit and make their fortune that way...

P.s, I use a program called CleanUp! it deletes browser history as well as temporary files. Works well on XP, there might be a vista version out there too...