
Discussion Starter #1
Help!! Our network and computers have been attacked by malware. In McAfee, on Feb 23 Systemguards blocked an attempt to make registry changes to change the winlogon shell so that other programs could replace windows explorer.

The log file for this event revealed that it had detected and removed the artemis D8a7e233ae3c trojan and quarantined four components of the PWS-zbot.gen.ab trojan including one called SETIASWORLD.

On March 4, a revealing symptom occurred. After logging into our banking site, an overlay appeared asking for credit card information including the number on the back. Naturally, we did not click on anything and promptly closed the default browser (Firefox)!

After researching and reading on the internet about related bank phishing malware files, we noticed something in the owner's application data and in the startup info called ikpih.exe that was pretending to be the Opera browser in its properties. McAfee did not catch it as malware when we scanned it, however, so it did not fix it. We tried unchecking it in msconfig, but it said something about not having rights to change it, and when we reopened msconfig there was an unchecked box and a newly checked box for this item.

The owner of this computer is not sure whether or not the computer has been restarted again after the Feb 23 startup or just put to sleep after that. The Feb 23 McAfee events show that the ikpih.exe file was unfortunately allowed to execute then as a startup item.

This netbook has a secure cable connection and also Verizon 3G connection. The trojan may have entered using either network. There seem to have been multiple inbound events from weird computers whenever the Verizon connection was made, and the connection went dormant repeatedly and VZAccessManager had to be disconnected and reconnected.

The cable connection is also networked to a wireless router shared with another older laptop. Norton Security Suite has recently been put on that laptop replacing an out of date Norton. The Norton scan found some things, but this post is primarily about the zbot trojan on the netbook.

Can you help us clean up the rest of this mess and refine our networking settings in McAfee and Norton so we can trust this network and these shared computers again?

Attached and below are the relevant data from the files you requested. GMER didn't give a warning about rootkit activity, but we went ahead with the scan anyway. Thank you in advance for your generous help.
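A read-only check for the two persistence points this post describes, added here as an example and not part of the thread or of any tool it mentions: it audits the Winlogon Shell value and the Run keys that msconfig lists. The Opera-impersonation test and the AppData heuristic are assumptions drawn from the post; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: a read-only audit of the two persistence
# points the post describes, the Winlogon Shell value and the Run keys msconfig
# lists. Flags a Shell other than explorer.exe, Run entries whose file is gone, and
# AppData executables whose version info claims Opera (an assumption from the post).

function Get-WinlogonShellFindings {
    $findings = @()
    foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                       'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        # Clean: HKLM Shell is exactly "explorer.exe" and HKCU has no Shell value at all.
        if ($null -ne $shell -and $shell.Trim() -ne 'explorer.exe') {
            $findings += [pscustomobject]@{ Source = "$key\Shell"; Value = $shell; Reason = 'Winlogon Shell is not explorer.exe' }
        }
    }
    return $findings
}

function Get-SuspiciousRunEntries {
    $findings = @()
    $appData = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
    foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                       'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            # Reduce '"C:\x\y.exe" /arg' or 'C:\x\y.exe /arg' to the bare executable path.
            $exe = [string]$p.Value -replace '^"([^"]+)".*$', '$1' -replace '^(\S+\.exe).*$', '$1'
            $reason = $null
            if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
                $reason = 'Run entry points to a missing file'
            } else {
                $vi = (Get-Item -LiteralPath $exe).VersionInfo
                $underAppData = @($appData | Where-Object { $exe -like "$_\*" }).Count -gt 0
                $claimsOpera = "$($vi.CompanyName) $($vi.ProductName)" -match 'Opera'
                if ($underAppData -and $claimsOpera -and $exe -notlike '*\Opera*') {
                    $reason = 'AppData executable claims to be Opera outside an Opera folder'
                } elseif ($underAppData) {
                    $reason = 'Autostart executable under AppData (review manually)'
                }
            }
            if ($reason) {
                $findings += [pscustomobject]@{ Source = "$key\$($p.Name)"; Value = $p.Value; Reason = $reason }
            }
        }
    }
    return $findings
}
```

Call `Get-WinlogonShellFindings` and `Get-SuspiciousRunEntries` and review the returned objects (pipe them to `Format-Table -AutoSize -Wrap`); the script changes nothing, so the evidence stays intact for the scan logs the helper asks for.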
 

Moderator, Security Team
You have not attached or posted any scan logs as requested in .... Malware Removal Help Posting Instructions

  • If you have a 32 bit system Download FRST to your Desktop.
  • If you have a 64 bit system Download FRST64 to your Desktop.
  • If you don't know whether your system is 32 bit or 64 bit, download both. Only one will run on your machine. That's the one to use.
  • Double click Frst.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning, 2 logs will open on your Desktop: FRST.txt and Addition.txt.
    • Please post them in your next reply.
 