Zeus (Trojan horse)

Yesterday my bank sent me a text message notifying me that my internet banking services had been locked due to suspicious behaviour aimed at stealing the access codes.
I then called them to ask for further information, and they answered that they had found an attempt to steal the access codes by the so-called Zeus trojan that, according to them, has infected my system.
They suggested I change the codes using the phone or a safe PC and format my PC, which is no longer safe.
I use Avast Internet Security 7 on a Win 7 SP1 system, and I’ve changed the codes via Avast Safe Zone Browser.
Then I ran a complete startup scan with Avast that found nothing; I’ve also run a complete scan with Microsoft Security Essentials that also found nothing.
Now the question is: should I trust my system or, given what happened, should I format?
I’ve read that it’s also difficult for antiviruses to find this threat on systems as it’s stealthy.
Is Avast Internet Security capable of protecting against this threat?

Thanks in advance

Hi Akeman Street,

It could be that the malicious activity came from another computer on your provider’s IP range. What you could do is change your main mail account password, as that is the password that you use to log in to your provider. Check your IP address here: http://www.projecthoneypot.org/search_ip.php and establish if there are malicious activities from IPs in that neighbourhood (spammers and dictionary attackers). They could be the cause of the warning, or did they specify your IP?

polonus

Follow this guide and attach the logs… not copy and paste. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

Thanks for the answers!

To log in to my provider I actually use the default username and password of the provider, I don’t use mine. When I set up the router for the very first time I wondered whether that might cause trouble, but the internet connection worked so I never cared about it or thought to change them to my own. I’ve checked my IP address as suggested and found that in the neighbourhood there are 4 IPs with SD and 2 with S.
I can’t fully understand the meaning of this question: "They could be the cause of the warning, or did they specify your IP?" Who should have specified my IP? My bank?

As requested I’ve attached the logs of the scans.

aswMBR keeps crashing and can’t do the scan. A Windows notice appears that says avast! Antirootkit stopped working.
In the next post I attach the Malwarebytes Anti-Malware log and the screenshot that appears when aswMBR stops working.

Apologies if my English is not correct.

Attached are the Malwarebytes Anti-Malware log and the screenshot that appears when aswMBR stops working.

Let's use another tool to check the MBR.

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

- Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

- Click the Start Scan button.

- If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

- Get the report by selecting Reports.

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents in your next reply.

Attached is the report from TDSSKiller.

That looks OK. Did you say that you had reset your router?

I can run a second opinion AV scan if you wish. This will also generate a zip analysis; could you upload that to a file sharing site for me to collect?

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

Click the cog in the upper right

http://dl.dropbox.com/u/73555776/Kas%20front.JPG

Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan.

http://dl.dropbox.com/u/73555776/Kas%20Scan%20area.JPG

Allow AVP to delete all infections found.
Once it has finished, select the report tab (last tab).
Select Detected threats report from the left and press the Save button.
Save it to your desktop and attach it to your next post.

Now the Analysis

Rerun AVP, select the Manual Disinfection tab and press Start Gathering System Information.

http://dl.dropbox.com/u/73555776/kas%20manual.JPG

On completion, click the link to locate the zip file to upload and attach to your next post.

http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG