Avast WEBforum
Other => Viruses and worms => Topic started by: frankocean89 on October 08, 2013, 03:22:07 PM
-
At 12:24 today, I downloaded a file without knowing it was a Trojan horse.
Now Avast keeps reminding me every few minutes that a threat has been detected and SUCCESSFULLY DEALT WITH when it has not.
(I have attached the pics, I hope they are showing.)
Yet despite the fact that I have gone to the file location, scanned it with Avast and deleted the threats SEVERAL TIMES, they are not going anywhere. Avast says they have been deleted, but a few minutes later the same message about threats being detected pops up.
I have tried to download Malwarebytes from Cnet.com to remove them, but since they have infected my laptop, I CAN'T DOWNLOAD ANYTHING, NOT EVEN A PICTURE OFF THE INTERNET, and my laptop has been slowing down. I am extremely upset and feel upset right now and fear for my laptop, my files :'(
Please help me
-
Hi,
We need to check that first.
- I will be working on your malware issues; this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- If you don't know or understand something, please don't hesitate to ask.
- Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.
---------------------------------------------------------------------------------------------
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
-
Perform a bootscan with avast then do as Magna suggested.
-
Perform a bootscan with avast then do as Magna suggested.
Hi Eddy, :)
This type of malware uses embedded nulls, and permissions are broken on the malware-related keys (the malware's loading point); the malware also has two loading points (one as a backup launcher), therefore AV cannot target the ZA loading points.
As ZA uses embedded nulls to hide the full path of the loaded files, you can't aim at these files like that. The Avast boot-time scan is a good thing for post-cleaning or in case of some other lightweight infections, but in ZA cases it is a waste of time. ;)
-
Thanks for your swift replies (^_^) I have an Avast full system scan running right now; should I stop it, or is pausing it enough?
Also, to Eddy: I have no idea what a bootscan is.
-
Thanks for your swift replies (^_^) I have an Avast full system scan running right now; should I stop it, or is pausing it enough?
Also, to Eddy: I have no idea what a bootscan is.
If you have started the boot-time scan, don't stop it. Finish it first.
Avast will warn you to perform a boot-time scan; just press Yes and follow the prompts.
-
Thanks for your swift replies (^_^) I have an Avast full system scan running right now; should I stop it, or is pausing it enough?
Also, to Eddy: I have no idea what a bootscan is.
If you have started the boot-time scan, don't stop it. Finish it first.
Avast will warn you to perform a boot-time scan; just press Yes and follow the prompts.
But I don't know what a boot-time scan is. I am only using the Avast full system scan, and it has been running for about an hour and 45 minutes and has scanned 25% of my system.
So I fear that if the scan takes too long, the Trojan horse will have destroyed my laptop by the time the scan is finished, and also I have important documents to download from my email account :/
-
But I don't know what a boot-time scan is. I am only using the Avast full system scan, and it has been running for about an hour and 45 minutes and has scanned 25% of my system.
So I fear that if the scan takes too long, the Trojan horse will have destroyed my laptop by the time the scan is finished, and also I have important documents to download from my email account :/
A boot-time scan is virus scanning performed by Avast before the Windows files load. Everything in the system is shut down, so Avast can target and kill all malware. The malware is inactive and can't defend itself.
But this malware uses a technique to hide the full path from AV and other security tools.
You may perform virus scanning some other time. Stop the scan and perform FRST.
ZA will not break your system. Its mission is to steal information from you, not to break the computer. ;D
-
But I don't know what a boot-time scan is. I am only using the Avast full system scan, and it has been running for about an hour and 45 minutes and has scanned 25% of my system.
So I fear that if the scan takes too long, the Trojan horse will have destroyed my laptop by the time the scan is finished, and also I have important documents to download from my email account :/
A boot-time scan is virus scanning performed by Avast before the Windows files load. Everything in the system is shut down, so Avast can target and kill all malware. The malware is inactive and can't defend itself.
But this malware uses a technique to hide the full path from AV and other security tools.
You may perform virus scanning some other time. Stop the scan and perform FRST.
ZA will not break your system. Its mission is to steal information from you, not to break the computer. ;D
I am soooo relieved!! At first I thought I was about to lose everything on my laptop, since I have been too lazy to back up. GREAT !! ;D
"Stop the scan and perform FRST"
Sorry for my ignorance, but I am not really good with IT :-[.
So you want me to STOP the Avast full scan, right??
What is FRST?
Also, since I have checked my email account several times since I got infected, are people in my contact list at risk of getting infected too?
-
So you want me to STOP the Avast full scan, right??
Yes.
What is FRST?
Follow the instructions magna86 gave you in the first post.
-
So you want me to STOP the Avast full scan, right??
Yes.
What is FRST?
Follow the instructions magna86 gave you in the first post.
Thanks for the heads up.
I have tried downloading the Farbar scan several times (I am on Firefox right now) but I can't. I can't find it in its location folder. I said in my OP that I couldn't download anything off the internet since my laptop got infected; that is my main problem.
-
Hey, I have tried the RealPlayer browser and so far it is working; I am downloading it right now! I think the issue was with my browsers. I will get back to you soon.
-
:'(
NOPE, it is not downloading. I can't see them anywhere, even in the Downloads folder ;_;
OMG I am terrified. Is there any other way out of this if I can't download off the internet? I am really desperate now ;_;
-
Often, when you cannot download through a web browser, FTP is still working.
You can also create a BartPE boot CD with the utilities on it and run them from there.
-
Often, when you cannot download through a web browser, FTP is still working.
What is FTP?
-
http://en.wikipedia.org/wiki/File_Transfer_Protocol
FileZilla is an FTP program, and there are many others.
-
Almost all browsers support the FTP protocol.
-
Almost all browsers support the FTP protocol.
Can anyone then tell me how I can use the FTP protocol to download off the internet, or any other alternative?? Also, I don't understand IT jargon, and at this point I feel totally helpless because I have no clue what to do.
-
@ frankocean89
NOPE, it is not downloading. I can't see them anywhere, even in the Downloads folder ;_;
OMG I am terrified. Is there any other way out of this if I can't download off the internet? I am really desperate now ;_;
We shall run FRST in RE.
On a clean machine, please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a flash drive.
Note: You need to run the version compatible with your system.
Plug the flash drive into the infected PC.
- If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt (http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/) to enter System Recovery Command prompt.
- If you are using Vista or Windows 7 enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
(http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png)
Select Command Prompt
Once in the Command Prompt:
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
Sorry for the delay, I had to run to an Internet cafe to download it. Since I am here, is there any other document I would need later that I should download now before going back home?? It is 4:35 and the cafe closes at 5.
I need to go home to start the scan, since I can't connect my laptop using the Internet cafe's connection.
-
DONE! I hope it worked!
-
Does anyone knows what I should do next??
-
You don't need the internet any more. When I look at the FRST log I shall write an FRST script for killing and fixing this rootkit.
I will be back soon.
-
Often, when you cannot download through a web browser, FTP is still working.
What is FTP?
Hi frankocean89,
When in a bind, do the simplest things first. That is, get to where you are following magna's original instructions.
Workaround re no internet access:
The simplest way to do that is to download all the files you need on a clean computer and transfer them over to your sick system via a USB stick. To prevent infections on your clean system via USB, install this tool on it first: http://www.mcshield.net/ You'll not need to worry about transferring malware from your sick system to the clean one if this is installed and in place before you begin. You'll be able to transfer needed programs over, or needed logs back to the clean system to post back here, as you go along.
-
Frankocean89,
This will kill the ZA rootkit and all its related files.
Open notepad.
- Click Start
- Type notepad.exe in the search programs and files box and click Enter.
- A blank Notepad page should open.
- Copy/Paste the contents of the code box below into Notepad.
START
HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1673680 2013-10-01] (APN)
S2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [164816 2013-10-01] (APN LLC.)
C:\Program Files\AskPartnerNetwork
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\ \...\???\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\SAMSUNG\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Users\SAMSUNG\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\SAMSUNG\AppData\Local\Temp\lowproc.exe
C:\Users\SAMSUNG\AppData\Local\Temp\msimg32.dll
C:\Users\SAMSUNG\AppData\Local\Temp\Offercast2802_MYC_.exe
C:\Users\SAMSUNG\AppData\Local\Temp\rnsetup0.exe
C:\Users\SAMSUNG\AppData\Local\Temp\SkypeSetup.exe
C:\Users\SAMSUNG\AppData\Local\Temp\stubhelper.dll
C:\Users\SAMSUNG\AppData\Local\Temp\The History of Love Downloader.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
END
Save it to your USB flashdrive as fixlist.txt
=> Or you may download the attached file. It is a ready-made fixlist.txt for FRST.
>> Boot into Recovery Environment
Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
- Press the Fix button once and wait.
- FRST will process fixlist.txt
- When finished, it will produce a log fixlog.txt on your USB flashdrive.
>> Exit out of Recovery Environment and post me the log please.
-------------------- Next -----------------
Can you please boot back to normal mode Windows, and re-run FRST;
- Under Optional Scan ensure "Addition.txt" is ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- It makes also another log (Addition.txt). Please attach it to your reply.
-
Thanks mchain I will look into that when my system is cleaned :)
magna86 I have attached the log :)
-
Done
-
This fix you shall deploy from normal mode, as some malicious services are still loaded.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
START
() C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe
HKCU\...\Run: [GetBooks] - C:\Users\SAMSUNG\AppData\Local\GetBooks\GetBooks.exe [509440 2013-05-15] ()
C:\Users\SAMSUNG\AppData\Local\GetBooks
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
SearchScopes: HKLM - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snap.do/?publisher=Download&dpid=Download&co=GB&userid=00c0ab9a-df4a-455b-aec2-db82b7a2f123&searchtype=ds&q={searchTerms}
SearchScopes: HKCU - {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL =
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} - No File
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
CHR Extension: (Ask Toolbar) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaajpbjobobnmcnepdoldijfgmgogbe\21.54118_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaajpbjobobnmcnepdoldijfgmgogbe
CHR Extension: (Missing e) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcjbagclppcgdbpobcpoojdjdmcjhpid\2.14.3_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\bcjbagclppcgdbpobcpoojdjdmcjhpid
CHR Extension: (UnfollowHater) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjobkfnjnakiggjoafelkncclbonjhm\1.0.13_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjobkfnjnakiggjoafelkncclbonjhm
CHR Extension: (Chrome In-App Payments service) - C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
C:\Users\SAMSUNG\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
CHR HKLM\...\Chrome\Extension: [aaaajpbjobobnmcnepdoldijfgmgogbe] - C:\ProgramData\AskPartnerNetwork\Toolbar\MYC3-V7\CRX\ToolbarCR.crx
C:\ProgramData\AskPartnerNetwork
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\ \...\???\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
CMD: netsh winsock reset
CMD: ipconfig /flushdns
END
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
------ next -------
Reboot (restart) the machine one more time....
------ next -------
Re-run FRST, just press the Scan button and post me the freshly created FRST log.
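The two fix scripts above are driven by what FRST marks "ATTENTION" in its log: a service whose name FRST prints with a leading "*", an image path whose directory names it cannot print (a whitespace-only component, a "\...\" or "???" placeholder, which is what the embedded-null trick magna86 describes looks like from user mode), a Run value whose target shows as "[x]", and Winsock catalog entries pointing at a module that is not found. The script below is an added example, not code from the thread, from Farbar's tools or from Avast: it runs these same heuristics over FRST-style log lines so a reader can see which lines the fixlists were targeting and why. The regular expressions and the reason strings are this example's own assumptions about the FRST line layout, derived only from the lines quoted in this thread; the sample log is constructed from those lines plus the benign entries that sit next to them.

```python
"""Flag hidden or broken loading points in FRST-style log lines (added example)."""
from __future__ import annotations

import re

# Constructed sample: the service, Run and Winsock lines quoted in this thread.
# The first two are benign and should not be flagged.
SAMPLE_LOG = r"""
HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1673680 2013-10-01] (APN)
S2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [164816 2013-10-01] (APN LLC.)
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\ \...\???\{a9dc3b77-a104-26f7-d8cc-b3ee5a1d846e}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
"""

# Assumed line layouts, reverse-engineered from the lines quoted in the thread only.
SERVICE_RE = re.compile(
    r'^(?P<start>[A-Z]\d)\s+(?P<name>\S+?);\s*"?(?P<path>[^"<]+?)"?\s*(?:<.*)?$')
RUN_RE = re.compile(
    r'^(?P<hive>HK(?:LM|CU))\\\.\.\.\\Run:\s*\[(?P<value>[^\]]+)\]\s*-\s*(?P<path>.+?)(?:\s*<.*)?$')
WINSOCK_RE = re.compile(
    r'^Winsock:\s+Catalog(?P<catalog>\d+)\s+(?P<index>\d+)\s+(?P<module>\S+)\s+File Not found\b')


def path_indicators(path: str) -> list[str]:
    """Reasons a printed image path looks like a name user-mode tools cannot resolve."""
    reasons = []
    parts = path.split("\\")
    if any(p and not p.strip() for p in parts):
        reasons.append("whitespace-only directory component")
    if "..." in parts:
        reasons.append("'...' placeholder component (name could not be printed)")
    if any("?" in p for p in parts):
        reasons.append("'?' characters in a component (non-printable name)")
    return reasons


def classify_line(line: str) -> list[str]:
    """Return the indicators found on one log line; an empty list means it looks benign."""
    line = line.strip()
    reasons: list[str] = []
    m = SERVICE_RE.match(line)
    if m:
        if m.group("name").startswith("*"):
            reasons.append(f"service {m.group('name')!r} is marked with '*' in the log")
        reasons += [f"service image path: {r}" for r in path_indicators(m.group("path"))]
        return reasons
    m = RUN_RE.match(line)
    if m:
        if m.group("path").startswith("[x]"):
            reasons.append(f"Run value {m.group('value')!r} has an unreadable target [x]")
        reasons += [f"Run target path: {r}" for r in path_indicators(m.group("path"))]
        return reasons
    m = WINSOCK_RE.match(line)
    if m:
        reasons.append(
            f"Winsock Catalog{m.group('catalog')} entry {m.group('index')} "
            f"references missing module {m.group('module')}")
    return reasons


def scan_log(text: str) -> dict[str, list[str]]:
    """Map each flagged line to its indicators; lines with no indicators are omitted."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        reasons = classify_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in scan_log(SAMPLE_LOG).items():
        print(flagged[:70] + ("..." if len(flagged) > 70 else ""))
        for reason in why:
            print("    -", reason)
```

On the constructed sample the scanner flags exactly the three lines the thread's fixlists removed or repaired and leaves the two Ask Toolbar entries alone; the Winsock finding is the reason the second fixlist ends with "netsh winsock reset", since FRST reports the expected LibraryPath on the same line.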
-
Thanks soooooo much. I checked the location of the trojan horses and they have been deleted :*
-
Thanks soooooo much. I checked the location of the trojan horses and they have been deleted :*
8)
We have not finished yet. I shall quote myself again:
- I will be working on your malware issues; this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- If you don't know or understand something, please don't hesitate to ask.
- Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.
---------------------------------------------------------------------------------------------
=> Run Chrome > (http://fotkica.com/imgs2/256965_224774706_SNP_2696434_en_v1.png) > Settings
Under "On startup" part of options, check box for "Open a specific page or set of pages" and click "Set pages".
Under "Add new page" type: "www.google.com" and press Ok.
-----------------------------
The rootkit is killed. ZA is no more. But we need to check/repair all the damage caused by the ZA rootkit.
We shall re-check with ComboFix, and therefore I want you to run another Farbar tool named FSS.
With FSS we shall check whether there is any damage caused by the rootkit.
Scan with Combofix:
- Please download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
You may read how Combofix works here. (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
- When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )
----- next -----
Please download Farbar Service Scanner (http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/) and run it on the computer with the issue.
- Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run.
- Please copy and paste the log to your reply.
-
Sorry it took so long :/
ComboFix took about an hour to scan when I thought it would only last 10 min. This makes me fear for the health of my laptop :(
I had issues disabling Avast despite doing exactly what was advised in the links you posted. I right-clicked on it and disabled it for an hour, but ComboFix kept on saying that it wasn't disabled.
-
All looks clean. How's your computer running now?
-
GREAT
GREAT
GREAT!!!
Thanks so much!! I could hug you right now. I was so distressed earlier today; you saved me! Thanks :-* :-* :-*
-
magna is probably in bed now...check back tomorrow and he will remove the tools used ;)
-
magna is probably in bed now...check back tomorrow and he will remove the tools used ;)
Good morning everyone.
Which tool do I have to remove, and how? :)
-
Now that your machine is clean and safe, I suggest you change all your important passwords on your computer, for your bank accounts and the like ...
First we need to remove FRST Quarantine.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
DeleteQuarantine:
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt).
Note: If the tool warned you about the outdated version please download and run the updated version.
--------- next ---------
It is necessary to uninstall ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process to complete.
--------- next ---------
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
------------------------------------------------------------------
I recommend you use MCShield if you will.
You may download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net)
Softpedia - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection of your computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.
Be safe. :)