Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on September 01, 2016, 04:44:16 PM

Title: Worm.Rontok
Post by: REDACTED on September 01, 2016, 04:44:16 PM

I need help. After I scanned with Malwarebytes it found thousands of detected files with type of .tmp or something. It is described as Worm.Rontok in MBAM and they take up alot of space. Just this week, I found my harddrive :c to be 72 mb. Also, trying to scan with malwarebytes is not working. after time, it will crash and the laptop will suddenly shut down. I paused 1/4 of the scan just to get 100000 files cleaned.. So in these circumstances, I wasn't able to produce txt logs with malwarebytes but here are the others.

Title: Re: Worm.Rontok
Post by: Eddy on September 01, 2016, 05:17:16 PM

Trajce,
you are not allowed to help with things like this.
Only the listed malware removers are.
https://forum.avast.com/index.php?topic=53253.0

Zayday,
let Mbam finish and than create new logs with Farbar.
Attach the Mbam log and the  new Farbar logs to your next post here.

Title: Re: Worm.Rontok
Post by: Pondus on September 01, 2016, 06:34:08 PM

Did you recive this after opening a mail or using a usb stick ?

Your adressbook may be compromised now

Title: Re: Worm.Rontok
Post by: Michael (alan1998) on September 01, 2016, 09:07:50 PM

Quote from: Pondus on September 01, 2016, 06:34:08 PM

Did you recive this after opening a mail or using a usb stick ?

Your adressbook may be compromised now

Guessing email, he has MCShield which should have picked a worm up.

Title: Re: Worm.Rontok
Post by: REDACTED on September 02, 2016, 06:10:31 AM

Here are the logs. Thank you!!!

Title: Re: Worm.Rontok
Post by: dbrisendine on September 02, 2016, 07:36:49 AM

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

QuickTime 7
Free YouTube Downloader Converter
Social2Search
SweetIM for Messenger 3.3
SweetIM Toolbar for Internet Explorer 3.9
SyQic Yoonic Engine - PLDT Watchpad
Yahoo! Messenger
Yahoo! Search Protection

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window. 

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

(https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) Fix with Farbar Recovery Scan Tool

(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) This fix was created for this user for use on that particular machine. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)
(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) Running it on another one may cause damage and render the system unstable. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on (https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) icon and select (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Also, tell us how your system is running now.  Thanks.

Title: Re: Worm.Rontok
Post by: REDACTED on September 02, 2016, 12:14:25 PM

I can't seem to uninstall these programs:

Free YouTube Downloader Converter (Keeps saying that file is not an application or something)
Social2Search (No response after clicking uninstall)
SweetIM for Messenger 3.3 (msi file missing)
SweetIM Toolbar for Internet Explorer 3.9 (account already existing(?) it opens the IE for no reason)

Should I proceed with the fix?

Title: Re: Worm.Rontok
Post by: dbrisendine on September 02, 2016, 07:22:22 PM

Yes; if the uninstalls don't function properly, move on to the rest of the fix / cleaning.

Title: Re: Worm.Rontok
Post by: REDACTED on September 03, 2016, 02:52:41 AM

The system restarted fine, it asked me to do a disk check up but I postponed it. It runs fine and no problems so far. Frequent lags (which i think is normal because the system is a bit old) and the disk space in drive :C increased a little. From the free space of 61 gb somethiong, it decreased, 58 gb.

Title: Re: Worm.Rontok
Post by: dbrisendine on September 03, 2016, 03:48:43 AM

I would recommend you run the disk check scan.  Also, let's check for any other adware before moving on....



AdwCleaner by Xplode

Download AdwCleaner from here (http://www.bleepingcomputer.com/download/adwcleaner/) or from here (https://toolslib.net/downloads/viewdownload/1-adwcleaner/). Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

• Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  You will see the following console:
  
  (http://i1351.photobucket.com/albums/p785/dbreeze2/Scanners%20screens/AdwCleaner_v5016_zpsf8ln0fea.png)
• Click the Scan button and wait for the scan to finish.
• After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
• Click the Clean button.
• Everything checked will be deleted.
• When the program has finished cleaning a report appears.
• Once done it will ask to reboot, allow this

(http://1.bp.blogspot.com/-vitKqfMQS4o/UEDylIQ7HJI/AAAAAAAABLc/Hx-IwqKoaxg/s1600/adwcleaner_delete_restart.jpg)

• On reboot a log will be produced; please attach that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt
  
  Optional:
  
  NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why (http://www.im-infected.com/hijacker/isearch-avg-comsearch-hijacker.html) and Here (http://nojesusnopeas.blogspot.com/2012/08/sorry-but-avg-secure-search-is-malware.html). You can always Reinstall (http://www.avg.com/us-en/secure-search) it.

Title: Re: Worm.Rontok
Post by: REDACTED on September 04, 2016, 07:00:37 AM

After clicking the clean, adwcleaner soon stopped responding. Should I just wait for it?

Title: Re: Worm.Rontok
Post by: dbrisendine on September 04, 2016, 08:06:45 PM

AdwCleaner should have made a log file in the C:\AdwCleaner directory (depending on where in the process it encountered the hang)..  It would be AdwCleaner[S#].txt for the scan, whereas AdwCleaner[C#].txt would be the cleaning log.  Can you see if there is a log of either one there and post it (both would be nice also)?