Author Topic: Serious 'Trojan' issue  (Read 4311 times)

CCV

  • Guest
Serious 'Trojan' issue
« on: December 29, 2013, 09:29:38 AM »
Some, now unidentifiable so-called, "Trojan" was detected on my last weekly scheduled scan.
Fine, so far..
Following recommendation to restart and do boot scan, I find now ALL MY DOCUMENTS AND SETTINGS ARE GONE.

I'd like to give more info, but can't locate avast! log or quarantine files atm. Help, please!

Did System Restore for a couple days back - doesn't help.

Is it 'ironic' or just dumb luck that I installed Comodo firewall (as an 'extra layer of security') the other day?
« Last Edit: December 30, 2013, 02:47:19 AM by CCV »

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Serious 'Trojan' issue
« Reply #1 on: December 29, 2013, 09:40:28 AM »
Have you used an infected USB stick?


Start a new topic in the virus and worms forum section, here: http://forum.avast.com/index.php?board=4.0

Follow the instructions and attach (not copy and paste) the requested logs: http://forum.avast.com/index.php?topic=53253.0

We need Malwarebytes / OTL / aswMBR logs.

When done, removal experts will be notified and help you....



CCV

  • Guest
Re: Serious 'Trojan' issue
« Reply #2 on: December 30, 2013, 02:46:07 AM »
Thanks Pondus, will do.

To answer your question: No, I haven't used a USB stick of any description (probably ever) - nor, indeed, any different USB attached device nor any removable media for quite some time.

Also, found the Chest and Scan Log I wanted. They are accessible from the main Scan page.
Why it seemed important to me is I remember seeing a file associated with Documents and Settings being deleted after applying Fix Automatically. It was my NTUSER.DAT - and there's my problem. Didn't actually lose Documents (except a few on Desktop), just not available via Start Menu now.
The Quarantined items are (identical) Registry keys from two different Restore Points. Seems to me that is the only place I find malware lately.

CCV

  • Guest
Re: Serious 'Trojan' issue
« Reply #3 on: December 30, 2013, 03:47:35 AM »
Something I never noticed before is three folders, in Documents and Settings, having names related to My Computer Name. Each one of those also contains a copy of ntuser.dat, each of which is infected with the same thing.

I'm awaiting advice on log results before taking any action, tho.

jwoods301

  • Guest
Re: Serious 'Trojan' issue
« Reply #4 on: December 30, 2013, 04:19:10 AM »
Each account (including LocalService and NetworkService) has their own NTUSER.DAT registry file, so that is normal.

I would recommend downloading Malwarebytes free and running a Full Scan.

http://www.malwarebytes.org/

CCV

  • Guest
Re: Serious 'Trojan' issue
« Reply #5 on: December 30, 2013, 06:49:40 AM »
Thanks. Yes I can see several instances of ntuser.dat which do scan clean and are linked to my user account, and are kinda default like a new Windows install by the looks.
Btw, I have only one user account on this machine.

The infected files are in folders I've never seen before - named, like "Me.Computer Name" and the same again with .0000 and .0001 tacked on the end. They appear identical to the one which was deleted, judging by the date (and size).

Fwiw, Malwarebytes (using scan individual file option) doesn't find a threat where avast! does.
Besides, I need to wait for advice before running any cleaning program.

jwoods301

  • Guest
Re: Serious 'Trojan' issue
« Reply #6 on: December 30, 2013, 07:10:27 AM »
There are service accounts, as well as user accounts, on a Windows system...each has their own copy of NTUSER.DAT

I would be surprised to hear that Malwarebytes did not detect known malware...it is certainly possible, but I have used it successfully for many years.

You didn't give the full name of the "trojan" that was discovered by Avast.

Try uploading and scanning one of the "infected" files on VirusTotal.com and see what the result is...

https://www.virustotal.com/en/

This might be a false positive.

« Last Edit: December 30, 2013, 07:55:00 AM by jwoods301 »
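
The per-account NTUSER.DAT layout discussed in the replies above can be checked directly; this PowerShell sketch is an added example, not part of any post in this thread. It lists every profile folder that holds an NTUSER.DAT, names the account the registry's ProfileList key ties it to, and marks folders no account points at (such as leftover "Name.COMPUTER" copies or the default template). It assumes PowerShell is installed and the session runs as an administrator.

```powershell
# Added example: map each profile folder's NTUSER.DAT to the account that owns it.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Root folder holding the profiles (Documents and Settings on XP, Users on later versions).
$rootValue    = (Get-ItemProperty -Path $profileListKey).ProfilesDirectory
$profilesRoot = [Environment]::ExpandEnvironmentVariables($rootValue)

# One subkey per SID; ProfileImagePath is the folder whose NTUSER.DAT is loaded for that account.
$registered = @{}
foreach ($key in Get-ChildItem -Path $profileListKey) {
    $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $path) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($path).TrimEnd('\')
    $sid  = $key.PSChildName
    try {
        # Resolve the SID to DOMAIN\name; service accounts such as LocalService resolve too.
        $sidObject = [Security.Principal.SecurityIdentifier]$sid
        $account   = $sidObject.Translate([Security.Principal.NTAccount]).Value
    } catch {
        # Deleted accounts and renamed subkeys (for example a ".bak" suffix) land here.
        $account = '(unresolved)'
    }
    $registered[$path.ToLower()] = "$account ($sid)"
}

# Walk the profile folders; NTUSER.DAT is hidden, so -Force is required to read it.
Get-ChildItem -Path $profilesRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hivePath = Join-Path $_.FullName 'NTUSER.DAT'
    if (Test-Path -LiteralPath $hivePath) {
        $hive  = Get-Item -LiteralPath $hivePath -Force
        $owner = $registered[$_.FullName.ToLower()]
        if (-not $owner) { $owner = 'not in ProfileList (leftover copy or template)' }
        New-Object PSObject -Property @{
            Folder   = $_.Name
            Owner    = $owner
            Modified = $hive.LastWriteTime
            SizeKB   = [int]($hive.Length / 1KB)
        }
    }
} | Select-Object Folder, Owner, Modified, SizeKB | Format-Table -AutoSize
```

The Modified and SizeKB columns allow the same date-and-size comparison between copies that was done by hand earlier in the thread.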

CCV

  • Guest
Re: Serious 'Trojan' issue
« Reply #7 on: December 30, 2013, 08:51:07 AM »
"Known" malware depends on program's database. Why I use MBAM and SAS in conjunction with avast! - have for years too.

On Virustotal it is ONLY avast! that identifies it. Makes me wonder if it isn't a FP.
Had a prompt to update Silverlight the other day. Wondering if that was the source, and/or if it was legit.

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Serious 'Trojan' issue
« Reply #8 on: December 30, 2013, 11:04:44 AM »
Quote
Fwiw, Malwarebytes (using scan individual file option) doesn't find a threat where avast! does. Besides, I need to wait for advice before running any cleaning program.

Advice/help can't be given before we have the logs requested ..... the malware experts need to see what's in there before they can do anything

CCV

  • Guest
Re: Serious 'Trojan' issue
« Reply #9 on: January 02, 2014, 09:57:03 AM »
Yes, well..
Shouldn't've posted here in the first place. Sorry, it turned out to be a false alarm anyway.
(I was tired, worried and it was late and I just went for the first Help/Forum link I could find.) Besides, I did ask for help in locating log and chest files yet received none.

If you really need to know:
The 'virus' was identified as THIS