Topic: Trojan.Zapchast.131584

rdmaloyjr

  • Guest
Trojan.Zapchast.131584
« on: June 19, 2005, 02:38:56 AM »
Bit Defender found Trojan.Zapchast.131584 on my computer.  Bit Defender couldn't disinfect or move it.  Avast doesn't detect it.  Ewido doesn't detect it.  Here is the location given by Bit Defender:  C:\RECYCLER\S-1-5-21-3895149624-824023418-3409356266-1006\Dc18.exe=>(NSIS o)=>lzma_nsis0006   Infected Trojan.Zapchast.131584

The only info on the web that I can find is at http://www.antiviruslab.com/description.php?virus=257037&lang=gb

How do I get rid of it?  Will Avast soon be able to detect & remove it?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Trojan.Zapchast.131584
« Reply #1 on: June 19, 2005, 03:04:13 AM »
Hi rdmaloyjr,

Your system is compromised by a dangerous open source rootkit trojan, so it seems, that has changed the kernel (Fu). For everybody on the internet, leave the internet; maybe the thing left to you is to format your system and reinstall. Save your data on an image disk first. If you want to try something different first, get flister from
http://invisiblethings.org/tools.html and unzip and scan in safe mode. Then rescan your system, but go off-line; your computer may be in third hands. If flister cannot find anything it may be dedrun, which is a low impact virus. You can upload the file to the Jotti scanner.

polonus
« Last Edit: June 19, 2005, 03:10:30 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

kamulko

  • Guest
Re: Trojan.Zapchast.131584
« Reply #2 on: June 19, 2005, 03:06:34 AM »
Sorry Polonus, I wrote at the same moment you were posting: I didn't see it first.

ADDED: you can also surf to www.sysinternals.com and download RootkitRevealer

Hei, Friend Polonus, this girl  Joanna Rutkowska has a great knowledge and... she's veeeery pretty!  ;)
« Last Edit: June 19, 2005, 03:14:33 AM by Kamulko! »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojan.Zapchast.131584
« Reply #3 on: June 19, 2005, 09:28:29 AM »
Hi rdmaloyjr,

The Trojan is hiding in your rubbish bin! (Recycle Bin)

The solution is to make sure you empty the Recycle Bin for each user on your computer. If this doesn't work, please manually delete the folder C:\Recycler as described in this link.

http://forums.aspfree.com/archive/t-39154/Crecycler

I see nothing in your post that suggests you have a rootkit on your system: more likely a new variant of the Trojan. If you are familiar enough with computers, you could submit the file to Jotti's Scanner.

Edit: OK, I see why Polonus was concerned. Kaspersky uses Zapchast as an alias of the FU rootkit. On the other hand, McAfee uses Zapchast as the name of a low risk Trojan dropper. It would be good to know what we are dealing with here, so a Jotti scan would be highly desirable!

http://virusscan.jotti.dhs.org/

If it is detected as malware by other programs but not avast!, please submit it to avast! for analysis. Send the file to virus@avast.com, with a short explanation, in a password protected Zip file: password virus.
« Last Edit: June 19, 2005, 10:21:24 AM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

Re: Trojan.Zapchast.131584
« Reply #4 on: June 19, 2005, 11:49:54 AM »
I found another solution to this problem on Experts' Exchange. (Here the file dc18.exe was detected as adware by Norton.)

Quote
When I run NAV it displays a file "Dc18.exe"  I'm unable to locate that file and NAV is unable to delete it.  Under Item Information, it says The file C:\RECYCKER\S-1-5-21-1229272821-1604221776-725345543-1003\Dc18.exe is a Adware threat.

Quote
1. Restart your machine in safe mode and log in as Administrator
2. Go to My Computer > Tools > Folder Options > View, turn on Show Hidden Files and untick Hide Protected Operating System Files
3. Open the C: drive; you should see a Recycler folder here, open it
4. You should see some hidden recycle bins here; open each bin one by one and delete all the files present in them
5. After that run the Norton scan again in safe mode and delete anything it detects
6. Restart in normal mode and check for the problem now :)

Quote
Thank you, your suggestion worked perfectly

http://www.experts-exchange.com/Security/Bugs_Alerts/Q_21238666.html

This makes me think you're probably not dealing with a rootkit here.  :)
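The clean-up described in Reply #3 and in the quoted Experts' Exchange steps comes down to looking inside every per-user bin under C:\RECYCLER, including bins belonging to accounts you are not logged in as. As an added example (not code from the thread or from any poster), the Python below builds a constructed stand-in for that folder tree, using the SID from the original post plus a second constructed bin, and inventories each SID-named bin, flagging any file that starts with the MZ header of a Windows executable, so you can see what is sitting in all users' bins before emptying them.

```python
import os
import re
import tempfile

# Windows 2000/XP keeps one hidden bin per user under <drive>:\RECYCLER,
# named after the user's SID. Deleted files inside it are renamed
# D<drive letter><n>.<ext>, which is why the flagged file shows up as
# "Dc18.exe" rather than under its original name.
SID_BIN = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def is_pe(path):
    """True if the file begins with the 'MZ' header of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def inventory_recycler(root):
    """List every file in each per-user (SID-named) bin under a RECYCLER folder."""
    findings = []
    for entry in sorted(os.listdir(root)):
        bin_dir = os.path.join(root, entry)
        if not (os.path.isdir(bin_dir) and SID_BIN.match(entry)):
            continue  # skip anything that is not a per-user bin
        for name in sorted(os.listdir(bin_dir)):
            path = os.path.join(bin_dir, name)
            if os.path.isfile(path):
                findings.append({"sid": entry, "name": name,
                                 "size": os.path.getsize(path),
                                 "is_pe": is_pe(path)})
    return findings


def build_sample_recycler():
    """Constructed stand-in for C:\\RECYCLER (test data only, no real malware)."""
    root = tempfile.mkdtemp(prefix="recycler_")
    bins = {  # first SID is the one from the original post, second is made up
        "S-1-5-21-3895149624-824023418-3409356266-1006": {"Dc18.exe": b"MZ" + b"\x00" * 62},
        "S-1-5-21-3895149624-824023418-3409356266-500": {"Dc3.txt": b"old notes"},
    }
    for sid, files in bins.items():
        os.makedirs(os.path.join(root, sid))
        for name, data in files.items():
            with open(os.path.join(root, sid, name), "wb") as fh:
                fh.write(data)
    os.makedirs(os.path.join(root, "NotABin"))  # non-SID folder, must be ignored
    return root


if __name__ == "__main__":
    for f in inventory_recycler(build_sample_recycler()):
        flag = "EXECUTABLE" if f["is_pe"] else ""
        print(f'{f["sid"]}\\{f["name"]}  {f["size"]} bytes  {flag}')
```

On a real machine, point `inventory_recycler` at the RECYCLER folder of each drive; files the inventory reports as executables are the ones worth submitting to Jotti or to avast! before the bins are emptied.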

Offline polonus

Re: Trojan.Zapchast.131584
« Reply #5 on: June 19, 2005, 01:19:43 PM »
Hi FreewheelinFrank,

Thank you for your second opinion. If it is really the not-that-virulent one, the trojan you meant, it is low risk and easy to remove. I would advise our friend, rdmaloyjunior, to install the free version of a-squared and scan with the a-squared start center to have a way of scanning his whole system for trojans; it is complementary and good, as long as you update it regularly.

Have a nice day,

polonus

Offline polonus

Re: Trojan.Zapchast.131584
« Reply #6 on: June 19, 2005, 02:03:49 PM »
Hi FreewheelinFrank,

I delved further into this thing and came up with this listing from the VIRUSPOOL. If the conclusion is right, and we have it from rdmaloyjunior that the zapchast trojan was found by Bitdefender, we can come to this list here: called  Backdoor IRC Zapchast by Bitdefender, Flooder Program by H+BEDV Antivirus, IRC Showdown by Panda Software, Trojan Irc.Zapchast by MKS_VIR, DR/PSW.Zapchast12 by AVIRA Desktop for Unix

There you can conclude what category we have here FreewheelinFrank.

greets,

polonus
« Last Edit: June 19, 2005, 02:12:00 PM by polonus »

Offline FreewheelinFrank

Re: Trojan.Zapchast.131584
« Reply #7 on: June 19, 2005, 05:06:43 PM »
An interesting link there Polonus, from a compatriot of yours, I believe? A useful tool for comparing names given to a virus...

I guess we'll have to wait and see what Jotti says about the file. Interestingly, Bitdefender doesn't have any information about Zapchast on its site. Even at Viruspool it seems impossible to find an exact match, although an IRC Trojan seems most likely, as you suggest.

Touch wood clearing out the Recycle Bin should get rid of it!

Offline polonus

Re: Trojan.Zapchast.131584
« Reply #8 on: June 19, 2005, 05:59:31 PM »
Hello FreewheelinFrank,

I am interested too in what we will actually get as a result. I for one now think, with the showdown and flooder names, that it is a script to flood other IRC gamers; in that case it is quite harmless to one's own OS but not so friendly to a competitor.

This is good advice for people who have been warned by their AV program that an infected file has been found?
Open up a text editor like Notepad and type detailed answers to the following questions, according to the 10 steps proposed.
1. How was it detected? What was scanning, you yourself or the background scanner? When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.?
2. What was the source of the file, where did the file come from: address, URL, source?
3. When was it downloaded or received?
4. What is the exact file name with extension?
5. What was the exact wording of the message that the AV program came up with? This is important.
6. Now go back and do nothing. Scan the particular file again with your AV product. If the message is not in the same wording or the scan does not turn up anything, this could be a false positive.
7. Check with an online scanner or upload to Jotti for a second opinion.
8. Go get informed: ask a Virus Encyclopedia or Virus Central, put a question on a forum.
9. Make an informed decision on the basis of what you have found.
10. Inform others about what you have learned; if the file came from a reliable source, programmer etc., send a friendly e-mail with your findings. This will help us all.

Keep up the good work, 8)

regards,

polonus
« Last Edit: June 19, 2005, 06:14:46 PM by polonus »

rdmaloyjr

  • Guest
Re: Trojan.Zapchast.131584
« Reply #9 on: June 19, 2005, 06:29:22 PM »
Thank you FreewheelinFrank! 

I wasn't sure recycler & recycle bin were the same.  I deleted the contents of my recycle bin and then ran Bit Defender again.  This time the scan came up clean!

I probably should've sent the file to Avast, but I don't know how to.  I did try to scan with Jotti, but I hit browse & couldn't find the file.

Ewido is supposed to have much better detection than A-squared so I didn't bother to download A2 as ewido couldn't detect Trojan.Zapchast.131584.

It looks as though it is a good idea to have Bit Defender Free (scan only) along with Avast. 

Offline FreewheelinFrank

Re: Trojan.Zapchast.131584
« Reply #10 on: June 19, 2005, 08:06:23 PM »
Polonus,

I think you should put your suggestions in a new topic so everybody can comment: the end result could perhaps become a sticky thread because there are a lot of people just saying 'I've got a virus, please help!' when they post a problem.

FF