Best Solution For DEEPTEEP Virus?

[SkilletSkool]

Hi.

I help one of my neighbors with their computer.  Recently I was cleaning up some installed apps they had accidentally clicke on and noticed something called DEEPTEEP.

Upon some investigation, I was able to find I is mostly a browser hijack (and a nasty one at that) but none of the sites I go to give much info to clean it except to download their own tool; none that I recognize as well known security product vendors.

One of the sites I did visit told me to use the browser cleanup took rfomr Avast yet their I cant seem to locate how to run the Avast clean up tool.  Also, DEEPTEEP had been preventing their Avast from updating as well and it took me a couple different tries to get their Avast updated.

Does anyone know of a good way to clean this browser hijack out from her computer without having to download some 3rd party tool?

[Asyn]

Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892

[SkilletSkool]

Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892

Thank you for the attention.  I was hoping to be pointed to a trusted article for proper removal since it is a well known virus, but I also understand it will help determine what other areas might be affected/infected.

I will do this as soon as I can, yet I will point out that it is frustrating to have to download another Antivirus/Malware tool, as well as creates a feeling that Avast is inferior to Malware Bytes  . 

I get the FRST tool as it is not an anti-virus/anti-malware tool.

I'll get back to you as soon as I can go to their location again.  I should be able to this week.

[Pondus]

I was hoping to be pointed to a trusted article for proper removal since it is a well known virus

Getting help from a malware expert is proper removal and much better then any "general" removal guide
And it is not a "virus" .... a virus is self replicating

I will do this as soon as I can, yet I will point out that it is frustrating to have to download another Antivirus/Malware tool, as well as creates a feeling that Avast is inferior to Malware Bytes

No security program have 100% detection or zero false positives

It is just like going to the Doctor, if the medicine you are using dont work the you have to try a New

And note: The two diagnostic logs from FRST are the important ones

[Michael (alan1998)]

Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892

Thank you for the attention.  I was hoping to be pointed to a trusted article for proper removal since it is a well known virus, but I also understand it will help determine what other areas might be affected/infected.

I will do this as soon as I can, yet I will point out that it is frustrating to have to download another Antivirus/Malware tool, as well as creates a feeling that Avast is inferior to Malware Bytes  . 

I get the FRST tool as it is not an anti-virus/anti-malware tool.

I'll get back to you as soon as I can go to their location again.  I should be able to this week.

Avast! and Malwarebytes serve two different functions. That's why MBAM will run along side AV products generally. So in some ways, yes, Avast! (and Norton, AVG, Kaspersky, McAfee etc) is inferior to Malwarebytes. Malwarebytes is a very common and powerful tool for end users to use. I run Malwarebytes for its ODS (On demand scanner) function, nothing else. FRST is not meant for end-users however. (Hence why when logs are posted, Sass Drake will pop by with instructions.

https://blog.malwarebytes.com/101/2015/09/whats-the-difference-between-antivirus-and-anti-malware/

I'd like to see how Avast! deals with something like a polymorphic virus - that'd be interesting to see.

[SkilletSkool]

That's probably the best description I've gotten over this.  Thanks!

As soon as I can get to my friends computer, Ill run both these as promised and return the results.

Thanks again for a basic, yet very informative description Michael!

[SkilletSkool]

Here are the logs from the infected computer.

I chose to Quarantine the items in Malware Bytes as it did not have the option to remove, only to quarantine.

Let me know the next best steps when you have had a chance to check them.

Thanks again!

EDIT:  Wanted to add the computer uses Avast Premier and while Farbar was doing its thing a warning dialog came up about the attempt Farbar was trying to make and I clicked on 'Allow App'

[SkilletSkool]

This is for a second device.   It is my neighbors computer and has nothing to do with my other post.

I have posted the logs requested.

[Pondus]

@SassDrake is notified ... it may take hours before he is online

[Sass Drake]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

Task: {9FEEFA8C-10BF-4E49-BD18-7459F23EB775} - System32\Tasks\Update_Deepteep => C:\Users\Merilyn\AppData\Roaming\AppSync\AppSync.exe
C:\Users\Merilyn\AppData\Roaming\AppSync
C:\Users\Merilyn\AppData\Roaming\ZUpdater
EmptyTemp:

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

[SkilletSkool]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

Task: {9FEEFA8C-10BF-4E49-BD18-7459F23EB775} - System32\Tasks\Update_Deepteep => C:\Users\Merilyn\AppData\Roaming\AppSync\AppSync.exe
C:\Users\Merilyn\AppData\Roaming\AppSync
C:\Users\Merilyn\AppData\Roaming\ZUpdater
EmptyTemp:

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

Here are the results.

Off hand, when I first opened Farbar it said it was updating then closed and I had to restart it.  Is this normal for the program?

[Michael (alan1998)]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

Task: {9FEEFA8C-10BF-4E49-BD18-7459F23EB775} - System32\Tasks\Update_Deepteep => C:\Users\Merilyn\AppData\Roaming\AppSync\AppSync.exe
C:\Users\Merilyn\AppData\Roaming\AppSync
C:\Users\Merilyn\AppData\Roaming\ZUpdater
EmptyTemp:

• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

Here are the results.

Off hand, when I first opened Farbar it said it was updating then closed and I had to restart it.  Is this normal for the program?

Farbar is configured to automatically check for updates - so yes, that's completely normal.

[Sass Drake]

Tell me what is status now?

[SkilletSkool]

Since the instructions given were to only run the FIX tool, I did not try to uninstall the DEEPTEEP app in the Apps and Programs menu. 

I did attempt a search and it was still running through deepteep in the browser address bar.

I will try tomorrow and report if it uninstalls or not, or did you want me to re-run MB and Farbar scan?

[Sass Drake]

Please provide new MBAM and FRST logs.