My antivirus cannot find whatever is downloading malware onto my computer.
6 replies to this topic

#1 Famardy (Members, 12 posts)

Posted 22 June 2013 - 02:23 PM

Hello, and thanks in advance for whatever help you can give me. I read the posting guide so hopefully I can manage to give you enough information for whatever the next step in this should be. My OS is Vista.

The family computer got infected a few months ago and we used both Norton's and Malware Bytes to remove multiple viruses (someone made the unfortunate decision to download from a file sharing site). As time went by it became obvious that we didn't get everything, because every couple of weeks Norton's would catch and remove a new virus out of the blue, even if we weren't currently browsing the internet. It wasn't until yesterday that things started escalating, with the Norton's firewall catching and removing a new virus every 20 minutes or so. These are the names as defined by Norton.

Web Attack: Malicious Java Download 13 (qbz.massmedi.info/[very long extension]/jar)

Trojan.Zbot (ee04.tmp)

Suspicious.Pythia (abc.cfg)

Suspicious.Pythia was removed twice and the Java virus was removed three times (I don't even have Java installed, as far as I know). The Java virus would put a little window popup (only the header) at the top of the screen before Norton's caught and removed it. After playing with it for a bit I disconnected from the internet, and am sending this over my sister's laptop.

Neither Norton's nor Malware Bytes nor Spybot can find the "parent" virus that is allowing these in, even though they're all updated and I did full scans. When I disconnect from the internet I will get the message "The webpage you requested is not available offline. To view this page, click connect." even though I am most certainly not attempting to view any page when this message occurs, and it will pop up seven to ten times before stopping once the internet is turned off. I'm assuming this is related to my problem(s).

I've exhausted all of my limited computer knowhow attempting to fix this, with no success. Any advice?

#2 vulcain (Members, 165 posts, France)

Posted 22 June 2013 - 03:00 PM

Hello,

Personally, I will not make decisions, because there are disinfection specialists here, but if an internet connection is possible, if I were you I would do an online scan with Kaspersky.
Use Internet Explorer as your browser.
To avoid conflicts, turn off your own antivirus before the scan.

And if you cannot get internet access, boot into Safe Mode with Networking to run the scanner.
When you have a concern, doing an online scan with Kaspersky or another scanner is a way to wreak havoc on it.

This is in order to allow more flexible access to the Internet and to have your computer scanned by a specialist.

Cordially

Edited by vulcain, 22 June 2013 - 03:03 PM.


#3 Famardy (Topic Starter)

Posted 23 June 2013 - 03:40 PM

I let the Kaspersky security scan run through the night, and this is what it found:

HEUR:Trojan.Win32.Generic

emachines-english oem-eula.exe

D:\i386]Apps\App002432\wtsetup-english.exe\

There are twelve files like this, with the same Kaspersky definition and location on my D drive. The one difference is the executable name, which lists different languages (for instance: emachines-french oem-eula.exe, emachines-german oem-eula.exe, and so on).

Any idea how I should go about removing it? It's on the recovery drive, so I don't know how to get in there to remove it manually, and I don't know if it would be safe to do that anyhow. Thanks for the help so far. I'm one step closer to getting this fixed.


Edited by Famardy, 23 June 2013 - 03:40 PM.
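A check a practitioner would want before deleting anything from a recovery partition, added here as an example and not part of the original thread: the detections in the post above are heuristic ("HEUR:"), and OEM EULA and setup installers on a factory recovery image are a frequent source of heuristic false positives. The script below walks the recovery directory and records the SHA-256 hash and Authenticode signature status of every executable, so each hash can be looked up against the OEM's or a multi-engine scanner's records from a clean machine before deciding whether to remove the files or trust the image. The root path `D:\i386` is taken from the post and is an assumption (the full path in the post is garbled); adjust it to the real mount point. Hashing is done through .NET rather than `Get-FileHash` so the script runs on the PowerShell 2.0 available on Vista.

```powershell
# Added example (not from the thread): inventory executables on a recovery
# partition with SHA-256 and Authenticode status so heuristic AV hits can be
# triaged on a clean machine. $Root is an assumption taken from the post.
param(
    [string]$Root   = 'D:\i386',
    [string]$Report = "$env:USERPROFILE\Desktop\recovery-exe-inventory.csv"
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0 (Vista); Get-FileHash needs 4.0+.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# -Include only filters when combined with -Recurse; PS 2.0 has no -File switch,
# so directories are dropped with PSIsContainer.
$rows = Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Sha256    = Get-Sha256Hex -Path $_.FullName
            SigStatus = $sig.Status     # Valid / NotSigned / HashMismatch / ...
            Signer    = $signer
        }
    }

# Full inventory goes to CSV (carry it to a clean machine on removable media);
# the console gets a summary by signature status.
$rows | Export-Csv -Path $Report -NoTypeInformation
$rows | Group-Object SigStatus | Select-Object Name, Count | Format-Table -AutoSize

# Files worth a second look: unsigned or altered (HashMismatch) binaries.
# A Valid OEM signature is strong evidence of a heuristic false positive. An
# unsigned binary on a recovery image is not proof of infection by itself, but
# a HashMismatch means the file no longer matches what the vendor signed and
# the image should not be trusted for a reinstall until that is explained.
$rows | Where-Object { $_.SigStatus -ne 'Valid' } |
    Select-Object SigStatus, Sha256, Path | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected machine while it stays disconnected from the network, then check the hashes from the CSV on a known-clean computer. Whatever the result, the backdoor verdict on the C: drive stands on its own; this check only decides whether the recovery partition can still be used for the reinstall.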


#4 boopme (Global Moderator, 73,072 posts, NJ USA)

Posted 23 June 2013 - 10:38 PM

Hello, about this..

Infection
The Trojan.Zbot files that are used to compromise computers are generated using a toolkit that is available in marketplaces for online criminals. The toolkit allows an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers.

The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, MySpace, Facebook, or Microsoft. The message body warns the user of a problem with their financial information, online account, or software and suggests they visit a link provided in the email. The computer is compromised if the user visits the link, if it is not protected.

Functionality
This Trojan has primarily been designed to steal confidential information from the computers it compromises. It specifically targets system information, online credentials, and banking details, but can be customized through the toolkit to gather any sort of information. This is done by tailoring configuration files that are compiled into the Trojan installer by the attacker. These can later be updated to target other information, if the attacker so wishes... Symantec Corp.

One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Edited by boopme, 23 June 2013 - 10:40 PM.


#5 Famardy (Topic Starter)

Posted 24 June 2013 - 09:53 PM

Thanks for the advice, and the documentation. My computer hasn't been connected to the internet since I initially disconnected, so I'm hoping that there's only a minimal chance that my data has been stolen. Even so, I'm changing all of my passwords and I'm having the family do the same (on a different computer, of course).

My hope is to try and disinfect it first, though depending on what is found in that process I may reformat, especially if that remains your recommendation. With that in mind, what's the next step?



#6 boopme (Global Moderator, 73,072 posts, NJ USA)

Posted 24 June 2013 - 10:26 PM

Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.

#7 Famardy (Topic Starter)

Posted 25 June 2013 - 09:21 PM

I made the post in the appropriate forum with the requested information.