Is the Zeus Virus Gone from My Computer


This topic is locked. 8 replies to this topic.

#1 chembel (Members, 73 posts)

Posted 20 November 2016 - 01:28 PM

I had the window that popped up and said "Windows detected Zeus Virus..." I went and searched the content and I ran the following programs:

 

RKill

TDSS Killer

AdwCleaner

Malwarebytes

and Malwarebytes again.

Farbar Recovery Scan Tool (x64) Version (Just the Scan, I did not fix anything)

 

I have attached the log files. I don't have the log file from TDSS Killer. Sorry.

 

It feels like there is still something in my web browser that is left over from this as it no longer goes to the original Home page that I had set.

 

Could someone look at this and tell me if it is gone?

 

Thank You

 

chembel

Attached Files



#2 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 21 November 2016 - 01:57 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this process via the Control Panel > Programs > Programs and Features.
YourTemplateFinder Internet Explorer Homepage and New Tab (HKU\S-1-5-21-3076794075-2466250967-3951366124-1001\...\YourTemplateFinderTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3076794075-2466250967-3951366124-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/yourtemplatefinder/ttab02/index.html?n=782B6D26&p2=^BNF^xdm007^TTAB02^us&ptb=20861166-5305-41FF-9709-04687B6C9A56&si=CJqwt9CbtdACFQobaQodU_UJgQ&coid=4d9eb583f0b24f19a22b2f193c68ae20
Task: {1F48922B-547A-4B47-8200-533883FDEA2A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {2407029F-249D-46E1-BAF1-490D9CD3A683} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {50C132E6-21A2-429F-982F-4086E49DF627} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {63930F33-B7DB-44B6-B13B-036BD206EE54} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {6D85BF4E-D1C7-4539-AF6E-CB2ACB1C575A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {70EA9D98-0417-448D-A41E-33F76E8B7306} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {788BFFE0-3381-4E36-B719-BF4ABBAEA06C} - \WPD\SqmUpload_S-1-5-21-3076794075-2466250967-3951366124-1001 -> No File <==== ATTENTION
Task: {799E2827-DC50-4C50-A735-3856208A5B1F} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {8B08FF65-6C37-4CAA-9DA9-ADA0EA82C5AC} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {AD3D5BE1-6D25-43F9-A8ED-D6C005E9252B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {BAB69C91-CEDD-4091-9B20-2884559727D1} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {BEFBCEBC-F966-4C46-8A2E-BAC7764F4CBA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {C30C68D2-1F87-4D22-AA7F-FB891BAC7976} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {CF45AC39-5494-4567-9D5C-F84A539E400A} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
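Added example, not part of nasdaq's post or of the FRST tool: a PowerShell audit that re-checks the three things the fixlist above targets (the Mindspark/YourTemplateFinder uninstall entry, the hijacked Internet Explorer Start Page, and scheduled tasks whose executable no longer exists, which FRST prints as "-> No File"), so that after the Fix and the reboot you can confirm they are gone rather than take the Fixlog on faith. The SID is the one in this thread's FRST log; substitute your own. The function names, the search patterns, and the assumptions that the affected user is logged in (so their HKEY_USERS hive is loaded) and that Get-ScheduledTask is available (Windows 8 or later) are mine.

```powershell
# Added example, not from the original thread or the FRST tool. Re-checks the
# indicators nasdaq's fixlist targets: the Mindspark/YourTemplateFinder uninstall
# entry, the IE Start Page hijack, and scheduled tasks whose executable is gone
# (what FRST prints as "-> No File"). Run from an elevated PowerShell while the
# affected user is logged in, so that HKEY_USERS\<SID> is loaded.
# Assumptions: the SID below is the one in the thread's FRST log (substitute yours);
# Get-ScheduledTask needs Windows 8 / Server 2012 or later.
$Sid = 'S-1-5-21-3076794075-2466250967-3951366124-1001'

function Find-SuspiciousUninstallEntries {
    param(
        [string]$Sid,
        [string[]]$Patterns = @('Mindspark', 'YourTemplateFinder', 'Tooltab')  # assumed search terms
    )
    $roots = @(
        "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Uninstall",
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            $haystack = "$($key.PSChildName) $($p.DisplayName) $($p.Publisher)"
            $hit = $Patterns | Where-Object { $haystack -match [regex]::Escape($_) } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{
                    Matched   = $hit
                    Key       = $key.Name
                    Name      = $p.DisplayName
                    Publisher = $p.Publisher
                    Uninstall = $p.UninstallString
                }
            }
        }
    }
}

function Get-IEStartPage {
    param([string]$Sid)
    $key = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Internet Explorer\Main"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    (Get-ItemProperty -LiteralPath $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
}

function Find-OrphanedTasks {
    # A task whose action points at a file that no longer exists is the leftover
    # FRST flags; in this thread the GWX (Windows 10 upgrade nag) tasks.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute      # $null for COM-handler actions, which have no Execute
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            # Bare names such as "cmd.exe" resolve through PATH; only absolute paths are checked.
            if ([IO.Path]::IsPathRooted($exe) -and -not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; MissingFile = $exe }
            }
        }
    }
}

# Report: anything listed here survived the Fix and needs another look.
Find-SuspiciousUninstallEntries -Sid $Sid | Format-Table -AutoSize
$start = Get-IEStartPage -Sid $Sid
if ($start -match 'myway\.com|mindspark') { Write-Warning "IE Start Page still hijacked: $start" }
else { "IE Start Page: $start" }
Find-OrphanedTasks | Format-Table -AutoSize
```

The script only reports; it changes nothing, so it is safe to run before the Fix as a baseline and again afterwards. An empty uninstall table, a Start Page that is no longer on myway.com, and no orphaned tasks match what the fixlist was written to remove. An orphaned task by itself is not proof of malware (the GWX ones are harmless debris from the upgrade tool), but a task pointing at a deleted file under a user profile or a temp directory is worth investigating.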

#3 chembel (Topic Starter, Members, 73 posts)

Posted 21 November 2016 - 04:52 PM

Here is the log file.

 

The computer seems to be fixed.

 

I had some problems using Programs and Features to remove the Your Template Finder program. I have attached the error statement that it gave me. I used Revo Uninstaller to do a scan after the error and removed the files that it found.

 

Then when I restarted, I was still on the funky home page, but IE asked to reset the home page to MSN and I said to allow. I restarted again and now everything seems to have been taken care of.

 

I kept getting an error from Windows saying I did not have Virus Protection. But now it seems to have stopped doing that. So I think everything is okay.

 

Thank you so much for your assistance!

Attached Files



#4 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 22 November 2016 - 09:23 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 chembel (Topic Starter, Members, 73 posts)

Posted 22 November 2016 - 10:18 AM

Yes,

 

All is well. I have read the guide and will try to keep it in mind as I am going along.

 

Thank you so much for your assistance. I really appreciate it. You can consider this topic closed.



#6 chembel (Topic Starter, Members, 73 posts)

Posted 29 November 2016 - 11:48 AM

Sorry about that, Nasdaq,

 

I replied in the messenger. Here is my reply from the Messenger.

 

Okay,

 

I was able to get it to start. I am not exactly sure how I did it, but eventually, after a hard shutdown and then trying to hit the Fn+F8 keys as fast as I could at startup, it actually booted back into Windows.

 

So I took a stab and tried running these programs again:

 

Rkill

TDSS Killer

Malwarebytes

AdwCleaner

HitmanPro

 

I am replying on a different computer because right now I am running Sophos Endpoint Security and Control, which is her paid Antivirus Scanner. I don't want to be working on it right now.

 

I have attached the log files.

 

I did not run FARBAR. I can do that if you think it would be beneficial.

 

 

Attached Files



#7 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 29 November 2016 - 01:35 PM

Run the Farbar tool if you still have issues?

#8 chembel (Topic Starter, Members, 73 posts)

Posted 29 November 2016 - 02:04 PM

Honestly, I feel like I have it solved this time.

 

After running HitmanPro, I went in and did CCleaner, reset IE and cleared all of the stuff from Edge that I could select. It feels like it is solved. Again, I have gone over the procedures with her and let her know that she has to be really careful especially when searching for websites. Hopefully this is the last time you will hear from me about this computer.

 

Thank you again for all of your assistance.

 

chembel



#9 nasdaq (Malware Response Team, 38,569 posts, Montreal, QC. Canada)

Posted 30 November 2016 - 08:37 AM


I suggest the installation of the HOSTS file from Winhelp2002

Blocking Unwanted Connections with a Hosts File
http://winhelp2002.mvps.org/hosts.htm

You can read about it before proceeding.
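Added example, mine and not part of nasdaq's post or of the Winhelp2002 page: a PowerShell parser for the Windows hosts file to run before and after installing the MVPS list. It separates block entries (a name mapped to 0.0.0.0, 127.x.x.x or ::1, the form a block list uses) from redirects (a name mapped to any other address), because the hosts file is also a classic hijack target and an entry that sends a real site to a foreign address is exactly what an infection would leave behind. The path, function names and the report at the end are assumptions; the hosts file format itself (address, whitespace, one or more names, optional # comment) is standard.

```powershell
# Added example, not from the original thread or the MVPS page. Parses the
# Windows hosts file and separates block entries (loopback / null address, the
# form a block list such as the MVPS one uses) from redirects, which point a
# name somewhere else and are the hijack pattern to look for.
# Function names and the default $Path are assumptions.
function Get-HostsEntryKind {
    param([string]$Address)
    if ($Address -match '^(0\.0\.0\.0|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1)$') { 'block' } else { 'redirect' }
}

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $lineNo = 0
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()          # drop comments and padding
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }           # malformed: address without a name
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Line    = $lineNo
                Address = $address
                Host    = $name.ToLowerInvariant()
                Kind    = Get-HostsEntryKind -Address $address
            }
        }
    }
}

function Test-HostsBlocked {
    # True when the name is present and every entry for it is a block;
    # a single redirect for that name makes this return False.
    param([string]$Name, [object[]]$Entries = (Get-HostsEntries))
    $hits = @($Entries | Where-Object { $_.Host -eq $Name.ToLowerInvariant() })
    return ($hits.Count -gt 0) -and (@($hits | Where-Object Kind -eq 'redirect').Count -eq 0)
}

# Report. A stock Windows hosts file contains only comments, so this shows
# 0 entries until a block list is installed.
$entries   = @(Get-HostsEntries)
$redirects = @($entries | Where-Object Kind -eq 'redirect')
'{0} entries: {1} block, {2} redirect' -f $entries.Count, ($entries.Count - $redirects.Count), $redirects.Count
if ($redirects) {
    Write-Warning 'Redirect entries (verify each one; malware uses these to reroute sites):'
    $redirects | Format-Table -AutoSize
}
# Spot check after installing the list: pick a domain from the MVPS file itself.
# Test-HostsBlocked -Name 'some-domain-from-the-list.example' -Entries $entries
```

Reading the hosts file needs no elevation; replacing it with the MVPS one does, and Windows Defender or another antivirus may object to the write, so install the list from an elevated session and re-run the parser afterwards. If the report shows any redirect entries you did not create yourself, treat that as a finding, not as part of the block list.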



