Infected by Win32 and trojan INI:Shortcut

Solved
Sakura01 Posted messages 334 Status Member
Hello,

It's been a while since I ran my antivirus at startup. Not good at all.
I have Avast!

I ran it and it immediately tells me that I'm infected by INI: Shortcut - Trj

What I find hard to understand is that it finds it in a bookmark link that I haven't touched in ages, via C:// Documents and settings / Administrator / Favorites / Bookmark name / Link name
The scan is not finished on my PC, I've requested that everything be quarantined.

What else should I do, please?

Avast! has never warned me!!!!

Thanks in advance. Have a good day.

Configuration: Windows XP / Firefox 25.0

13 replies

Anonymous user
Hello

You empty this quarantine.

And then you do this:
Download Dr Web CureIt to your Desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

- Double click drweb-cureit.exe and then click on Scan;

- Click Ok on the quick scan prompt. If it finds infected processes then click the Yes button.
Note: a window will open with options for "Order" or "50% off": Exit by clicking the "X".
- When the quick scan is complete, click on the Options menu then Change configuration; Select the Scanner tab, and uncheck Heuristic analysis. Then click Ok.
- Back to the main window: click to enable Full scan
- Click the button with the green arrow on the right, and the scan will begin.
- Click Yes for everything at the Disinfect? prompt when a file is detected, and then click Disinfect.
- When the scan is completed, see if you can click on the icon adjacent to the detected files (several sheets on top of each other). If so, then click on it and then click on the Next icon below, and choose Move the unwanted object to quarantine.
- From the main menu of the tool, at the top left, click on the File menu and choose Save report. Save the report to your Desktop. It will be named DrWeb.csv
- Close Dr.Web CureIt
- Restart your computer (important as some files may be moved/repaired on restart).
- After the restart, post (Copy/Paste) the content of the Dr.Web report in your next reply.

@+

--
--------Security Contributor---------
We have all been beginners in something at one point.
But knowledge is the reward for diligence.
Sakura01 Posted messages 334 Status Member
Thank you, I will do that as soon as it is finished. For now, barely 30%!

That being said, should I still do it even though I just saw that it detected something else?

I'm actually super infected!!! I see that I have something in Internet Explorer, which I never use...................

I also have in Program Files / Internet Explorer / minftnet.exe infected by Win32: GibMedia - A [PUP]

And in System Volume Information/_restor/ (lots of numbers I didn't note everything) / A0148392.exe infected by the same win32!!!

Thank you very much.
Anonymous user
Stop Avast and move on
Thank you

--
--------Security Contributor---------
We have all been a beginner at something at some point.
But knowledge is the reward for diligence.
Sakura01 Posted messages 334 Status Member
Oops sorry, I just read your response. So Avast! is done :( I didn’t react sooner.

When I go into Quarantine, I don't find what I was supposed to have put there today, and nothing dated 2013. Should I empty it or not? Because I don't know where it went...

Thank you.
Sakura01 Posted messages 334 Status Member
DrWeb has done the analysis....
It found an infection (if it is one?!), and next to it there is Neutralize.
Below, it details the "threat" (adware I can't remember, related to softonic-something) with options for action (delete, move, allow).

Does "neutralize" mean your "Yes" in case of infection?

Should I continue then? :)

Sorry if I seem clueless, for want of a better word :s thank you.
Anonymous user
Re

It's good.

Let's continue.

Download AdwCleaner (by Xplode) to your desktop.
Launch it, click on [Scan] and wait for the scan to finish.
Once the scan is complete, click on the [Clean] button.
Wait during the cleaning process. Read the message that appears, then click Ok. The PC will restart automatically and the report will open at the end of the reboot.
Post the report

Note: The report is also saved under C:\AdwCleaner[S1].txt

@+

--
--------Security Contributor---------
We have all been beginners at something at one point.
But knowledge is the reward of diligence.
Sakura01 Posted messages 334 Status Member
Uh, for the rest, I can't manage. Are you sure your explanation corresponds to DrWeb?
Because I don't have a Scanner tab... I don't have a checkbox for "heuristic analysis" or anything like that.

I have neutralized it, and it said it was done successfully. But I don't understand the rest of the process!! Yet I'm not that clueless!!

I have tabs named General, Actions, Exclusions, Log. With checkboxes like "Automatically apply actions on threats," "shut down the computer after...," etc.
Anonymous user
You drop DrWeb
You switch to Adwcleaner
Thank you
Sakura01 Posted messages 334 Status Member
Here is the report. I don't really understand why that was removed.

I would have liked to understand why I was stuck on DrWeb...

# AdwCleaner v3.015 - Report created on 12/20/2013 at 17:25:28
# Updated on 12/10/2013 by Xplode
# Operating System: Microsoft Windows XP Service Pack 3 (32 bits)
# Username: Administrator - ELISE
# Executed from: C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option: Clean

***** [ Services ] *****

[#] Service Deleted: hshld
[#] Service Deleted: hsstrayservice
[#] Service Deleted: hsswd

***** [ Files / Folders ] *****

Folder Deleted: C:\Documents and Settings\All Users\Application Data\hotspot shield
Folder Deleted: C:\Documents and Settings\All Users\Start Menu\Programs\hotspot shield
Folder Deleted: C:\Program Files\hotspot shield
Folder Deleted: C:\WINDOWS\system32\hotspot shield
Folder Deleted: C:\Documents and Settings\LocalService\Application Data\hotspot shield
File Deleted: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z54fk1ul.default\invalidprefs.js

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted: HKLM\SOFTWARE\Classes\AddressBarSearch.SearchHook
Key Deleted: HKLM\SOFTWARE\Classes\AddressBarSearch.SearchHook.1
Key Deleted: HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted: HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9D5BD211-422C-4164-9298-BB4186A30F31}
Key Deleted: HKCU\Software\anchorfree
Key Deleted: HKCU\Software\hotspotshield
Key Deleted: HKLM\Software\hotspotshield
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\hotspotshield
Key Deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\hotspotshield

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v26.0 (fr)

[ File: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z54fk1ul.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [2176 bytes] - [12/20/2013 17:23:13]
AdwCleaner[S0].txt - [2138 bytes] - [12/20/2013 17:25:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2198 bytes] ##########
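To answer the question of why those items were removed (most of them belong to one product, Hotspot Shield, installed under several names), here is an added Python example, not part of this thread and not AdwCleaner's own code, that parses the report format shown above and groups the removed items by product keyword. The sample report is constructed from lines of the [S0] report quoted in the post; the keyword list is an assumption chosen for that report.

```python
import re

# Constructed sample: lines taken from the AdwCleaner [S0] report quoted in this thread
SAMPLE_REPORT = r"""
# AdwCleaner v3.015 - Report created on 12/20/2013 at 17:25:28
# Option: Clean
***** [ Services ] *****
[#] Service Deleted: hshld
[#] Service Deleted: hsstrayservice
***** [ Files / Folders ] *****
Folder Deleted: C:\Program Files\hotspot shield
File Deleted: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z54fk1ul.default\invalidprefs.js
***** [ Registry ] *****
Key Deleted: HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted: HKCU\Software\hotspotshield
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")          # e.g. ***** [ Registry ] *****
# Entry kinds are those seen in the report above; services carry a leading "[#] " marker
ENTRY_RE = re.compile(r"^(?:\[#\] )?(Service|Folder|File|Key) (Deleted|Found): (.+)$")

def parse_report(text):
    """Parse an AdwCleaner report into dicts with section, kind, action and target."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or '# ...' header line
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, action, target = m.groups()
            entries.append({"section": section, "kind": kind, "action": action, "target": target})
    return entries

def attribute(entries, keywords=("hotspotshield", "anchorfree")):
    """Group entries by product keyword (keywords are an assumption for this report).
    Targets are lowercased with spaces removed so that 'hotspot shield' folders and
    'hotspotshield' registry keys match the same keyword. Anything matching no keyword
    lands under 'unattributed' (here the hs* services and the CLSID) for manual review."""
    groups = {k: [] for k in keywords}
    groups["unattributed"] = []
    for e in entries:
        norm = e["target"].lower().replace(" ", "")
        hit = next((k for k in keywords if k in norm), "unattributed")
        groups[hit].append(e["target"])
    return groups
```

Running `attribute(parse_report(SAMPLE_REPORT))` puts two of the six items under hotspotshield and leaves four unattributed, which is exactly the set a reviewer should look up by hand before trusting the cleanup.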
Anonymous user
Re

Download Malwarebytes Anti-Malware here
https://www.malwarebytes.com/

* Install it (make sure to select "French"; do not change the installation settings) and update it.

* Study the tutorial to familiarize yourself with the program:

https://forum.pcastuces.com/sujet.asp?f=31&s=3

(that being said, it is very user-friendly).

Restart Malwarebytes by carefully following these instructions:

! Disconnect and close all running applications!

* Launch Malwarebytes. Under Vista, Seven, or Windows 8 (right-click the mouse "run as administrator")

* Proceed with an update

* Perform a scan of the type "Complete"

--> Let the program run (and do nothing else with the PC during the scan).
--> At the end, click on "Show results".
--> Ensure all infected items are checked, then click on "remove selected".

Note: if you need to restart your PC to finish the cleaning, do it!

Post the saved report after removing the infected items (in the "report/log" tab of Malwarebytes, the most recent one)

@+

--------Security Contributor---------
We have all been beginners at something at one time.
But knowledge is the reward of diligence.
Sakura01 Posted messages 334 Status Member
It's done, nothing was detected.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.20.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: ELISE [administrator]

12/20/2013 6:06:29 PM
mbam-log-2013-12-20 (18-06-29).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristic/Extra | Heuristic/Shuriken | PUP | PUM
Scan options disabled: P2P
Item(s) scanned: 332919
Elapsed time: 2 hour(s), 27 minute(s), 19 second(s)

Memory processes detected: 0
(No harmful items detected)

Memory module(s) detected: 0
(No harmful items detected)

Registry key(s) detected: 0
(No harmful items detected)

Registry value(s) detected: 0
(No harmful items detected)

Registry data item(s) detected: 0
(No harmful items detected)

Folder(s) detected: 0
(No harmful items detected)

File(s) detected: 0
(No harmful items detected)

(end)
Anonymous user
Re

We clean and finalize.

Download DelFix from Xplode

Run it.
You have 5 choices:

Reactivate UAC
Remove disinfecting tools (checked by default)
Create a backup of the registry
Purge system restore
Factory reset

You check the ones that are in bold
and you execute
The report is usually found here
C:\DelFix.txt

The rest of the security: http://forum.malekal.com/comment-securiser-son-ordinateur.html

@+

--
--------Security Contributor---------
We have all been a beginner at something at one time.
But knowledge is the reward of diligence.
Sakura01 Posted messages 334 Status Member
# DelFix v10.6 - Report created on 12/20/2013 at 20:46:42
# Updated on 11/11/2013 by Xplode
# Username: Administrator - ELISE
# Operating System: Microsoft Windows XP Service Pack 3 (32 bits)

~ Removal of disinfecting tools ...

Deleted: C:\AdwCleaner
Deleted: C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
Deleted: C:\Documents and Settings\Administrator\Desktop\drweb-cureit.exe
Deleted: HKLM\SOFTWARE\AdwCleaner

~ Purge of system restore ...

Deleted: RP #1043 [System Restore Point | 12/05/2013 19:21:52]
Deleted: RP #1044 [System Restore Point | 12/06/2013 19:41:42]
Deleted: RP #1045 [System Restore Point | 12/08/2013 10:00:21]
Deleted: RP #1046 [System Restore Point | 12/09/2013 12:08:15]
Deleted: RP #1047 [System Restore Point | 12/10/2013 12:16:10]
Deleted: RP #1048 [System Restore Point | 12/11/2013 18:15:46]
Deleted: RP #1049 [Software Distribution Service 3.0 | 12/11/2013 19:52:45]
Deleted: RP #1050 [System Restore Point | 12/13/2013 10:04:47]
Deleted: RP #1051 [Software Distribution Service 3.0 | 12/13/2013 22:08:07]
Deleted: RP #1052 [System Restore Point | 12/15/2013 12:22:11]
Deleted: RP #1053 [System Restore Point | 12/16/2013 17:35:35]
Deleted: RP #1054 [System Restore Point | 12/18/2013 12:21:36]
Deleted: RP #1055 [System Restore Point | 12/19/2013 19:29:53]

New restore point created!

########## - EOF - ##########

There you go, everything is clean apparently. Thank you very much.
Anonymous user
Re

I therefore propose to mark this subject as resolved.

@+

--
--------Security Contributor---------
We have all been a beginner at something at one point.
But knowledge is the reward of diligence.
Sakura01 Posted messages 334 Status Member
Thank you again!