This morning while scanning the system with Emsisoft Emergency Kit a threat was detected. Of course the program removed it.
After removing the threat I scanned the system additionally with Eset Online Scanner, Norton Power Eraser, Kaspersky - everything is clean.
Bitdefender did not see it.
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Trojan.Qhost is Malwarebytes' generic detection name for malware that modifies the Windows system's hosts file.
blog.malwarebytes.com
Please run this scan and we will see what malware, if any, is present.
Also, your Hosts file may have been compromised.
Download the Farbar Recovery Scan Tool (FRST). Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Check the boxes as seen here:
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Please attach the logs for my review.
How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
(screenshot: http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png)
Do this for both files.
<<<>>>
Wait for further instructions
p.s.
The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program, trust it if downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
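Trojan.Qhost's defining behaviour is a rewritten hosts file, so the file itself is the first thing a responder checks. The following is an added example, not code from the thread or from any of the tools mentioned: it parses a constructed hosts file and tags the two patterns that matter, names pinned to a local address (blocking, e.g. of AV update sites) and names sent to a routable address (redirection).

```python
import ipaddress

# Constructed sample hosts file (not from the thread). The first two entries
# are the normal loopback lines; the rest imitate a hosts-file hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         adserver.example
203.0.113.7     update.example-av.test   # vendor site sent to a foreign host
203.0.113.7     www.example-bank.test
"""

EXPECTED_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (address, [hostnames]) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]

def audit_hosts(text):
    """Tag every entry 'ok', 'block', 'redirect' or 'malformed'.
    block    - name pinned to loopback/unspecified that is not a normal local
               name: this is how malware silently breaks AV update sites
    redirect - name mapped to a routable address, e.g. a bank site sent to
               a host the attacker controls
    """
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.extend((ip, n, "malformed") for n in names)
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in names:
            if local and name.lower() in EXPECTED_LOCAL_NAMES:
                verdict = "ok"
            elif local:
                verdict = "block"
            else:
                verdict = "redirect"
            findings.append((ip, name, verdict))
    return findings

def flagged(text):
    """Only the entries a responder needs to look at."""
    return [f for f in audit_hosts(text) if f[2] != "ok"]
```

On a real machine, read the text from C:\Windows\System32\drivers\etc\hosts and pass it to flagged(); a 0.0.0.0 "block" entry for an ad domain is normal for ad-blocking tools, whereas one for a security vendor's domain is not.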
Before you run this fix I need you to tell me if all the restrictions listed may have been set by a program you have executed.
The fix will not remove any of the files; only the restrictions will be eliminated.
If you are OK with this then proceed. If not let me know before doing anything.
Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.
Run FRST and click Fix only once and wait.
The Computer will restart when the fix is completed.
It will create a log (Fixlog.txt); please post it in your reply.
===
Please post the Fixlog.txt and let me know what problem persists.
p.s.
If you run this fix I would appreciate if you could scan the computer one more time with the Farbar program and post fresh logs for my review.
New logs.
Write me if everything is ok now. At my place the laptop was working normally. EEK scan showed a threat. That's how I wouldn't even know.
I don't know what to say. I thought I would never catch a trojan.
Thank you for your help. Please let me know if everything is ok now
The fix went very well and the new logs are clean.
What can you tell me about all the files/folders that were restricted?
Many of the restricted files were in \Temp folders such as ...AppData\Local\Temp\Temp
Are these files still there, some are .exe files such as:
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\LocalLow\*.exe <==== UWAGA
Can you write down the names of some of the files in that folder and post them in your next reply?
I suspect that these may be compromised files. Not sure.
Do not delete any of them until we have had a chance to investigate further.
These seem strange:
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\Temp\Temp*_*.zip\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.exe <==== UWAGA
The Temp*_*.zip\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.exe
\*\*\*... are names that you may recognize as operating system folders.
After the \Temp folder there is another folder called Temp*_*.zip, then another folder marked with an asterisk \*\, and another \*\, etc...
%USERPROFILE%\AppData\Local\Temp\Temp*_*.zip
Can you see the name of the folder identified with *?
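The path rules nasdaq quotes are Software Restriction Policy entries: the short one covers an .exe directly inside LocalLow, the long one an .exe sitting a fixed number of folders below a Temp*_*.zip folder. This added example (not code from the thread or from FRST) rebuilds those two rules, converts them to regular expressions and tests constructed paths against them, so that a reader can see exactly which files a rule covers; it assumes, as the post describes, that each "\*\" is one folder level, i.e. that "*" never crosses a backslash.

```python
import re

# The two path rules quoted from the FRST log above; the long one is rebuilt
# with exactly twenty "\*" segments instead of being typed out.
RULES = [
    r"%USERPROFILE%\AppData\LocalLow\*.exe",
    r"%USERPROFILE%\AppData\Local\Temp\Temp*_*.zip" + r"\*" * 20 + ".exe",
]

def rule_to_regex(rule, userprofile=r"C:\Users\alice"):
    """Turn an SRP-style path rule into a compiled regex.

    Assumption made by this example (taken from the post's description, not
    from Windows documentation): "*" matches any run of characters within a
    single path component and never crosses a backslash.
    """
    expanded = rule.replace("%USERPROFILE%", userprofile)
    body = "".join(r"[^\\]*" if ch == "*" else re.escape(ch) for ch in expanded)
    return re.compile("^" + body + "$", re.IGNORECASE)

def matching_rules(path, rules=RULES):
    """Return every rule whose pattern covers the given path."""
    return [r for r in rules if rule_to_regex(r).match(path)]

def wildcard_folder_levels(rule):
    """Number of wildcard folders between the fixed prefix and the file name
    (the last "\*" segment is the file name itself, not a folder)."""
    return rule.count(r"\*") - 1

# Constructed sample paths (not from the thread)
ZIP_DIR = r"C:\Users\alice\AppData\Local\Temp\Temp1_setup.zip"
DEEP_EXE = ZIP_DIR + r"\sub" * 19 + r"\installer.exe"    # 20 segments below the zip
SHALLOW_EXE = ZIP_DIR + r"\sub" * 5 + r"\installer.exe"   # too few levels to match
```

Under this reading the long rule only touches an executable exactly 19 folders below the extracted-archive folder, which is why nasdaq asks what the real folder names behind each "*" are.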
Hey I have the option enabled: Show hidden files, folders and drives and I have no other files. I only have what is in the picture.
I'm about to take a screenshot of the Opera folder.
But there is nothing suspicious in that directory.