Computer Help forum

Question

How do I get rid of this threat on my computer

Hello,
I was surfing on the Net searching for subtitles on Firefox. I downloaded it through an installer (.exe) but when the download was complete Avast warned me there was a threat detected.
I run Avast and nothing came up. I removed the whole executive installer. I run Spybot&Destroy and removed some infected 'cookies' but nothing changed. So I tried to open again Firefox from the task bar and it automatically didn't open and opened a new window with a fake homepage 'chrome starter. ru'
I tried to uninstall Firefox and it's been removed truly but the Firefox icon and the task bar is still there! If I check its location it says C/Program Files x86/Firefox.exe ... but that doesn't exist!!!!
How can I get rid of it?!?

Thank you in advance

Clarification Request
typos

In reply to: How do I get rid of this threat on my computer

- searching for subtitles FOR A MOVIE
- I run Avast and nothing CAME UP.
- I tried to UNINSTALL Firefox and it's been removed truly but the Firefox icon and the task bar ICON is still there! If I check ITS location.

Try Grif's advice at link.

In reply to: typos

Clarification Request
clarification for the fake Firefox icon

In reply to: How do I get rid of this threat on my computer

THE PATH OF THE LOCATION IN PROPERTIES IS
C/Program Files (x86)/Mozilla Firefox/firefox.bat

And it's a WINDOWS BATCH FILE.

What should I do??!

Give machine details and OS so members can offer help.

In reply to: clarification for the fake Firefox icon

Dafydd.

Machine details and OS

In reply to: Give machine details and OS so members can offer help.

Laptop Compaq
Windows 7 Ultimate SP1 (64bit)
Firefox browser

Re: icon

In reply to: clarification for the fake Firefox icon

You can delete shortcuts, and create new ones as you wish.
A shortcut that points to something that doesn't exist (the firefox one), doesn't work of course.

The correct link to the Avast Safe Browser is "C:\Program Files\AVAST Software\SZBrowser\launcher.exe". If that file is still present, just make a new shortcut to it.

If you uninstall Firefox, don't forget to delete the Firefox profiles in your Appdata-folders. Otherwise you risk that after re-installing it just uses the old profile that you didn't like.

For Avast, you can consider uninstalling and reinstalling it after deleting its folders that aren't deleted by the uninstall (that is everything created by the program later).

Or (even easier), just go back to your latest image backup. In cases like this it's really pleasant to have one. Don't you make them?

RE: shortcuts

In reply to: Re: icon

I know that I can create shortcuts and/or delete whenever I want but the problem is that the shortcut on my desktop addresses to a fake location.
C:/Program Files (x86)/Mozilla Firefox/firefox.bat

The REAL Firefox has already been uninstalled. Actually I don't know where to look for this path because the 'Mozilla Firefox' folder into the Program Files does not exist anymore.

I have searched in the Mozilla help forum and I have been told I should delete the 'Firefox.bat' part from the path and put the real path AFTER re-installing Firefox.
Will that solve my problem? So easily?
TBH I don't think so, otherwise the advice suggested in this forum is useless (running Rkill, antispyware, malwarebytes, unhide.exe)....that seems a lot!

Please tell me if I just need to reinstall the programs and edit the fake paths of the fake shortcuts so that it'll become a SECOND shortcut for the real program and then merely delete it.
Will that solve my problem?

Or there is a malware into my computer that needs to be removed??!

typo

In reply to: RE: shortcuts

Or there is a MALWARE....

Clarification Request
avast safe zone browser

In reply to: How do I get rid of this threat on my computer

Also the avastsafezone browser is infected I guess.
the path ends always with 'launcher.bat'

Use Grif's advice.

In reply to: avast safe zone browser

Follow it properly and you should be OK. Do you have backups and restore media?
Dafydd.

Bat files

In reply to: Use Grif's advice.

I reinstalled Firefox now but haven't JUST YET tried the explanation in the link provided.
I just want to let you know that the THREE .bat files (fake firefox and fake avastsafezone AND fake Internet explorer) are as if they are installed! I can see them in the 'All programs' list from the Start Button.
But when I try to search for the location it doesn't exist.
What do you think?
Anyway, I'll follow the steps provided in the link.

Thanks and hope to get a detailed answer please

Re: .bat files

In reply to: Bat files

That's highly unusual indeed.

How do you know they are .bat files? What is their size, what is their content? A real batch file is small (less than a few kB), can be opened in Notepad and contains readable text then.
Are there .exe files also? Do those look OK (size and properties)? Do they work?

Let's start with Firefox, that you just installed. Set Explorer to NOT hide extensions of known filetypes to see the extensions.

You didn't answer Dafydd's question "do you have backup and restore media".

Answer

In reply to: Re: .bat files

Okay so....
I do not have backup or restore media.
I unchecked the 'hide file extension for known files' and there is NO extension near the fake Firefox and fake Avast Safezone browser.
They are just shortcuts. The shortcuts are just "connections" on the desktop of programs installed on the computer ....
I went into the Properties of these shortcuts:

Firefox shortcut:
Firefox
Target type: Windows Batch file
Target location: Mozilla Firefox
Target: "C:/Program Files (x86)/Mozilla Firefox/firefox.bat"

Start in:
"C:/Program Files (x86)/Mozilla Firefox"
Run: Minimised

The shortcut icon was the same of the real firefox icon (that's a fox and a blue background).
When I uninstalled the real Firefox the image icon of the fake Firefox shortcut has DISAPPEARED and became a white and green rectangle as icon image.

- - - - - - - - - -

As for the Avast Safezone Browser, it has ALWAYS been a white-and-green rectangle icon.

Avast Safezone Browser
Target type: Windows Batch File
Target location: SZ Browser
Target: "C:/Program Files/AVAST Software/SZBrowser/launcher.bat"

Start in:
"C:/Program Files/AVAST Software/SZBrowser"

Run: Minimised

- - - - - - -
I tried (in both the shortcuts) to open the different tabs in the Properties window (Options, Font, Layout and so on....) but it tells me there is an error and it's not possible to check it.

Both of these 'white-and-green rectangles' are in my All programs list! As if they are installed but they are "unknown applications" and can't be opened. Usually the green-and-white rectangle refers to applications that cannot be opened.

- - - - - -
I DID ALL THE STEPS AND SOME THREATS WERE FOUND AND REMOVED (Tweakbits for example) BUT THOSE SHORTCUTS ARE STILL ON MY DESKTOP AND PROGRAMS LIST!!!!!!
I do NOT want to open them.....should I just put them in the Bin?!
I really don't know what to do!!!
The threats were detected in MalwareBytes and SUPERANTISPYWARE in the registry and folders. NO SHORTCUTS threats found!

Rkill has detected nothing about threats.
I will show you the Rkill.txt in the next post.

Help please....thanks!

Re: Answer

In reply to: Answer

Not really OK.

I wasn't asking about the properties of the shortcuts. Those have a .lnk extension, that you don't see in Explorer, but only in CMD (dir command), and a target (the file they open if you click them). You already told about them in earlier posts.

I was asking instead about the files in the folder of the program in Program Files or Program Files (x86).
For example: can you see Firefox.exe in C:\Program Files (x86)\Mozilla Firefox? What size, what details in the properties? The firefox.exe file with me is 383 kB. Can you run it? Can you make your own shortcut to it? Does that shortcut work?

answer 2

In reply to: Re: Answer

Ok so....Idk how to attach pictures here anyway I'll explain it with my own words.

There is a real Firefox shortcut (firefox.exe). It redirects to the real firefox location and the real firefox.exe.
It works perfectly. It is big 383 kb as you had said.
Perfectly normal.
Actually the name in the real shortcut is 'Mozilla Firefox' and not just 'firefox' .....so that's the difference between the real shortcut (Mozilla Firefox) and the fake one (firefox).
- - - - - - - - -

Going into the Mozilla Firefox folder (which is in the program files x86) I can't see the bat file.... I even enabled the 'show hidden files' but nothing shows up with that name or extension. The same with the avast safe browser.exe. Also with this program, the real exe file exists, I can run it, it redirects to the right page and I can create a shortcut that works too. Again, even here, I can't find the fake bat launcher. It just doesn't exist.

ANYWAY, CHECKING THE SIZE OF THE SHORTCUTS.

The real Firefox shortcut is 1.08 KB.
The FAKE Firefox shortcut is 2.44 KB

The FAKE avast safezone browser shortcut is 1.95 KB.
- - - - - - - - -

What keeps me worried is that these two fake shortcuts are running minimised. What if I run them in normal window or maximised? What would happen?!

Moreover, the fake Firefox shortcut has been automatically pinned to the task bar (near the start button) so I think it should be located by default in
"%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" isn't it?
Let me check on that.... I can't find the Quick Launch folder. To be honest I don't know where my pinned items are located. Is there a way?

Thank you....

CLARIFICATION (Edit)

In reply to: Re: Answer

I found the pinned items location.

Code:
C:\Users\(User-Name)\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

I can see the shortcuts pinned to the task bar. Among them obviously there is also the Firefox fake shortcut.

BUT...THERE'S SOMETHING VERY UNUSUAL!!!!
In the task bar there are four items: Windows Explorer (the yellow folder) , the Windows Media Player, the real Firefox shortcut and the fake Firefox shortcut.
I already told you that.

BUT.....In the path
C:\Users\(User-Name)\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
There aren't 4 items...there are FIVE ITEMS. The fifth item is a 'Mozilla Firefox' shortcut always green-and-white! It's not pinned in the task bar! It doesn't show! How's that possible??!!

The two fake shortcuts are bigger than the real ones (over 2 kb!)!

This new fake Firefox shortcut is not called just "Firefox" ....it's called "Mozilla Firefox" and it has the SAME strange path ".....firefox.bat"
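
The checks made by hand in the posts above (shortcut target, size, "Run: Minimised", and the Desktop, All Programs and pinned-taskbar locations) can be done in one read-only pass. This is an added example, not written by any poster in this thread; the folder list and the extensions treated as suspicious are assumptions.

```powershell
# Added example: report shortcuts (.lnk) whose target is a batch script
# or no longer exists. Read-only: nothing is deleted or modified.

# Assumption: the locations mentioned in the thread (Desktop, All Programs,
# pinned taskbar items), for the current user and for all users.
$folders = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { Test-Path -LiteralPath $_ }

# Assumption: a browser shortcut should point at an .exe, never at these.
$scriptExt = '.bat', '.cmd'

$shell = New-Object -ComObject WScript.Shell

$report = foreach ($lnk in Get-ChildItem -Path $folders -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue) {
    $sc     = $shell.CreateShortcut($lnk.FullName)   # opens the existing .lnk for reading
    $target = $sc.TargetPath                         # empty for some special shortcuts

    $reasons = @()
    if ($target) {
        $ext = [IO.Path]::GetExtension($target).ToLower()
        if ($scriptExt -contains $ext)             { $reasons += "target is $ext" }
        if (-not (Test-Path -LiteralPath $target)) { $reasons += 'target missing' }
    }
    # WindowStyle 7 = minimised; only worth noting on an already flagged shortcut
    if ($reasons -and $sc.WindowStyle -eq 7) { $reasons += 'runs minimised' }

    if ($reasons) {
        New-Object PSObject -Property @{
            Shortcut  = $lnk.FullName
            SizeBytes = $lnk.Length
            Target    = $target
            Arguments = $sc.Arguments
            StartIn   = $sc.WorkingDirectory
            Reasons   = $reasons -join '; '
        }
    }
}

$report | Select-Object Shortcut, SizeBytes, Target, Arguments, StartIn, Reasons | Format-List
```

The `-Force` switch includes hidden shortcuts, such as a fifth item in the pinned folder that does not show on the task bar.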

I tried to delete the shortcuts

In reply to: Re: Answer

I can delete the shortcuts on the desktop and i can't open the other tabs in the properties windows because it tells me that the path is not valid. Actually it's correct since the bat file does not exist in the target location.

BUT...
I tried also to remove the two fake Firefox shortcuts in the Pinned Items folder and I can remove them but....the Firefox icon on the task bar is still there... it's become just a white rectangle.

I also tried to open the file location of the fake Firefox shortcut and it tells me
The item 'firefox.bat' that this shortcut refers to has been changed or moved so this shortcut will no longer work properly. Do you want to delete it?

I click 'Yes' and it tells me
THE ACTION CAN'T BE COMPLETED BECAUSE THE FILE IS OPEN IN ANOTHER PROGRAM. CLOSE THE PROGRAM AND TRY AGAIN.

- - - - - - -
I can't open the file location. The file is not valid but I can't delete it because it's open in another program. WHAT PROGRAM??!!

I re scanned the PC with all the tools and this time no threat was detected!
So???

rkill report

In reply to: Re: .bat files

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/07/2016 06:57:52 PM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
* HKCU\SOFTWARE\Classes\.exe "@" exists and is set to !
* HKCU\SOFTWARE\Classes\.exe has been deleted!

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* COM+ Event System (EventSystem) is not Running.
Startup Type set to: Automatic

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic (Delayed Start)

* Windows Update (wuauserv) is not Running.
Startup Type set to: Disabled

* TBS [Missing Service]

Searching for Missing Digital Signatures:

* C:\Windows\System32\user32.dll : 1,008,640 : 01/09/2016 00:26 AM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]

Checking HOSTS File:

* No issues found.

Program finished at: 09/07/2016 07:09:40 PM
Execution time: 0 hours(s), 11 minute(s), and 47 seconds(s)

All Answers

Answer
Some reading

In reply to: How do I get rid of this threat on my computer

Answer
Need to do a few things.

In reply to: How do I get rid of this threat on my computer

1. Since you are good at finding the batch file and bad shortcuts. Why not delete them?

2. I take it you are completing all the scans Grif noted.

3. Go ahead and give me a Speccy. Here's how.
https://www.piriform.com/docs/speccy/using-speccy/publishing-a-speccy-profile-to-the-web

4. Consider using a slower support but great at step by step inspection and removal of pests.
Here we pretty much have Grif's fine list. You might want to sign up at Bleepingcomputer, read what they want in your first post, then wait.

Answer
Well typically if a virus software

In reply to: How do I get rid of this threat on my computer

sees threat it blocks it or moves it to quarantine. I would look at your Avast log or quarantine and see if it references the attack.

Avast and Malwarebytes

In reply to: Well typically if a virus software

I don't know whether or not you read the previous posts.....I already did the scans (also with Avast) and some threats were already detected and removed.
Anyway Avast didn't ever detect anything about this 'threat'

Answer
Also I would download

In reply to: How do I get rid of this threat on my computer

and run Anti Malwarebytes.
