
Zefarch Trojan on PC running Internet Security 2011

Hi, I was wondering if anyone could help me. I am running a Samsung Netbook which became infected with Zefarch. The first symptom was Norton informing of numerous attempts to attack my system. I also found I was redirected to sites I did not select when I did Google searches. I did a full system scan which detected Zefarch and said it had dealt with it. When I then rebooted I got the error message 'Error Loading edaqiqamalanunev.dll file. The specified module could not be found.'

I then occasionally would get the message 'Generic host process for WIN32 services has encountered a problem' and I would lose my Internet Connection. I also noticed that even when I did have an Internet Connection I was unable to access Windows update as it said it was unable to connect. I then tried to download Windows Defender but I could not download updates for it. I tried to do a Windows System Restore but was unable to. Then I read that the virus attacks Windows Systems Restore so I switched Systems Restore off which deleted the Restore Points.

I then used Norton Power Eraser which said it found a few files during the Local Search but when the Network search was done it then said 'No Known Threat'. I did however decide to delete the ones the Local Search identified, but this made no difference.

I then downloaded Malwarebytes which found 3 infected files including one Rootkit and it then deleted these. However, I was still unable to access Windows update and my computer was still being attacked every 30 seconds or so.

As my Netbook is only used for surfing and holds no personal data, I thought I would wipe it and reinstall the OS, but the Samsung is not shipped with the OS. Samsung told me I could however use their System Restore to wipe the C drive completely and revert back to the factory presets. So I did that and that seemed to work as I lost all the software I had downloaded since I got the Netbook. When I booted up the error message 'Error Loading edaqiqamalanunev.dll file' did not happen and I was hopeful it had been fixed. However, now I still cannot run Windows Update, my netbook is still being constantly attacked and I am sometimes redirected to the wrong websites when I do Google searches.

I ran Norton Full scan in Safe mode but it found nothing wrong.

The Norton consultant I spoke to asked me to create a Bootable disk which I did and ran and which found no problems. The Consultant also asked me to do another ordinary Full Scan which I did and again no problems. At this point she told me there was nothing else to try but I could pay $99.99 to have someone wirelessly connect to my Netbook and fix the problem. Not having much confidence at all in Norton at this point, I decided not to go down that route.

Can anyone help me get rid of the symptoms of Zefarch on my Netbook? Norton tells me everything is fine, but it is not. It is a shame Samsung don't ship the OS disk with the Netbook or I would wipe the C drive myself just to make sure it is done completely.

Any help would be really appreciated. I am also now very concerned about my main PC which does hold lots of personal information. Although it is fully backed up, I now have no faith that Norton will protect it.

Replies


Re: Zefarch Trojan on PC running Internet Security 2011

Try this: http://www.symantec.com/security_response/writeup.jsp?docid=2009-012801-2706-99&tabid=3

Make sure you read all instructions carefully. Also they have a removal tool you can download to assist in removing the malware. 


Re: Zefarch Trojan on PC running Internet Security 2011

Some rootkits survive formatting and remain a problem.  Please visit one of these free malware removal forums to get some assistance.  They are all very competent in dealing with these sorts of infections.  Bleeping has the most experience, but may have a longer wait time.

www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: Zefarch Trojan on PC running Internet Security 2011

I would also contact Samsung and explain your situation and see if they will ship you a CD/DVD to rebuild your hard drive from scratch. It would have to include both the OS partition and the partition probably hidden that supports the system restore feature.

You're probably going to have to then run a hard drive "wipe" bootable CD that will perform multiple passes on your hard drive writing random patterns. I know Samsung's HUTIL disk utility does have a wipe feature but I don't recall if it can be configured to perform multiple passes.

Once you have completed the hard drive wipe procedure, then you can safely reload the OS and restore partitions.

Unfortunately, you did not take a hard drive image backup of your entire hard drive that would have allowed you to totally reload the original or replacement hard drive for instances like this.


Re: Zefarch Trojan on PC running Internet Security 2011

Zefarch can be downloaded as part of Cycbot variants, which can download and install anything and everything under the sun from FakeAV's (Rogues), Rootkits, Trojans, Bootkits, Viruses, Worms, you name it.

Combo infections from one file to start with are enjoyable to play with, figuring which symptom as system change belongs to what.

Quads


Re: Zefarch Trojan on PC running Internet Security 2011

The Symantec writeup is two years old and outdated. 


Re: Zefarch Trojan on PC running Internet Security 2011

Thanks everyone for your quick replies. I spoke to Samsung who have said I can buy XP OS disk from a company recommended by them.

Thanks delphinium those websites look very useful. It seems amazing that some of these rootkits can survive formatting. I am about to take a full system image of my main desktop and store it externally hoping that would at least provide a stable point to return to. But from what you have said delphinium, if a rootkit can survive formatting, is there any way to ensure you get rid of it? Does this mean that even if I did have a fully clean hard drive image backup, that might not guarantee to solve the problem? I did read that Symantec writeup to remove the virus and have to admit the number of disclaimers at the start did make me worry about how useful the document would be.

Thanks for the link Donzheim, but I have already followed all the instructions in that link to no avail. You are right, I am kicking myself for not taking a hard drive image backup. I won't make that mistake again! Does wiping the drive using multiple passes as you suggested ensure the virus is removed?

Thanks Quads, the virus came onto the Netbook from a site my daughter visited, she thinks it was probably a song lyric website.

To be honest I am considering ditching the little Netbook. To buy a new OS disk does seem a bit of a waste of money since the Netbook was very cheap to begin with and we have been toying with the idea of buying a laptop with a bigger screen as my daughters find the screen on the Netbook is too small. So what I am considering doing is buying a new cheap Laptop with Windows 7 and taking a Hard Disk Image Backup to an external source before I use it. Then hopefully I should be OK in the future, providing I can find a way of re-formatting the drive to completely get rid of any viruses.

I am more concerned now about any future attacks to my desktop as my confidence in Norton has been completely shaken. Can I just ask someone to verify what I am planning for my Desktop is a good idea?

I currently run XP with everything on the C: drive.

I plan to buy Windows 7 full version OS disk.

I will then partition my disk to have personal info in one partition (D: say) (after backing up all my personal data first) and the system programs on the other in C:

I will then install Windows 7 choosing to re-format my C drive as I do so.

I will then do a Hard Drive Image Backup to an external source.

I will then install the other software I have. (thankfully I have Microsoft Office, Norton etc on disk)

I will then regularly do backups of my personal data and do regular System images. Hopefully then if anything goes wrong, I can just restore previous system image to get rid of any viruses.

Does that sound like a good plan? My only worry about this is how I clean my C: drive (and the D: partition) if I do get a virus on it if re-formatting doesn't guarantee that.

Thanks for your advice. Much appreciated.


Re: Zefarch Trojan on PC running Internet Security 2011

Hence, the term polymorphic virus. By the time a signature based AV finds it, it's too late to save your PC since the "bad guy" has let in all his nasty friends and the patient (PC) is terminally ill.


Re: Zefarch Trojan on PC running Internet Security 2011

The Symantec writeup is two years old and outdated. 

Probably because Symantec AV's are totally ineffective against this virus from what I have read. Disgusting .................


Re: Zefarch Trojan on PC running Internet Security 2011

Does wiping the drive using multiple passes as you suggested ensure the virus is removed?

You want a "wipe" disk utility that offers the DoD (Dept. of Defense) wipe algorithm. If you can find an old Norton Ghost disk, like prior to ver. 9.0, it has a utility called GDISK that offers the DoD wipe option.

Note: Running a multiple pass disk wipe could take days even on a smaller hard drive like that present in a NetBook.

More info on GDISK here. I would recommend the 7 passes option: http://www.techrepublic.com/forum/discussions/102-244679-2362842


Re: Zefarch Trojan on PC running Internet Security 2011

FYI - I have tried to use Darik's Boot & Nuke multiple times from a bootable CD and never could get it to run right.

Also I didn't mention it previously but the old DOS based Ghost installation CD is bootable and that is how you run GDISK from it.


Re: Zefarch Trojan on PC running Internet Security 2011

rolopolo:

The forums that I gave you links for do a lot of these kinds of removals. Polymorphics can also be removed from your machine by competent virologists. Quads has played with several. It is considerably cheaper and certainly safer for your data than banging away at it on your own with unfamiliar products.


Re: Zefarch Trojan on PC running Internet Security 2011

PC virologist was a name as a bit of a laugh after a person back here in NZ gave that, I don't know if that is an actual name given to some one who specialises in Malware removal and playing with new malware to understand it.

Maybe ask SSR team if they call themselves PC Virologists hahahaha.

Quads


Re: Zefarch Trojan on PC running Internet Security 2011

Okay, let's go back to Quadinator.
