I recently received a .zip file via facebook message from a friend along with the text “lol”. I (incredibly stupidly) unzipped it and nothing happened.
A few days later I noticed my computer had seriously slowed down, especially when streaming videos.
I performed an Avast quickscan which identified the portrt230.zip file as a trojan and I deleted it.
The next day I realised my computer was still slow so I performed a boot scan and found four more copies of the file. I deleted them all but my computer still hasn’t improved.
Does anyone have any idea what I should do? I really don’t want to wipe my computer and re-install everything. I have a major deadline coming up.

Hi there and welcome to the forum,

follow this guide and attach the logs from OTL, Malwarebytes and aswMBR (Not Win 8 and newer):

http://forum.avast.com/index.php?topic=53253.0

When done a malware expert will help you to get rid of this.

Monitoring…

First MBAM’s logreport and OTL will be enough for start.
This new variant is known and it uses a basic loading point (hklm\ … \run) keys. MBAM should target this, if not, we will tell OTL to kill it.

I recently received a .zip file via facebook message from a friend along with the text "lol". I (incredibly stupidly) unzipped it and nothing happened.

www.virustotal.com / www.metascan-online.com / www.jotti.org if you get a message that say the file has been scanned before, click new scan button for latest result

you got the latest facebook fun…

Malware Analysis of Malicious Facebook Message
http://wiki.secarmour.com/2014/05/malware-analysis-of-malicious-facebook.html

Hi guys,
Sorry I was AFK for the last three days, it was unexpected and unavoidable. Thank you so much for all the feed-back.
I have downloaded all three programmes and run them. My computer seems to be running much faster already but I have attached the log files just in case.
Thanks again.

Hi lazyninja,

This mashine is still infected. We better deploy ComboFix.

1. Please download ComboFix by sUBs (
   http://www.mcshield.net/personal/magna86/Images/IconComboFix.png
   ) from here and save it to your Desktop.
   [i]If you are unsure how ComboFix works, read this guide.

2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
   If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

3. Run ComboFix. Then, on disclaimer window, click I Agree! button.

[i][size=7pt]- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

• ComboFix will scan your computer in stages, total of 50 stages.
  Do not mouse-click around while ComboFix is running.
• If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
  Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
  [/i]

4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
   => Attach log report (ComboFix.txt) back to topic.

ComboFix shall also create addition log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Thanks for the update Magna86. I ran ComboFix. The log files are attached.

No it is not…

Ahhh… You are correct sir.
Now they are attached.

Open notepad and copy/paste the text present inside the code box below:

KillAll::
ClearJavaCache::

DirLook::
c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"=-

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Ok, here is the new log.

Download and run this CFScript by drag and drop into ComboFix icon. When tool finish his work, post here fresh created ComboFix.txt log.

Then re-run OTL, just hit QuickScan button and post me the OTL.txt as well.

Ok, I did as instructed. Here are the new logs.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:FILES
C:\Users\Dónal\AppData\Roaming\Mozilla\Firefox\Profiles\un5u8qe8.default\extensions\4sharedCopyLinks.xpi
C:\Windows\SysNative\*.tmp
:OTL
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKCU..\Run: [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] 1 File not found
@Alternate Data Stream - 4 bytes -> C:\temp:pid2
@Alternate Data Stream - 4 bytes -> C:\temp:pid1
@Alternate Data Stream - 23 bytes -> C:\temp:srv
:Commands
[Reboot]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:_OTL\MovedFiles\mmddyyyy_hhmmss.log

Then post me the fresh OTL scan (QuickScan button will do)

Here are the logs from the fix and the quick scan. Two files named desktop.ini appeared on my desktop after the fix.

That’s OK, ignore desktop’s files. Tell me how is the computer behavior now?

It’s great. It has been much better ever since I did the initial scans. I thought it was fixed but you said it was still infected. It seems to be running smoothly.
It was very clear that it was infected before that. It kept freezing.
Do you think it’s clean now?

Yes, you are malware free. It is time to remove used tools.

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

OK, thanks a million for all your help. I really appreciate it.