Completed Read and Run, still having problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by helmcrush, Mar 21, 2008.

  1. helmcrush

    helmcrush Private E-2

    Early this morning my girlfriend decided to download and run some random popup file which ended up being Viewpoint and a ton of trojans. Several popups warn me that my system has been compromised by a trojan filename wml.exe. AVG finds files named TMP0.exe through TMP3.exe that it lists as trojan horse dropper.agent.hhk and another named utwxgjgj.exe is trojan horse SHeur.AZZX. I've done all the readme instructions and the popups have slowed(think only once since mgtools) but I ran AVG Test again to be sure, and they're still there.

    Not sure if combofix completed properly. When I tried to run it, it said I could not rename it cf, so I renamed it pd.exe and changed the cf to pd as well in the run box. Seemed like everything came out ok, but my clock is still in the 24 hour style. Any help would be appreciated, I'm in way over my head here.

    Oh yeah, I run Win 2k pro.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. helmcrush

    helmcrush Private E-2

    I haven't noticed anything out of the ordinary since following your instructions. I kept my machine powered off and physically disconnected the internet cable all night though, so I really have only had it running for 15 minutes or so. Thank you very much for the help.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just a few things to fix:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  5. helmcrush

    helmcrush Private E-2

    Encountered a few pop-ups after my last post. One is a "System Integrity Scan Wizard" which I've X'd away every time. Other options are to click Next or Cancel. The other warning telling me about wml.exe came up once. And a yellow warning sign with an exclamation point popped up in the system tray, bottom right, telling me I was in danger as well. Thanks again for the help.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well, unless they are buried in your jpeg files...I'm not seeing it. Let's do this:

    Go to Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt), change the File name box to bdscan, and then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  7. helmcrush

    helmcrush Private E-2

    Have not shown any signs of infection since my last post. Haven't followed the instructions in your most recent post yet. I ran a test in AVG(after getting most recent updates again just to be sure) and the tmp0.exe-tmp3.exe files no longer appear in the test. The only thing that comes up is:

    C:\WINNT\system32\drivers\etc\hosts

    That is the object, and it says Changed under result and status. Not sure what that is, or if I need to worry. Let me know if that's a problem, and if I should go ahead and complete the instructions in your last post as well. Once again, the help is much much appreciated.
     
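    An added example (not from the thread or from MajorGeeks) showing the kind of check a practitioner would run when an AV scanner reports the hosts file as "Changed": parse the file, set aside the stock 127.0.0.1 localhost entry, and classify every other line. Malware droppers of this era commonly mapped antivirus and update domains to 127.0.0.1 or 0.0.0.0 so the AV could not update, or pointed real site names at an attacker's address. The Windows 2000 path is the one named in the thread; the sample hosts text and the list of "sensitive" vendor labels are constructed for illustration and are assumptions, not anything the thread shows.

```python
"""Audit a Windows hosts file for entries malware commonly plants.

Added example, not code from the thread. The path below is the one the
thread names for Windows 2000; SAMPLE_HOSTS and SENSITIVE_LABELS are
constructed / assumed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Path named in the thread (Windows 2000 keeps it under WINNT).
WIN2K_HOSTS_PATH = r"C:\WINNT\system32\drivers\etc\hosts"

# The only mapping a stock hosts file carries; everything else is a change.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Assumed labels of security / update vendors a dropper would want blocked.
SENSITIVE_LABELS = ("avg", "grisoft", "bitdefender", "majorgeeks",
                    "microsoft", "windowsupdate", "symantec", "mcafee",
                    "kaspersky")

Entry = Tuple[str, str, int]  # (ip, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, hostname, line_no) triples, skipping comments and blanks.

    A line may list several hostnames after one address; each becomes its
    own entry. Lines whose first token is not an IP address are ignored,
    which is also how the Windows resolver treats them.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def _is_sensitive(host: str) -> bool:
    """True if any label of the hostname is a known security-vendor label."""
    labels = host.split(".")
    return any(label in labels for label in SENSITIVE_LABELS)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify every non-default entry.

    sinkholed_security: vendor/update site sent to loopback or 0.0.0.0,
                        the classic "stop the AV from updating" trick.
    redirected:         a hostname mapped to some routable address; either
                        pharming (real name, attacker IP) or a local override.
    blackholed_other:   anything else sent to loopback/0.0.0.0 (ad blocking
                        lists look like this and are usually benign).
    """
    findings: Dict[str, List[Entry]] = {
        "sinkholed_security": [], "redirected": [], "blackholed_other": []}
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        blackholed = addr.is_loopback or addr.is_unspecified
        if blackholed and _is_sensitive(host):
            findings["sinkholed_security"].append((ip, host, line_no))
        elif blackholed:
            findings["blackholed_other"].append((ip, host, line_no))
        else:
            findings["redirected"].append((ip, host, line_no))
    return findings


def audit_hosts_file(path: str = WIN2K_HOSTS_PATH) -> Dict[str, List[Entry]]:
    """Read a hosts file from disk and audit it (for use on a live machine)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample resembling a hijacked Windows 2000 hosts file.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
# the lines below imitate what a dropper appends
127.0.0.1       free.avg.com   # AV update site sent nowhere
0.0.0.0         www.bitdefender.com
10.20.30.40     www.majorgeeks.com   # real name, wrong address
127.0.0.1       ads.example.net
"""

if __name__ == "__main__":
    for category, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(category)
        for ip, host, line_no in entries:
            print(f"  line {line_no}: {ip} -> {host}")
```

    The useful signal is the `sinkholed_security` bucket: an AV product reporting its own hosts file as "Changed" and a vendor domain mapped to loopback in the same file is a strong hint that the infection tampered with updates, and the fix is simply to delete those lines (or restore the file to the single localhost entry).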
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's not a problem.....but running the Bit scan would be insurance that it is all clean.
     
  9. helmcrush

    helmcrush Private E-2

    BitDefender says no problems found, but I've included the log just in case.
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good then....If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2. Uninstall ComboFix as follows:
    * Click START then RUN
    * Now type combofix /u in the run box and click OK.
    * Note: the space between the X and the /U must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
  11. helmcrush

    helmcrush Private E-2

    Says it "cannot find the file 'combofix....". I installed it on my desktop, but had to rename it something random(pd.exe) instead of cf.exe as instructed because it said I couldn't rename it cf.exe. Also never changed my clock back from the 24 hour setup after it completed. I don't know if that has anything to do with it.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, I recall that you did rename it to pf.exe....just delete it off the desktop. Your ShowNewFiles log will show you where it is.

    As to your clock...Go to your Control Panel / Regional Settings / Customize / Time and change the time settings back to hh:mm:ss.
     
