Need help with "Antivirus soft trojan".

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by KevinR225, Mar 2, 2010.

  1. KevinR225

    KevinR225 Private E-2

    Did a search and found several posts on this, and all started with the same recommendations, so I went ahead and ran the various programs and am attaching the logs from them. Couldn't get RootRepeal to run. It just sticks at initializing. In addition to the others, I ran NAV, which was the last to show anything. Since then, I have rerun all of them with 0 coming back.
    Hope this means I got rid of the problem, but will have to wait and see after you look.

    By the way, to get in and start attacking this thing, I found if I opened task manager right after windows opened, and before it could load all the normal background apps, I could get in. Found an app under main user name ending in AV and shut it down. Didn't get rid of it, but at least I could run stuff without being blocked or shut out.

    By the way, what am I supposed to include from MGtools? It seems to have much of what is already here.

    Thanks for the help.

    Kevin R
     
    Last edited by a moderator: Mar 3, 2010
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have removed your inline logs.

    Please read this:
    How to attach items to your post.

    Now re-attach your logs and include these:
    SAS
    MBAM
    RootRepeal
    ComboFix
    C:\MGLogs.zip

    If you can produce them all.
     
  3. KevinR225

    KevinR225 Private E-2

    Here are the files.
    I can't seem to get RootRepeal to run. It keeps sticking at "initializing".
    Also, the MGTools was run from the desktop. I didn't see the part about running it from the C:\ until after running all of these.

    Kevin R
     

  4. KevinR225

    KevinR225 Private E-2

    Also ran NAV after running the requested programs, and re-ran Malwarebytes again, full instead of quick.
    They each showed something. Couldn't load the logs to this post, but will send them as well if you want.
    I guess I need to start a different thread for that?

    Thanks,


    Kevin R
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please keep all replies for this system in this thread. Yes, I would like to see those logs from a full scan.

    Please also rename ComboFix:
    c:\documents and settings\Kevin\Desktop\CFix.exe --> c:\documents and settings\Kevin\Desktop\ComboFix.exe

    Do you know what these are:
    c:\documents and settings\Kevin\Local Settings\Application Data\ufnxld
    c:\documents and settings\Kevin\Application Data\.oit
    c:\documents and settings\Kevin\Application Data\systemfl.$dk

    If not, delete them.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    XHJEXRLO
    
    File::
    c:\windows\system32\xhjexrlo.mvz
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\XHJEXRLO]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
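As an added example (not from the thread and not ComboFix's own code), here is a small Python parser for the CFScript format TimW posted above, plus a check a defender can run after cleanup to confirm the listed file and service key are really gone. The section syntax and the `[-KEY]` deletion marker are assumed from the script shown; the registry check is injected as a function so the script also runs off Windows.

```python
"""Parse a ComboFix-style CFScript and report which of its targets still exist."""
import os
import re

# Constructed copy of the script posted in the thread (assumption: a CFScript is
# a series of 'HEADER::' lines, each followed by one target per line).
CFSCRIPT = """KILLALL::

Driver::
XHJEXRLO

File::
c:\\windows\\system32\\xhjexrlo.mvz

Registry::
[-HKEY_LOCAL_MACHINE\\System\\ControlSet004\\Services\\XHJEXRLO]
"""

SECTION = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return a plan: {'killall': bool, 'drivers': [...], 'files': [...], 'registry_delete': [...]}."""
    plan = {"killall": False, "drivers": [], "files": [], "registry_delete": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).upper()
            if section == "KILLALL":          # flag-only section, no entries
                plan["killall"] = True
            continue
        if section == "DRIVER":
            plan["drivers"].append(line)
        elif section == "FILE":
            plan["files"].append(line)
        elif section == "REGISTRY" and line.startswith("[-") and line.endswith("]"):
            plan["registry_delete"].append(line[2:-1])  # '[-KEY]' means delete KEY
    return plan


def leftovers(plan, file_exists=os.path.exists, key_exists=lambda key: False):
    """List targets still present after cleanup. On Windows pass a winreg-based
    key_exists; the default reports no keys so the check is portable."""
    present = [p for p in plan["files"] if file_exists(p)]
    present += [k for k in plan["registry_delete"] if key_exists(k)]
    return present


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    print("still present:", leftovers(plan) or "nothing")
```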
     
  6. KevinR225

    KevinR225 Private E-2

    Attached are the requested files.

    Didn't recognise any of the files mentioned so deleted them as requested.

    NAV and MBAM were the last 2 scans to report anything.
    I have since run SuperAntispyware, NAV, MBAM, Spybot S&D full scan
    with each showing 0.

    Ran the cfscript on combofix as requested. It ran through shutdown, but then sat on the screen saying "windows is shutting down" for almost 15 minutes. Hit the soft reboot on the tower and it restarted and seemed to run through fine. A splash screen popped up for "Outside In" during it, was that part of it? Have not seen that before.

    What is the file noted in the script, and can you tell me what type of harm the things that showed up would do? i.e. are they just a pain, or are they trying to grab personal info etc?

    I hope I didn't make things worse, but while waiting for your reply, after getting 6 nothing found notices from 5 different programs, I logged on and changed some of my banking and email passwords. Now with the stuff you had me do, I hope there wasn't something else, and my changing passwords etc actually gave them to someone.

    As far as how it's running, it's hard to tell if there's any difference.
    Now if you are comparing to before the first post, when "antispyware soft trojan" was blocking me from everything, and loading stuff left and right, then it seems back to normal.

    Again, thanks for all the help, it's really appreciated.
     

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. I do not know the nature of the malware, as to what all it was meant to do, but it is always a good idea to use a different computer to change your passwords!! Fortunately, you are clean so it would not matter at this point. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  8. KevinR225

    KevinR225 Private E-2

    Thanks, will do that.
    Any idea what the "xhjexrlo.mvz" was noted in the text file you had me run through ComboFix?

    Kevin R
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a clue. :)
     
