Persistent Trojans, Run & Read didn't help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dougstar, Aug 10, 2008.

  1. Dougstar

    Dougstar Private E-2

    Picked up various trojans Friday morning while reading news online (nothing out of ordinary.)
    McAfee started blocking trojans.
    Annoying voice said something about winning free computer.
    Locked down firewall in McAfee.
    Emptied quarantine folder in McAfee.
    Performed Ad-Aware scan.
    Emptied temp internet files.
    Ran all of Major Geeks programs in the Run & Read to the letter.
    I did unlock the firewall to get all the updates for the various programs.
    Thought this was strange: IE icon with the word "woo" appeared on desktop after running Combofix. I deleted it but it didn't show up in the recycle bin.
    After running MGtools, I unlocked the firewall.
    McAfee started warning about registry changes; "C:\WINDOWS\SYSTEM32\atsxyzd.sys" was the file trying to make the changes. I blocked the registry change with McAfee 16 times and meanwhile locked down the firewall.
    It seemed to stop on its own.
    I unlocked the firewall and opened Outlook.
    Received mail and while reading, more obnoxious voices (different than before) started going. I had speakers turned down pretty low so I only caught the last sound but didn't catch the words.
    All the processes that the scans fixed have returned in task manager.
    Seems like it was a waste of several days.
    I'm attaching all the log files.
    Please help, if possible.
     
  2. Dougstar

    Dougstar Private E-2

    This is the MGtools log.
     
  3. Dougstar

    Dougstar Private E-2

    Also, these are some of the files I'm now fairly certain are part of the issue:

    Routing.exe
    New2.exe
    MACIDWE.exe
    afinder.exe
    wserving.exe
    maomaochong.exe
    TDXDOWKC.EXE

    They have appeared, been caught, quarantined, deleted and reappeared regularly throughout my clean-up attempts.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Most of it appears to be gone...but let's make sure.

    If you haven't already, please disable the Guest account in User accounts.

    Please download and install:
    Java Runtime 6

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Drivers::
    nobicyt
    AFINDING
    MACIDWE
    PERFS
    ROUTING
    SEICTRL
    TDXDOWKC
    WSERVING
    sobicyt
    
    File::
    C:\WINDOWS\SYSTEM\blank.htm
    C:\WINDOWS\system32\sobicyt.exe
    C:\WINDOWS\system32\nobicyt.exe
    C:\WINDOWS\system32\AFINDING.exe
    C:\WINDOWS\system32\MACIDWE.exe
    C:\WINDOWS\system32\PERFS.exe
    C:\WINDOWS\system32\ROUTING.exe
    C:\WINDOWS\system32\SEICTRL.exe
    C:\WINDOWS\system32\TDXDOWKC.exe
    C:\WINDOWS\system32\WSERVING.exe
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.
     
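    As an added example (not part of this post and not a MajorGeeks or ComboFix tool), here is a small Python parser for the CFScript format used above: it splits the script into its KILLALL::/Drivers::/File:: sections and cross-checks that every driver name has a matching file entry and vice versa, so a helper can spot a half-written script before it is run. The embedded sample is the script from this post; the matching rule (driver name equals file stem, compared case-insensitively) is this example's own assumption.

```python
from pathlib import PureWindowsPath

# Constructed sample: the CFScript text from TimW's post above, verbatim.
SAMPLE_SCRIPT = r"""KILLALL::

Drivers::
nobicyt
AFINDING
MACIDWE
PERFS
ROUTING
SEICTRL
TDXDOWKC
WSERVING
sobicyt

File::
C:\WINDOWS\SYSTEM\blank.htm
C:\WINDOWS\system32\sobicyt.exe
C:\WINDOWS\system32\nobicyt.exe
C:\WINDOWS\system32\AFINDING.exe
C:\WINDOWS\system32\MACIDWE.exe
C:\WINDOWS\system32\PERFS.exe
C:\WINDOWS\system32\ROUTING.exe
C:\WINDOWS\system32\SEICTRL.exe
C:\WINDOWS\system32\TDXDOWKC.exe
C:\WINDOWS\system32\WSERVING.exe
"""

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a header is a line ending in '::'.
    KILLALL:: is a bare directive and is kept with an empty entry list."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def cross_check(sections):
    """(drivers lacking a File:: entry, files lacking a Drivers:: entry); assumption: driver name == file stem."""
    drivers = {d.lower() for d in sections.get("Drivers", [])}
    stems = {PureWindowsPath(f).stem.lower(): f for f in sections.get("File", [])}
    return (sorted(d for d in drivers if d not in stems),
            sorted(f for s, f in stems.items() if s not in drivers))
```

    On the sample, every driver has a file entry and the only unmatched file is blank.htm, which is expected since it is not a service.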
  5. Dougstar

    Dougstar Private E-2

    Thank you, Tim.

    I followed your instructions to the letter.

    One observation during the process:

    An IE shaped icon appeared on my desktop with the name, "woo". Is this okay?

    Otherwise, nothing glitchy happened during the scans.

    I've attached the two logs.

    Thanks again for the help.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a clue as to that icon...right click / properties and tell me what you find.

    Also:

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.
     
  7. Dougstar

    Dougstar Private E-2

    Tim,

    Thanks again for the attention.

    When I right-click on the "woo" icon and get properties, it actually opens up IE properties on what appear to be my actual IE settings. In the start/all programs menu, I have Internet Explorer and Internet Explorer (2). Like I mentioned before, this appeared after the Combofix scan. Any guesses?

    I ran the ATF-Cleaner as directed.

    Right now the system is connected (wireless) but I have the McAfee firewall locked down. There doesn't seem to be anything out of sorts running in the task manager.

    I haven't dared to run IE yet. What do you think?

    Thanks again for the support.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go ahead and run IE....not IE(2) ...if IE runs, then delete the IE(2) --> woo.

    Tell me if you have problems before we do the final cleanup.
     
  9. Dougstar

    Dougstar Private E-2

    Tim,

    Your help is greatly appreciated.

    IE is running. Major Geeks, Google, etc.
    No voices and no McAfee reactions.
    Outlook open and receiving mail without incident.

    I deleted the IE "woo" icon and Internet (2). No reaction.

    So far, so good.

    Does this mean we're ready for "final clean-up"?

    Thanks again for this continued support.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I missed a file that we need to remove:

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    We will do the final cleanup next post. :)
     
    Last edited: Aug 12, 2008
