Please help..Virus Trying to Send Spam and PopUps

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by msniecey, Feb 9, 2008.

  1. msniecey

    msniecey Private E-2

    I downloaded a game on 2/6 on my laptop. I scanned the attachment that was downloaded before installing it and it came out clean but I guess that didn't catch everything.

    Almost immediately after installing the game my Symantec firewall started going off saying that the email ??? couldn't be sent. The virus was trying to send 6 emails. I also noticed some ads popping up anytime I open Internet Explorer.

    Prior to finding this thread I ran my anti-virus (Symantec) and it found a trojan adclicker virus. I also ran Spybot which I already had installed. I deleted everything that was found. After doing this yesterday and trying to connect to the internet I did not see the system trying to send email on each attempt, but when going to a website a blank Internet Explorer browser would open up and my system would totally lock up. I could see my desktop background but I could not see the toolbar, start menu, or desktop icons. I can Ctrl + Alt + Del and end all open tasks but my system remained locked up. I had to shut down by holding down the power button. This happened several times.

    Today, I followed all of the directions in the Read Me First posting. Upon completing that, I rebooted my pc, reenabled my internet connection and tried to connect to a website. My Symantec Firewall went off again and the virus is still trying to send 6 emails. My Symantec logs show dozens of smtp, 1041, 1100, 1139, etc type connections.

    I have attached all of the required files from the read me first instructions. AVG did not find anything. Any assistance you can provide would be greatly appreciated.
     


  2. msniecey

    msniecey Private E-2

    Just a little update. I discovered that my firewall was temporarily blocking my router for 30 minute periods. That's why it appeared that the virus was only sending a few emails. I unblocked it to see what would happen and the virus flooded my system with attempts to send spam mail. I was able to successfully browse to a website through the email spam. Again, any assistance you can provide will be greatly appreciated.
     
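The symptom described in the two posts above (dozens of outbound SMTP connection attempts from one machine to many different mail servers in a short time) is the classic footprint of a spam bot, and it can be spotted in a desktop firewall log without knowing anything about the malware itself. The following Python script is an added example, not part of this thread and not Symantec's own tooling: the log format, the field layout and the sample lines are all constructed here (the destination addresses are from reserved documentation ranges), so the regex would need to be adapted to whatever export format a real firewall produces. It parses the lines, keeps only outbound connections to port 25, and raises one alert per source host when a sliding one-minute window holds at least five SMTP attempts to at least three distinct destinations.

```python
"""Flag outbound SMTP bursts in a personal-firewall log (added example).

The log line layout below is an assumption made for this example; adapt
LINE_RE to the real export format of the firewall in use.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: timestamp, action, direction, src:port -> dst:port, protocol.
# Destination addresses use RFC 5737 documentation ranges (constructed, not real relays).
SAMPLE_LOG = """\
2008-02-09 10:01:02 BLOCK OUT 192.168.1.5:1041 -> 192.0.2.10:25 TCP
2008-02-09 10:01:03 BLOCK OUT 192.168.1.5:1100 -> 198.51.100.7:25 TCP
2008-02-09 10:01:03 ALLOW OUT 192.168.1.5:1102 -> 203.0.113.80:80 TCP
2008-02-09 10:01:05 BLOCK OUT 192.168.1.5:1139 -> 203.0.113.25:25 TCP
2008-02-09 10:01:06 BLOCK OUT 192.168.1.5:1140 -> 192.0.2.10:25 TCP
2008-02-09 10:01:09 BLOCK OUT 192.168.1.5:1141 -> 198.51.100.99:25 TCP
2008-02-09 10:01:11 BLOCK OUT 192.168.1.5:1142 -> 192.0.2.200:25 TCP
2008-02-09 10:45:00 ALLOW OUT 192.168.1.5:1300 -> 10.0.0.2:25 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": m["action"],
            "dir": m["dir"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def find_smtp_bursts(events, window=timedelta(seconds=60), min_conns=5, min_dsts=3):
    """Return one (src, window_start, connections, distinct_dsts) tuple per source
    host whose outbound port-25 attempts exceed the thresholds inside any window.

    Both ALLOW and BLOCK entries count: a blocked attempt is still evidence that
    something on the host is trying to talk to mail servers directly.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["dir"] == "OUT" and e["dport"] == 25:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            dsts = {e["dst"] for e in win}
            if len(win) >= min_conns and len(dsts) >= min_dsts:
                alerts.append((src, evs[start]["ts"], len(win), len(dsts)))
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, first, count, dsts in find_smtp_bursts(parse_log(SAMPLE_LOG)):
        print(f"{src}: {count} SMTP attempts to {dsts} hosts starting {first}")
```

The single ALLOW entry at 10:45 to one internal host is left alone: a lone connection to a mail server is normal client behaviour, and the detection hinges on volume plus spread of destinations, which is what distinguishes a bot delivering spam directly from a mail client talking to its one configured relay.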
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    What game and did you uninstall it? If not then uninstall it now.

    Was it any of the below recent items?
    Code:
    2008-02-06 21:49 <DIR> d-------- C:\Program Files\Zuma Deluxe
    2008-02-05 23:21 <DIR> d-------- C:\Program Files\ReflexiveArcade
    2008-02-05 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
    What is the below folder for that recently showed up?
    Code:
    2008-02-08 22:00 --------- d-----w C:\Program Files\WST

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: &Search - ?p=ZUxdm486YYUS

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    File::
    C:\WINDOWS\system32\apiuser32.dll
    C:\WINDOWS\system32\Copy of winiap32.dll
    C:\WINDOWS\system32\jnhjkfrn
    C:\WINDOWS\popcinfo.dat
    DirLook::
    C:\Program Files\WST
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    Note you should also update to the current version of FireFox. You are using Mozilla Firefox (2.0.0.6) which is six versions out of date. You can get the new version here: Mozilla Firefox
     
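The reply above works the way a helper on this board triages a log: take the list of recently created files and folders, pull out the entries whose timestamps cluster around the date the user says the trouble started, and ask about anything not explained by a known program. The following Python script is an added example and not part of the thread or of any MajorGeeks tool; it parses the two listing line shapes quoted above (`<DIR> d--------` and `--------- d-----w`), filters entries to a window around an incident date, and drops paths the user has already vouched for. The sample listing is constructed from the lines quoted in the reply plus one older entry, and the `known_good` set is an assumption standing in for whatever the user confirms.

```python
"""Triage a ComboFix-style "recently created" listing around an incident date
(added example; the listing lines are constructed from the thread)."""
from datetime import datetime, timedelta
import re

# Constructed sample: four lines quoted in the reply plus one older, unrelated entry.
SAMPLE_LISTING = r"""
2008-02-06 21:49 <DIR> d-------- C:\Program Files\Zuma Deluxe
2008-02-05 23:21 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-02-05 22:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-02-08 22:00 --------- d-----w C:\Program Files\WST
2008-01-10 09:00 <DIR> d-------- C:\Program Files\QuickTime
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_listing_line(line):
    """Parse 'YYYY-MM-DD HH:MM <attrs...> <path>' into a dict, or None if malformed.

    Attribute tokens vary between listing formats, so the path is taken to start
    at the first token that looks like a drive-rooted Windows path; everything
    after it is re-joined so paths containing spaces survive.
    """
    parts = line.strip().split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M")
    except ValueError:
        return None
    for i in range(2, len(parts)):
        if DRIVE_PATH.match(parts[i]):
            attrs = parts[2:i]
            is_dir = any(t == "<DIR>" or (t.startswith("d") and set(t[1:]) <= set("-w"))
                         for t in attrs)
            return {"ts": ts, "is_dir": is_dir, "path": " ".join(parts[i:])}
    return None


def recent_entries(listing, incident, before=timedelta(days=1), after=timedelta(days=3),
                   known_good=frozenset()):
    """Return entries whose timestamp falls in [incident - before, incident + after],
    excluding paths the user has identified as legitimate, newest first."""
    lo, hi = incident - before, incident + after
    hits = []
    for line in listing.splitlines():
        entry = parse_listing_line(line)
        if entry is None or entry["path"] in known_good:
            continue
        if lo <= entry["ts"] <= hi:
            hits.append(entry)
    hits.sort(key=lambda e: e["ts"], reverse=True)
    return hits


if __name__ == "__main__":
    # Assumed: the game was installed on 2008-02-06 and the user vouched for WST.
    for e in recent_entries(SAMPLE_LISTING, datetime(2008, 2, 6),
                            known_good={r"C:\Program Files\WST"}):
        print(e["ts"], "DIR " if e["is_dir"] else "FILE", e["path"])
```

Run without the `known_good` set, the WST folder shows up in the window exactly as it did in the reply, and the user's later answer (a work application, folder created in 2005) is what removes it; the listing timestamp alone cannot tell a freshly dropped folder from an old one that was merely written to, which is why the helper asked rather than deleted.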
  4. msniecey

    msniecey Private E-2

    Yes it was a version of the Zuma game. I don't think it totally installed before I quit it. The executable started extracting a bunch of files and added some to the desktop. I stopped it half way through and started deleting stuff. I did uninstall the game and everything else in the add/remove programs that I didn't need per the start here instructions.
     
  5. msniecey

    msniecey Private E-2

    Sorry I didn't see the last part. WST is an application that I need for work. It only runs every so often. That application has been there forever...When I view the properties on the folder it has a 2005 creation date.
     
  6. msniecey

    msniecey Private E-2

    Thank you!!! Thank you!!!! Thank you!!!!!

    I've done everything you noted below and everything appears to be working perfectly. No more spam, no pop-ups, and I am able to browse the web and my pc isn't locking up anymore. I also checked my Symantec Firewall logs and there is no extra traffic. I can't thank you enough for the help and the quick response time. I hope I never need your services again but if I do I will know where to come. I have attached the requested log files and I will update my Mozilla Firefox.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work through the below link:
     
