TR/TRASH.gen, pup, trojan - help please

bayrun · Sep 18, 2013

Hi,

I am new here. My computer screens are flashing and pop up windows. I intitally ran combofix and malwarebytes to get rid and it did some, but some are still on.

I am requesting your help.

I followed your Malware Removal guide and have attached files after running the software for review.

Thanks for your time and consideration.

Kestrel13! · Sep 19, 2013

Please re run Hitman and have it delete any Potential Unwanted Programs.

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.

Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Attach JRT.txt to your next message.

Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

Run the new MGTools.exe and attach the new MGlogs.zip

bayrun · Sep 19, 2013

Thank-you Kestrel.

I have completed your requests.

Attaching the files for you.

Hope the newer MGlog re-wrote the old one, didn't see that as it happened very quickly.

bayrun · Sep 19, 2013

I thought I was free from the Malware, but screens are flashing when I try to open Mozilla. Icons on desktop flash and Mozilla opens to a search page not browser and flashes. It also opens additional ones as well.

Wanted to let you know update. Thank-you

Kestrel13! · Sep 19, 2013

We are going to be uninstalling your old version of FireFox and installing the new version. So do the below to save bookmarks:

Run FireFox and click Bookmarks.

Then select Organize Bootmarks.

Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

Start by uninstalling FireFox and then reboot. Do not skip the reboot.
After reboot, delete the below folders:

C:\Program Files\Mozilla Firefox

C:\documents and settings\UserAccount\Application Data\Mozilla

where UserAccount is the actual user account name being used.

Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

bayrun · Sep 19, 2013

Hi Kestrel,

I think I have success!!!

My computer now boots up on it's own without me have to go to F2 and manually help it along. I don't see any flashing windows.

And even my computer letters are capitalizing. They wouldn't before.

I need to read on this site for optimum safety and security. Any quick suggestions. I am going to download a firewall and be more careful with downloading. I guess I should always go to Manufacturer's site.

Thank-you for your sacrifice of time with me. I appreciate you.

Michelle :wave

PS Below is log for you, again; thank-you!

PSS - Should I keep the tools on my computer? Definitely will bookmark MG's

Kestrel13! · Sep 19, 2013

Almost finished.

Are you able to delete these?

C:\WINDOWS\system32\appmgmt

C:\WINDOWS\system32\ld605~1

If so... do this next:

Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

bayrun · Sep 19, 2013

A could delete the first one: appmgmt

But, could not find the second one anywhere: Id605~1

Thanks

Kestrel13! · Sep 19, 2013

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe And select " Run as administrator " to run it.

Paste the following code under the area. Do not include the word Code.
Code:
:Files
C:\WINDOWS\system32\appmgmt
C:\WINDOWS\system32\ld605~1

:Commands
[emptytemp]
[Reboot]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Push the large button.

OTM may ask to reboot the machine. Please do so if asked.

Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

bayrun · Sep 19, 2013

I am not able to run the program in Administrator as it says it is the wrong password.

bayrun · Sep 19, 2013

In my user accounts, I have computer Administrator Password protected account (the one I login to), an other account (which says it is also computer Administrator), and a greyed out guest account.

Looks like a problem to me.

Kestrel13! · Sep 19, 2013

Just double click OTM to run it please.

bayrun · Sep 19, 2013

The hour glass is still working on the OTM. It has been 4 minutes and nothing is happening. cancel and retry?

bayrun · Sep 19, 2013

I was able to get OTM to run, here are results:

All processes killed
========== FILES ==========
File/Folder C:\WINDOWS\system32\appmgmt not found.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
File move failed. C:\WINDOWS\system32\܁ںL scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
Unable to create HKLM\Software\OldTimer Tools\OTM key.
->Temporary Internet Files folder emptied: 67 bytes
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
->Flash cache emptied: 57472 bytes

User: LocalService

User: NetworkService

User: User_1

User: User_2

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
Unable to create HKLM\Software\OldTimer Tools\OTM key.
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Unable to create HKLM\Software\OldTimer Tools\OTM key.
Windows Temp folder emptied: 20779859 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 20.00 mb

OTM by OldTimer - Version 3.1.21.0 log created on 09192013_201128

bayrun · Sep 19, 2013

I was able to delete manually: C:\WINDOWS\system32\appmgmt as you earlier requested.

bayrun · Sep 19, 2013

I removed mozilla as it makes everything jumpy...........not sure how long i will be able to use this computer.............getting out of control. other browsers don't work, but go to search windows page and jumpy.

bayrun · Sep 19, 2013

a little more under control once Mozilla is off again.

Kestrel13! · Sep 20, 2013

MGTools did not run to completion! Ensure you are running as admin, and that antivirus is not interfering.

Run it again please and attach the new MGlogs.zip.

bayrun · Sep 20, 2013

I am running only way possible. If I choose run as admin, it says my password is incorrect. So it is running as user1.

Any suggestions appreciated. Thanks for your diligence on this. Be back in 1.5 hours, then soon leaving for weekend.

Kestrel13! · Sep 20, 2013

That's better. I got a full set this time around. reviewing them now and hopefully we can get this licked before you go away.

Kestrel13! · Sep 20, 2013

Download The Avenger by Swandog469, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop

Run avenger.exe by double-clicking on it.

Do not change any check box options!!

Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\WINDOWS\system32\ld605~1
C:\WINDOWS\system32\??L?
Click to expand...

Now click the Execute button.

Click Yes to the prompt to confirm you want to execute.

Click Yes to the Reboot now? question that will appear when Avenger finishes running.

Your PC should reboot, if not, reboot it yourself.

A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

bayrun · Sep 22, 2013

Greetings Kestrel,

I ran Avenger and after computer rebooted my Avira popped up with this message: Access to file 'C:cleanup.bat' containing the virus or unwanted program: BAT/Delplug.A was blocked.

I quarantined it.

I then ran the MGTool and my anti-virus Avira also popped up during running of MGTool with: Host file blocked

Just in case, here is the Avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\ld605~1" deleted successfully.

Error: could not open file "C:\WINDOWS\system32\??L?"
Deletion of file "C:\WINDOWS\system32\??L?" failed!
Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
--> an object cannot have this name

Completed script processing.

*******************
Just wanted to pass on this additional info.

Again, thanks for your time and expertise on this. I appreciate it!

BTW, I love to wear hoodies also. Especially in cool weather.

Kestrel13! · Sep 23, 2013

Hoodies are great this time of year, I agree.

Listen, your antivirus is hindering us. Please temporarily disable or uninstall it for the duration you run my fix. You need to do everything in my post #21 again, including downloading a fresh copy of avenger and letting it overwrite the old.

bayrun · Sep 23, 2013

Hi Kestrel,

I uninstalled my Avira. Downloaded the Avenger again and ran.

I also ran the MGTools.

Here is the MGTools attachment.

Thanks Again!

bayrun · Sep 23, 2013

Hi again Kestrel,

I am not sure I overwrote Avenger. I don't know how to do this.

I went to the link for Avenger and re-downloaded, but not sure it actually overwrote the file.

I clicked on the link in zip-file and ran it.

I might need instructions on how to do this properly.

Thanks

bayrun · Sep 23, 2013

I repeated the #21 post for cleaning with Avenger, but used IE to download the file instead. Then ran MGTools.

Hope this is helpful.

Thanks.

Kestrel13! · Sep 23, 2013

Excellent. Ready for final steps?

bayrun · Sep 23, 2013

yes!

Kestrel13! · Sep 23, 2013

Ok.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.

Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.

Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.

If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:

Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore

What we want you to do is to first disable System Restore to flush restore points some of which could be infected.

Then we want you to Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

bayrun · Sep 23, 2013

Hi Kestrel,

I am still having problems. I re-installed Mozilla and all hell broke loose, the jumping search pages when I clicked on google's browsers. The other syptom of this is my 'c' key on my keyboard won't capitalize.

I uninstalled Mozilla again and deleted the few mozilla files left on my computer.

I started to re-run the READ ME FIRST steps; and then I saw that I should not do this but just report back.

Apologies for not just getting back to you.

I do have some reports I ran from the READ ME FIRST Steps if you would like to see them.

Kestrel13! · Sep 24, 2013

Hi there. Sorry to hear you're having troubles again. This thread is just going to become overloaded if we continue here. Attach those logs to a fresh thread in this forum, and myself, Chas or TimW will get to you.

bayrun · Sep 24, 2013

How do I start a new thread? Thanks

Kestrel13! · Sep 24, 2013

Same way you started this one. Begin a new thread here.

TR/TRASH.gen, pup, trojan - help please

bayrun Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Attached Files:

bayrun Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

bayrun Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

bayrun Private E-2

Attached Files:

bayrun Private E-2

bayrun Private E-2

bayrun Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Attached Files:

bayrun Private E-2

bayrun Private E-2

Attached Files:

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

bayrun Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

Useful Searches