Trojan.Pandex and who knows what else

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by viajera, Jun 13, 2008.

  1. viajera

    viajera Private E-2

    On Monday evening*, Symantec told me that Trojan.Pandex had been detected, but that I was secure. Shortly afterward, I began getting the "email rejected, looks like spam" type pop-ups from Symantec. I was unable to connect to the internet for more than 1 or 2 minutes without this happening. (*I first got that alert on Monday, but I believe the actual "in" occurred about a week earlier when Sun Java gave me some unusual errors, and Chkdsk ran on Sunday when I shut down and started up my computer.)

    I have completed all steps in Read & Run Me First. I also uninstalled Norton and purchased Spyware Doctor and began using Online Armor firewall . I completed everything by Wednesday evening. On Thursday, Qwest blocked my internet access, advising me my account had been identified as a source of spam and that I was affected by Open Proxy. I used McAfee Stinger per the recommendation. Nothing was found. I have not gotten errors from the email-checker in Spyware Doctor. I was able to regain my web access by reporting that I had cleared the virus, but I'm quite sure it's not gone.

    This morning upon startup Online Armor advised me that a process was trying to run. The process contained many special characters which I can't reproduce, but in the middle I can make out zxfeAR6.jiOUTLOOKFiles>
    I blocked it, but don't know what's happening.

    Spyware Doctor tells me I have Application.Nir.Cmd and that it may or may not be desireable?

    I don't want to be spamming the world nor be permanently blacklisted. Help! Attaching logs per instructions, two with this message and two with the following. Thanks for sharing the wisdom.
     

    Attached Files:

    viajera, Jun 13, 2008
    #1
  2. viajera

    viajera Private E-2

    Attaching the other two logs. Thanks again.
     

    Attached Files:

    viajera, Jun 13, 2008
    #2
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    chaslang, Jun 15, 2008
    #3
  4. viajera

    viajera Private E-2

    The requested files are attached. Thank you so much for your time and help. I can't tell you how things are working yet because I just finished running everything. I had to struggle to get ComboFix to work - I ended up uninstalling Online Armor completely as I couldn't seem to get it to not interfere during the restart. I'll reinstall it. Thanks again for reviewing all of this. I'll wait to hear what the next steps should be!

    Oh: Yes, I did get a success message for the fixme.reg addition.
     

    Attached Files:

    viajera, Jun 15, 2008
    #4
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    4. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    5. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    6. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    10. Go to add/remove programs and uninstall HijackThis.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
    chaslang, Jun 15, 2008
    #5
  6. viajera

    viajera Private E-2

    Thanks again. I have done everything you listed, except on Step 12, it says I should work through the below link:

    But there is no link. :) Help?
     
    viajera, Jun 17, 2008
    #6
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    chaslang, Jun 17, 2008
    #7

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds