Trojan & Vundo problems. Fixed?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Creekgeek, Sep 20, 2009.

  1. Creekgeek

    Creekgeek Private E-2

    Hi guys,

    Two weeks ago, I installed a new primary hard and operating system in my HP dv8135nr. I installed my old primary drive into my secondary slot. I mention this because there was an old issue of a possible Vundo infection in the old hard drive(though there were no symptoms).

    My virus protection was AVG & my windows firewall was turned on.

    Yesterday(9-19-09), while uploading some pictures to Photobucket, I kept getting pop-up advertisements. I thought I was either accidentally hitting ad banners or it was a quirk of photobucket that was demanding I look at advertisements. Then, my AVG popped up a window warning of a trojan attack.

    I started going through the motions, starting with a scan with Spybot, which detected several issues, dealt with some of them, but couldn't deal with others. I also downloaded and ran Kaspersky, with similar results. I was getting random, odd popup advertising and I also had problems running some programs, including not being allowed to run Windows Update or the Microsoft Malicious Software utility.

    I eventually got to a point where things were working better.

    I then, (re)stumbled upon MajorGeeks(thankyou, thankyou, thankyou).

    I have gone through the motions described in "READ & RUN ME FIRST, Malware Removal Guide".

    I think I completed everything and in order but am unsure as to whether I've solved my problem.

    Here's the log files, etc...
     


  2. Creekgeek

    Creekgeek Private E-2

    and the final log...

    Thanks in advance...
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Other than removing these:
    Code:
    C:\Documents and Settings\Dale\Local Settings\Temp\"
    jeteb69.tmp   Sep 20 2009           0  "JETEB69.tmp"
    lkdeje~1.pa~  Sep 20 2009      465298  "LkDEjeV3.rar.part"
    nso7.tmp      Sep 20 2009           0  "nso7.tmp"
    nso7tm~1.exe  Sep  3 2009     5894616  "nso7.tmp.exe"
    
    Your logs are clean. Tell me what issues you are still having.
     
  4. Creekgeek

    Creekgeek Private E-2

    Thanks Tim,

    I have 2 problems.

    1. I don't know how to remove the lines of code.

    2. I didn't have my computer turned on from mid August, when I started having trouble with it booting, until September 5th, when I installed a new hard drive and operating system. There's a line of code in there dated September 3rd. I'm concerned about how this line of code, with that date, ended up on my computer.

    I purchased a "new" hard drive(it was sealed in an original looking package) from an individual who claimed to have purchased it, then decided not to use it. He claimed to work as a computer technician of some sort. Could he have installed a program on it to harvest my data that would have survived me formatting the drive and installing windows XP? Should I be concerned about code hidden deeper, waiting to surface?

    Thanks again,

    Dale
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What line of code?

    If the hard drive you bought and installed was formatted by you and you did a fresh installation then I doubt that there is any malware hidden. Some files of course will have old dates....but that is normal. You need to be more specific as to your concern.
     
  6. Creekgeek

    Creekgeek Private E-2

    Thanks for the feedback on the harddrive.

    In your first reply, you said,

    "<<<Other than removing these:
    <<<Code:

    <<<C:\Documents and Settings\Dale\Local Settings\Temp\"
    <<<jeteb69.tmp Sep 20 2009 0 "JETEB69.tmp"
    <<<lkdeje~1.pa~ Sep 20 2009 465298 "LkDEjeV3.rar.part"
    <<<nso7.tmp Sep 20 2009 0 "nso7.tmp"
    <<<nso7tm~1.exe Sep 3 2009 5894616 "nso7.tmp.exe"

    I don't know how to find or remove these.

    Thanks,

    Dale
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The use of the code function was to properly format in vBulletin the files I wanted you to find and delete:

    C:\Documents and Settings\Dale\Local Settings\Temp\JETEB69.tmp
    C:\Documents and Settings\Dale\Local Settings\Temp\LkDEjeV3.rar.part
    C:\Documents and Settings\Dale\Local Settings\Temp\nso7.tmp
    C:\Documents and Settings\Dale\Local Settings\Temp\nso7.tmp.exe
     
  8. Creekgeek

    Creekgeek Private E-2

    I've used the windows search function to find and delete 3 of the 4 files.

    I can not find "C:\Documents and Settings\Dale\Local Settings\Temp\JETEB69.tmp"

    Is it gone or is it hiding? I'm not sure I'm searching for the file in the best way.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The file may have been removed earlier.....what issues are you still having?
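An added check, not from the thread or from MajorGeeks: a Python script that tests each of the four Temp-folder paths TimW listed with os.lstat, which sees files even when they carry the hidden or system attribute that Explorer hides by default, and optionally deletes them. The real path under C:\Documents and Settings is only a constant here; the demo runs against a constructed scratch folder holding two of the names.

```python
import os
import stat
import tempfile

# Folder and file names exactly as listed in the thread (constant only; the
# demo below never touches this real path).
TEMP_DIR = r"C:\Documents and Settings\Dale\Local Settings\Temp"
LISTED_FILES = ["JETEB69.tmp", "LkDEjeV3.rar.part", "nso7.tmp", "nso7.tmp.exe"]

def _is_hidden_or_system(st):
    """True when the Windows hidden/system attribute is set; False on other OSes."""
    attrs = getattr(st, "st_file_attributes", 0)
    flag_hidden = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    flag_system = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0)
    return bool(attrs & (flag_hidden | flag_system))

def verify_cleanup(directory, names, remove=False):
    """Check each listed file with lstat (no Explorer/Search filtering).
    Returns {name: 'absent' | 'present' | 'hidden' | 'removed'}."""
    report = {}
    for name in names:
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            report[name] = "absent"
            continue
        status = "hidden" if _is_hidden_or_system(st) else "present"
        if remove and not stat.S_ISDIR(st.st_mode):
            os.remove(path)
            status = "removed"
        report[name] = status
    return report

def demo():
    """Constructed sample: a scratch Temp folder holding two of the four names."""
    scratch = tempfile.mkdtemp()
    for name in ("nso7.tmp", "nso7.tmp.exe"):
        with open(os.path.join(scratch, name), "wb") as fh:
            fh.write(b"\x00" * 16)   # placeholder bytes, not the real file
    before = verify_cleanup(scratch, LISTED_FILES)            # dry run
    during = verify_cleanup(scratch, LISTED_FILES, remove=True)
    after = verify_cleanup(scratch, LISTED_FILES)             # confirm gone
    os.rmdir(scratch)
    return before, during, after

if __name__ == "__main__":
    for label, rep in zip(("before", "remove", "after"), demo()):
        print(label, rep)
```

Run with remove=False first to see what is still on disk; a "hidden" result explains a file that Windows Search does not show.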
     
  10. Creekgeek

    Creekgeek Private E-2

    I've not been using this computer, due to the problems we've been chasing around.

    After your last reply, I started using it again and an AVG window popped up saying I had:

    Trojan Horse Generic14.BENP
    Trojan Horse Generic14.BEKK
    Trojan Horse Generic14.BEKK

    I started chasing those around and a scan showed a virus called Win32/Criptor.

    I thought I had it all taken care of again and the AVG window popped up again showing:

    Trojan Horse Generic14.BENP
    Trojan Horse Generic14.BEKK
    Trojan Horse Generic14.BEKK

    It seemed to allow me to delete these.

    I went through the whole spiel again of the "READ & RUN ME FIRST. Malware Removal Guide".

    I've been using the computer now longer than I did before the first warnings popped up with no indications of a problem.

    So far, so good?

    Thanks guys,

    Dale
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The names that AVG or other AV programs call things are irrelevant. Knowing the exact path to the malware is what is needed.

    However, if you are able to remove those items with AVG and are not having any other symptoms, then
    it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  12. Creekgeek

    Creekgeek Private E-2

    Hi guys and thanks again for the help.

    After going through the last set of instructions, my computer started picking up some odd behaviors. Mostly, it was very slow to respond to key strokes and the cursor became a bit erratic. Multiple scans failed to pick up any malware.

    I decided that it was time for a re-installation of my operating system. That's when it got increasingly weird.

    I start going through the motions and about the 3rd step, I'm supposed to press "esc" to install a new copy of the operating system, instead of repairing it. When I hit esc, my computer would immediately power off. I did this 3 times in a row with the same results. I then booted the computer in regular mode to determine if it was overheating(it didn't seem hot, but...) or whatever. It did not shut off.

    I then, instead of trying to reload the operating system, attempted to do a "repair" of the operating system using the recovery disc. It started going through the motions, then, after a couple of minutes, the computer abruptly shut down again.

    At this point, when I booted the computer, it had changed a bunch of the settings & was giving me a message that I was missing ATA... blah... blah... blah...

    I then attempted to reformat the disc. It got about 20% through the format, then shut down. I reinserted the operating system disc and it finally allowed me to reformat, then install the operating system.

    While I haven't had the time yet to give it a good shake down and test it by use, it appears to be working properly for now.

    I wonder... was there a virus/trojan/worm/gremlin that was trying to keep me from re-installing my operating system? Could it have survived?

    After having read Microsoft's "Help: I Got Hacked. Now What Do I Do?", I've been tossing and turning at night, wondering if I should remove all existing computers and computer controlled devices, from my house, garage, driveway, etc...

    Thanks again for the help.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    From what you stated, it just sounds as though you were not doing the re-installation properly. You said that the reformat got stuck and you had to put the disc back in.....you never should have removed it in the first place.

    I suggest that you post in the software forum for specific instructions on doing a clean installation for future use.
     
  14. Creekgeek

    Creekgeek Private E-2

    I think you missed something.

    To be clear...

    I was attempting to re-install my operating system using the recovery disc. That was not working, as described in my previous post. I removed the recovery disc and attempted to format the hard drive without the recovery disc. That attempt got me through 20% of the format, then my computer shut down again. It was only then that re-inserting the recovery disc and going through the motions worked.

    One definition of insanity is doing the same thing over and over and expecting different results. I was doing the same thing over and over and getting the same results. That's why I did something different and it apparently worked.

    The re-installation of my operating system went well. I've been using the computer on a limited basis and have not encountered any problems(I love using a fresh system).

    I am curious if malware was indeed attempting to keep me from wiping and reloading my operating system and/or why my computer was powering down so abruptly under those conditions and those conditions only.

    Thanks again.

    Dale
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Frankly, I don't know. It can be possible for malware to infect your bios...but rather unlikely. Doing a clean install will remove any malware that is left on your system. You may wish to ask about this problem in the software forum.

    ( I have had to remove the install disc at times, but usually because it can't copy files, and that often indicates a dirty or scratched disc. )
     
