TrojanDownloader.xs/Antispyware-reviews.biz/PC-Antispyware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tvm507, Apr 2, 2008.

  1. tvm507

    tvm507 Private E-2

    Hello! Similar to other posters, I was surfing the internet (March 30) and ended up with a virus/malware that gave me numerous fake popups such as System Integrity Scan Wizard or a Security System Protection Control Panel. I also got the dreaded yellow triangle with an exclamation point on my taskbar stating my PC was infected. All of these popups directed me to a web page telling me to purchase PC-Antispyware or PC-Cleaner.

    I have followed the READ & RUN ME FIRST, and it seems to have taken care of the popups and dreaded triangle. :) However, I would feel much better if you could please take a look at my log files to see if I need to take further action. Looking at solutions for other posters, I likely still have some files that need to be deleted. (Note: I know Step 1 of RRMF says to empty my recycle bin, and my logs probably show I have one folder in there. I did originally empty it, but during Step 3 I started getting a notice from my antivirus program that there was a suspicious .exe in that folder trying to access the internet. I disabled the program in Task Manager and put it in my recycle bin for now.)

    One more note - after I installed SUPERAntiSpyware and rebooted, I now get a RegSvr32 error message on startup saying "LoadLibrary ("C:\Documents and Settings\All Users\Application Data\etgvajkp.dll") failed - The specified module could not be found".

    Thank you so much in advance!! This is my first post so I hope that I followed all of the pre-post instructions correctly.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Do you use the MusicMatch Jukebox software that probably came preinstalled on your Dell PC?

    Uninstall the below software:
    My Way Search Assistant <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [etgvajkp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\etgvajkp.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [tbjfkeyz] C:\WINDOWS\system32\xixgvsjq.exe
    O4 - HKLM\..\Policies\Explorer\Run: [zeTINEKiCx] C:\Documents and Settings\All Users\Application Data\tudelifc\nqjafklu.exe
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!

    DO NOT power down or reboot your PC after attaching the logs. If you are still infected, the reboot could cause files to change and the infection to spread. Wait for our next response.
     
  3. tvm507

    tvm507 Private E-2

    chaslang,
    Thank you for your help so far! The My Way Search Assistant did not show up in my control panel add/remove programs, but after looking at advice in other threads I found it in the CCleaner/Tools and uninstalled it there. Hopefully it uninstalled okay.

    Every once in a while I use MusicMatch Jukebox, but let me know if this program is something I should get rid of.

    After following your instructions, attached are my new logs. I look forward to further instructions (hopefully things are headed in the right direction!). The good news is I have not seen any popups or annoying yellow triangles lately.
     

    Attached Files:

    Last edited by a moderator: Apr 4, 2008
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you don't need to remove it if you use it.

    Did you put the below line into your hosts file?
    O1 - Hosts: 206.144.9.169 HLPCEMS

    If yes why? That IP Address is for the below company.

    Code:
    IP Address   : 206.144.9.169 [ 206.144.9.169 ]
    ISP          : Onvoy
    Organization : Otter Tail Power Company
    Location     : US, United States
    City         : Fergus Falls, MN 56537

    Please delete the below folder:
    C:\Documents and Settings\All Users\Application Data\tudelifc


    Other than the above your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\cf" /u
        • Note: the space between cf" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    2. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
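The HijackThis O2/O4 lines chaslang asked to be fixed in his first reply, and the O1 hosts entry he asked about above, can be parsed and checked mechanically. The script below is an added Python example; it is not part of this thread, of HijackThis, or of the MGtools package. It assumes only the log line formats shown in the posts, simulates file existence with a constructed set (PRESENT_FILES) so it runs offline, and flags the same things an expert flags by eye: autorun targets that no longer exist (like the etgvajkp.dll behind the RegSvr32 error), autoruns launched from user-writable Application Data folders, orphaned BHO registrations, and hosts entries that send a name to a non-local address.

```python
"""Parse HijackThis-style O1/O2/O4 log lines and apply the checks a
malware-help volunteer performs by eye.

Added example, not part of the thread or of HijackThis. File existence is
simulated with a constructed set so the script runs without a Windows box."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Lines quoted from the thread, used here as constructed sample input.
SAMPLE_LOG = r"""
O1 - Hosts: 206.144.9.169 HLPCEMS
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [etgvajkp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\etgvajkp.dll"
O4 - HKCU\..\Run: [tbjfkeyz] C:\WINDOWS\system32\xixgvsjq.exe
O4 - HKLM\..\Policies\Explorer\Run: [zeTINEKiCx] C:\Documents and Settings\All Users\Application Data\tudelifc\nqjafklu.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"""

# Constructed: pretend only the Java updater is still on disk. The poster's
# RegSvr32 error already shows etgvajkp.dll is gone.
PRESENT_FILES = {r"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(.+?): \[(.*?)\] (.*)$")
# A quoted path may contain spaces; an unquoted one (as HJT prints them)
# is taken up to the first executable/library extension.
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|scr|com|bat|cmd))", re.IGNORECASE)


@dataclass
class Entry:
    kind: str            # "O1", "O2" or "O4"
    detail: dict         # parsed fields for this line
    flags: list = field(default_factory=list)  # reasons it deserves a look


def referenced_path(command: str) -> Optional[str]:
    """Return the first drive-letter path in a Run command, quoted or not."""
    m = QUOTED_PATH_RE.search(command) or BARE_PATH_RE.search(command)
    return m.group(1) if m else None


def in_user_writable_dir(path: str) -> bool:
    # Profile data folders are writable without admin rights; legitimate
    # vendors rarely register autoruns from there (case-insensitive match).
    low = path.lower()
    return "\\application data\\" in low or "\\local settings\\" in low


def parse_line(line: str, exists: Callable[[str], bool]) -> Optional[Entry]:
    line = line.strip()
    if m := O1_RE.match(line):
        ip, host = m.groups()
        e = Entry("O1", {"ip": ip, "host": host})
        if not ip.startswith("127.") and ip != "0.0.0.0":
            e.flags.append("hosts entry points a name at a remote address")
        return e
    if m := O2_RE.match(line):
        name, clsid, path = m.groups()
        e = Entry("O2", {"name": name, "clsid": clsid, "path": path})
        if path == "(no file)":
            e.flags.append("orphaned BHO registration")
        return e
    if m := O4_RE.match(line):
        hive, key, value_name, command = m.groups()
        path = referenced_path(command)
        e = Entry("O4", {"hive": hive, "key": key, "value": value_name,
                         "command": command, "path": path})
        if path is None:
            e.flags.append("could not identify target file")
        else:
            if not exists(path):
                e.flags.append("target file missing (orphaned autorun)")
            if in_user_writable_dir(path):
                e.flags.append("autorun from user-writable data folder")
        return e
    return None  # other HJT sections are not handled in this example


def review_log(text: str,
               exists: Callable[[str], bool] = PRESENT_FILES.__contains__) -> list:
    """Parse every recognised line; `exists` can be swapped for os.path.exists."""
    return [e for e in (parse_line(ln, exists) for ln in text.splitlines()) if e]


def suspicious(entries) -> list:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in review_log(SAMPLE_LOG):
        label = e.detail.get("value") or e.detail.get("host") or e.detail.get("clsid")
        print(e.kind, label, e.flags or "ok")
```

On a real machine, pass `exists=os.path.exists` to `review_log`; with the constructed set here, every entry except the Java updater is flagged, which matches what the expert singled out in the thread.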
     
