had rootkit, vundo, etc.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by catlady13, Feb 17, 2008.

  1. catlady13

    catlady13 Private E-2

    Hi, I am trying to help a friend from work with her computer. I have done everything suggested in your forum to clean this thing to the best of my ability. I THINK it is clean now, but I've been working on it for many days now; I had it here about two weeks ago and thought it was clean then, but either it wasn't or they got something new then. If someone could peek and see if they think I have everything, or can suggest anything else to try, I would much appreciate it. She uses this computer for banking and business stuff, so it really needs to be clean. I shall attach the txt files required. Thank you ever so much. It DID have vundo, win32.tiny.abk, ieupdr2, rootkit unclassified/polymorph-A, win32.Trojandownloader.Agent, win32.TrojanProxy.Xorpix, Generic.PolyCryptSeli.100, Pakes.333, Downloader.Agent.2069 and a few others. I worry a lot about the rootkits.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please tell me what this is:

    C:\Documents and Settings\All Users\Application Data\fssg ?

    Also, you have no Java installed; please download and install:
    Java Runtime 6

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt


    Now run CCleaner and tell me how things are running.
     
  3. catlady13

    catlady13 Private E-2

    Hi, and thank you EVER so much for your help. It is greatly appreciated. I don't know what the file C:\Documents and Settings\All Users\Application Data\fssg is, but it wasn't there when I looked. After posting I ran a couple of other programs through that I had read about on this site. One was IEDef.exe and the other was SDFix, and I think one of them got rid of that. I think they may also have rid the computer of the other files you mentioned in Avenger, but I ran it anyway. The computer seems ever so much better; though the C drive still has the big red X, it isn't rebooting, and running AVG Free antispyware and/or SUPERAntiSpyware no longer comes up with anything. I will attach the Avenger log file. If you have any way to get rid of the big red X on the C: drive I would love it, but if not I THINK everything is gone.
    Again my greatest thanks.
    Linda
    PS I did download and install Java as per your request.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, there were a few things removed since Avenger couldn't find them, but I would like you to run the C:\MGtools\GetLogs.bat file by double-clicking on it. Then attach the new C:\MGlogs.zip file.

    Let's see if there are still remnants.
     
  5. catlady13

    catlady13 Private E-2

    Hi, here is the new mgtools.zip log as per your request. I have my fingers and toes crossed, and thank you again for your help.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
        * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
        * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Your logs look clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below:
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, the C:\ComboFix folder, the C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix-related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now, including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file, the C:\VundoFix Backups folder and the C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete C:\MGlogs.zip.
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
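    Steps 2 through 9 of the list above are all deletions of known tool leftovers, so they can be scripted once and reused. The following is an added example written for this page; it is not part of the original thread, the MajorGeeks READ ME, or any of the tools named. It assumes Windows PowerShell is installed (it was an optional add-on on Windows XP, not a default component), that the tools were saved to the current user's Desktop, and that SDFix was extracted to C:\SDFix (its usual location, not stated in the thread). Run it with -DryRun first to see what would be removed.

```powershell
# Added example: remove the leftover malware-removal tool files named in the
# final cleanup steps above. Not from the original thread or the MajorGeeks
# READ ME. Assumes PowerShell is installed on the XP box (optional add-on)
# and that the tools were downloaded to the current user's Desktop.
#
# Usage:  powershell -File cleanup-tools.ps1 -DryRun   (report only)
#         powershell -File cleanup-tools.ps1           (actually delete)
param([switch]$DryRun)

$desktop = [Environment]::GetFolderPath('Desktop')

# Paths taken from the post. The Desktop entries and C:\SDFix are assumed
# locations for where the user saved or extracted each tool.
$targets = @(
    (Join-Path $desktop 'ComboFix.exe'),         # step 2
    'C:\ComboFix',
    'C:\QooBox',
    'C:\WINDOWS\nircmd.exe',
    'C:\combofix.txt',
    'C:\ComboFix-quarantined-files.txt',
    (Join-Path $desktop 'SDFix.exe'),            # step 3 (assumed locations)
    (Join-Path $desktop 'SDFix'),
    'C:\SDFix',
    'C:\rapport.txt',                            # step 4
    (Join-Path $desktop 'VundoFix.exe'),         # step 5
    'C:\VundoFix Backups',
    'C:\vundofix.txt',
    (Join-Path $desktop 'Fixwareout.exe'),       # step 6
    'C:\fixwareout',
    (Join-Path $desktop 'avenger.zip'),          # step 7
    (Join-Path $desktop 'avenger.exe'),
    'C:\avenger.txt',
    (Join-Path $desktop 'fixME.reg'),            # step 8
    (Join-Path $desktop 'fixWLK.reg'),
    'C:\MGtools',                                # step 9
    'C:\MGtools.exe',
    'C:\MGlogs.zip'
)

foreach ($path in $targets) {
    # -LiteralPath so the space in 'VundoFix Backups' and any brackets in
    # a path are not treated as wildcard characters.
    if (-not (Test-Path -LiteralPath $path)) { continue }

    if ($DryRun) {
        Write-Host "would remove: $path"
    } else {
        # -Force also removes read-only and hidden files some of these tools
        # leave behind; -Recurse is needed for the backup/quarantine folders.
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Continue
        Write-Host "removed: $path"
    }
}

# Step 1 (Pocket Killbox backups) and step 10 (flushing System Restore
# points) are done from those programs' own menus, as the post describes,
# and are deliberately left manual here.
```

    Because the script deletes by exact path, anything a tool left somewhere else (for example an Avenger zip saved to a downloads folder) has to be added to the list by hand; the dry run makes it easy to confirm the list before anything is removed.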
     
  7. catlady13

    catlady13 Private E-2

    Hi, thank you very much. Things seem clean and to be running well now. One quick question please: was the big red X next to Local Disk C: indicative of the past infections? Is it something to worry about? I really appreciate your time and help and shall now turn off the restore point, reboot and turn it back on.
    Thanks again,
    Linda
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You still have a red X next to the C drive? Is that drive a shared drive?
     
  9. catlady13

    catlady13 Private E-2

    Hi, no, it is not a shared drive. I have already given the computer back, though, as they were chomping at the bit to get it. Unfortunately now the sound isn't working. I talked them through removing it through the Control Panel and rebooting, but the sound device didn't come back, which seems odd to me. I can get the thing back again though if it is necessary.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should check in Device Manager; the sound drivers may have been corrupted and need to be uninstalled and reinstalled.
     
  11. catlady13

    catlady13 Private E-2

    Yes, I figured, and I tried to talk them through that first over the phone, but the lady has such a strong Russian accent that I am not absolutely positive what she uninstalled or reinstalled. She was reading me the list and most of the time I had no idea what she was saying. I really should get it back and look at it myself. Just curious if you have any idea about the big red X. If the computer is clean I really don't care about it. I would only worry if it is indicative of still having an infestation. Thanks again so much for your help.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have a few threads that this is starting to crop up on and we are researching it.
     
  13. catlady13

    catlady13 Private E-2

    Hi, thanks for letting me know that. If you find out any more about this, is it possible to let me know? I try to help out my friends a lot with their computers (though my preference is hardware) with removing viruses and such, just helping in general. I hate viruses and like to do my best to help everyone I know to keep their computers as safe as possible. As I have said, I really do appreciate the help you have given me. I could only go so far on my own.
    thanks again,
    Linda
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did this just occur now, or was it there since you first started this thread? Can you attach a readable snapshot of this so we can better understand what it looks like? Use a tool like the one below, which is great for capturing just rectangular areas. It is the second of four programs listed on the page.


    FastStone Capture 6.0

    After attaching this snapshot, apply the below registry patch and tell me if it fixes the red X.

    Try this:

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as type" is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.
     
