UGH... Blonde chick needs help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TheVicChick, Mar 8, 2008.

  1. TheVicChick

    TheVicChick Private E-2

    OK, so, I have been getting this crazy email message telling me that my spam limit is reached, so I called my ISP and they told me that I have been spamming and it is probably due to a virus. I do regular maintenance on my computer including Avast, Trend Micro HouseCall, Spybot Search & Destroy, etc... but this one got through. So this time I went to Trend Micro and it took some convincing, but I finally got my browser to do a scan and this is what it has come up with...

    CRYP_TAP-2 12 infections
    when you click the plus sign it tells me...
    "This is the Trend Micro heuristic detection for suspicious files that are compressed and encrypted and that manifest similar behaviour and characteristics as the following malware:

    VUNDO"

    and

    CRYP_XED-3 1 infections
    also, when I click the plus sign it tells me...
    "This is the Trend Micro heuristic detection for suspicious files that are compressed and encrypted and that manifest similar behaviour and characteristics as the following malware:

    TROJ_POLYCRYPT
    TROJ_BAGLE
    WORM_SDBOT"

    Now, I am able to click on the Polycrypt and Bagle names and get information, but I can't for the SDBot one. Anyway, here we go... as far as I can tell the Bagle trojan may be the email problem, and it looks like it came down in my email to begin with as a picture or something. I am not in the habit of opening email from people I don't know, so I am guessing I got an email from one of my friends who thinks it is great to send out the chain letters... Yippee for me.

    Now, I have started to go through this list of things to do here, the READ & RUN ME FIRST instructions, and I am well into it, but I thought I would give a quick overview while I am waiting for the Trend Micro HouseCall scan to finish. Now, if anyone is reading this right now, should I delete or fix everything I can with the Trend Micro scan?

    UGH... thank you so much for your help...

    Vic
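The ISP complaint in the post above (mail going out on its own until a spam limit trips) is the behaviour of a spam bot, which fans out to many remote mail servers on TCP port 25 at once, whereas a real mail client talks to one or two. One way to confirm which process is doing it is to read the output of `netstat -ano` on the Windows machine. The following is an added example, not code from the thread or from any of the tools it mentions; the netstat text embedded in it is constructed, and the PID 1337 process and the port-25 threshold are assumptions for illustration.

```python
"""Triage for an ISP 'you are sending spam' complaint: find processes with
outbound SMTP (TCP/25) connections to many distinct hosts in `netstat -ano`
output. Added example; the sample netstat text below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed `netstat -ano` sample (Windows layout). PID 1337 plays the
# hypothetical spam engine; PID 3004 is a normal mail client with one relay.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1040       192.0.2.10:80          ESTABLISHED     2288
  TCP    192.168.1.5:1041       203.0.113.7:25         ESTABLISHED     1337
  TCP    192.168.1.5:1042       203.0.113.8:25         SYN_SENT        1337
  TCP    192.168.1.5:1043       198.51.100.2:25        ESTABLISHED     1337
  TCP    192.168.1.5:1044       198.51.100.3:25        SYN_SENT        1337
  TCP    192.168.1.5:1045       198.51.100.4:25        ESTABLISHED     1337
  TCP    192.168.1.5:1046       192.0.2.25:25          ESTABLISHED     3004
  UDP    0.0.0.0:445            *:*                                    4
"""

# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

# States that mean the local host initiated or holds a connection outward.
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def remote_port(addr):
    """Port of 'host:port' or '[v6]:port'; None for '*:*' style wildcards."""
    _host, _sep, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def smtp_talkers(rows, min_hosts=3):
    """Map pid -> (connection count, sorted distinct remote hosts) for PIDs
    with outbound TCP/25 connections to at least `min_hosts` different hosts.
    Counting distinct hosts, not connections, keeps a legitimate client that
    holds several sessions to a single relay out of the result."""
    counts = Counter()
    hosts = defaultdict(set)
    for proto, _local, remote, state, pid in rows:
        if proto != "TCP" or state not in OUTBOUND_STATES:
            continue
        if remote_port(remote) != 25:
            continue
        counts[pid] += 1
        hosts[pid].add(remote.rpartition(":")[0])
    return {pid: (counts[pid], sorted(h)) for pid, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for pid, (n, targets) in smtp_talkers(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}: {n} outbound SMTP connections to {len(targets)} hosts")
        print("  look it up with:  tasklist /FI \"PID eq %d\"" % pid)
```

On a live machine, redirect `netstat -ano > netstat.txt`, read that file into `parse_netstat`, and use `tasklist /FI "PID eq <pid>"` to name the flagged process. A PID of 4 or a svchost.exe instance is not automatically innocent: spam bots of this era commonly injected into or replaced system processes, so the module path matters more than the process name.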
     
  2. TheVicChick

    TheVicChick Private E-2

    OK, well anyway, I am using the Trend Micro cleaning. I know it isn't going to do much, but I will start at the top of the list of what to do first and let you know how it goes...
     
  3. TheVicChick

    TheVicChick Private E-2

    OK, so very first, here we go... I am doing the Vundo scan thing... And please, let me know if I shouldn't be telling you exactly what steps I am taking... I just want to make sure that I am doing things exactly as I should, so that I don't have to either spend a mint at the local computer store and get them to do it, or end up having to format, and would it work anyway? If you get what I mean...

    Anyway... I am running the Vundo scan thing which I found HERE
     
  4. TheVicChick

    TheVicChick Private E-2

    OK, so I have run VundoFix (and it seems to have worked, YAY!)
    I have searched my Add/Remove Programs and seem to have found nothing there
    I have re-installed Sun Java
    I am on to the next step, which would be the msconfig thing, and this is where I get a little nervous because I don't believe I belong snooping around in these types of files... but here goes...
     
  5. TheVicChick

    TheVicChick Private E-2

    Hmmm... it was already on normal but I restarted anyway...

    and CRAP! I don't know what to do so I will have to wait and see what someone who knows something says...

    These are the files in the chest in my Avast...

    kernel32.dll
    winsock.dll
    wsock32.dll

    I don't know that I should be deleting them, should I?
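The question above (three files in the Avast chest carrying the names of Windows networking and core DLLs) is a common triage problem: a quarantined file named kernel32.dll or wsock32.dll is either the genuine system file (a false positive, which must not be deleted) or a malware look-alike using the name as camouflage. On Windows XP, Windows File Protection keeps a reference copy of each protected file in %SystemRoot%\system32\dllcache, so a quarantined copy can be hashed and compared against the reference of the same name, and its recorded original location checked against the system directory. The following is an added example, not code from the thread or from Avast or Trend Micro. It assumes the quarantine tool recorded each file's original path, and the fake %SystemRoot% tree, file contents and manifest it builds are constructed so that it runs offline; the verdict names are the example's own.

```python
"""Triage quarantined files that carry Windows system file names.

Added example (not from the thread). Verdicts:
  match-system-copy    same bytes as the dllcache reference: probably genuine
  lookalike-wrong-dir  system DLL name, but it lived outside system32
  tampered-or-fake     lived in system32 but differs from the dllcache copy
  no-reference         no dllcache copy of that name to compare against
The dllcache location is real Windows XP behaviour; everything else here
(paths, byte contents, manifest) is constructed for the demonstration."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 (quarantined copies can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(manifest, system_root):
    """manifest: list of (path_of_quarantined_copy, original_path).
    Returns {original_path: verdict}."""
    system32 = os.path.normcase(os.path.join(system_root, "system32"))
    dllcache = os.path.join(system_root, "system32", "dllcache")
    verdicts = {}
    for copy_path, original in manifest:
        ref = os.path.join(dllcache, os.path.basename(original))
        if not os.path.isfile(ref):
            verdicts[original] = "no-reference"
        elif os.path.normcase(os.path.dirname(original)) != system32:
            # Same name as a protected file but planted elsewhere: even an
            # exact copy in the wrong folder is a DLL search-order trick.
            verdicts[original] = "lookalike-wrong-dir"
        elif sha256_of(copy_path) == sha256_of(ref):
            verdicts[original] = "match-system-copy"
        else:
            verdicts[original] = "tampered-or-fake"
    return verdicts


def build_demo_tree(base):
    """Construct a fake %SystemRoot% with a dllcache, plus a quarantine
    folder and manifest covering all four verdicts. Constructed data."""
    root = os.path.join(base, "WINDOWS")
    system32 = os.path.join(root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    quarantine = os.path.join(base, "quarantine")
    os.makedirs(dllcache)
    os.makedirs(quarantine)
    for name in ("kernel32.dll", "wsock32.dll"):
        with open(os.path.join(dllcache, name), "wb") as f:
            f.write(b"MZ reference copy of " + name.encode())

    def quarantined(tag, payload):
        p = os.path.join(quarantine, tag)
        with open(p, "wb") as f:
            f.write(payload)
        return p

    temp_dir = os.path.join(base, "Documents and Settings", "user",
                            "Local Settings", "Temp")
    manifest = [
        (quarantined("q1", b"MZ reference copy of kernel32.dll"),
         os.path.join(system32, "kernel32.dll")),            # genuine
        (quarantined("q2", b"MZ packed dropper posing as wsock32.dll"),
         os.path.join(system32, "wsock32.dll")),             # replaced
        (quarantined("q3", b"MZ reference copy of kernel32.dll"),
         os.path.join(temp_dir, "kernel32.dll")),            # planted copy
        (quarantined("q4", b"MZ 16-bit stub"),
         os.path.join(root, "system", "winsock.dll")),       # not in dllcache
    ]
    return manifest, root


def run_demo():
    """Build the constructed tree in a temp dir and triage its manifest."""
    with tempfile.TemporaryDirectory() as base:
        manifest, root = build_demo_tree(base)
        return triage(manifest, root)


if __name__ == "__main__":
    for original, verdict in run_demo().items():
        print(f"{verdict:20s} {original}")
```

Two caveats for real use: the dllcache copy is itself a file on the infected disk, so a rootkit can replace both, and the stronger check is against a known-clean hash or `sfc /scannow`; and a quarantine chest is reversible while deletion is not, so a `match-system-copy` verdict argues for restoring the file, not removing it.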
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  7. TheVicChick

    TheVicChick Private E-2

    Right... gotcha... but this is what I have been doing... I deleted them anyway... I am in a bad state right now and I guess I will have to do this blindfolded... thanks anyway
     
  8. TheVicChick

    TheVicChick Private E-2

    OK, so I think this is what I need to upload... I don't have a clue how to tell if the bad files are gone, but I guess I will do another Trend Micro scan and see what they tell me...

    There is a SuperAntiSpyware log, ComboFix log and MGlogs.zip. I hope I have done this right...

    thanks again
     

    Attached Files:

  9. TheVicChick

    TheVicChick Private E-2

    OK, now just one more question... that program was supposed to change my clock back to normal... and it hasn't... does anyone know how to do this?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can fix your clock from Control Panel -> Regional and Language Options, then on the Regional Options tab click the Customize button, then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24-hour clock settings.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  11. TheVicChick

    TheVicChick Private E-2

    Thanks so much for the help... I hope this works... I did another scan on Trend Micro last night and there was still 1 trojan that it found... I hope this will help to fix it...

    I will post the other logs when I am finished! :)
     
  12. TheVicChick

    TheVicChick Private E-2

    OK... so I haven't done another Trend Micro scan, but here are the logs I got tonight after doing everything in TimW's post. THANK YOU SO MUCH! Even if it isn't working, I thank you for taking the time... :)
     

    Attached Files:

  13. TheVicChick

    TheVicChick Private E-2

    OK, well, I just did another Trend Micro scan and got this...

    TROJ_SRIZBI.E

    So I did a search in MetaCrawler for this and this is the only thing that came up and of course, I don't understand... *sigh* help?? again??

    http://doctus.org/trend-19-2-2008-imza-t25701.html?

    Hopefully someone can help?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok..let's try this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now run the C:\MGtools\GetLogs.bat file by double-clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  15. TheVicChick

    TheVicChick Private E-2

    OK, well, I took a day off from this yesterday... it is all starting to get overwhelming, but I did check with my ISP and they said they haven't gotten any mass emailings from me lately, so hopefully that is remedied. However, let's see if this is done? THANK YOU again for all your help! :)

    Vic
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet... the only thing you need to do is to clean out these two folders:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Vicky Nash\Local Settings\temp\

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, the C:\ComboFix folder, the C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now, including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and the C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip.
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
     
