Yes, I got Dropper.Generic_c.MMI too...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MightyMidgit, Jul 24, 2012.

  1. MightyMidgit

    MightyMidgit Private E-2

Ok, I received this trojan from who knows where and am looking for an angel to help me out of this hole. I've done a little research to remove it and learned that each computer has a unique repair, but the beginning is the same. I'm using Windows 7 x64. This is what I've found so far.

    download Farbar Recovery Scan Tool x64 and save it to a flash drive. (DONE)

    Plug the flash-drive into the infected PC. (DONE)

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    •Restart the computer. (DONE)

    •As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears. (DONE)

    This is where I hit the wall.
    •Use the arrow keys to select the Repair your computer menu item. (Repair Your Computer does not show!)

    This is what my Boot options look like:
    Please select boot device
    -P6: DWC WD101FALS-0045A0
    -SanDisk U3 Crizer Micro 4.05
    -P4: Optiarc DVD RW AD-72605
    -SanDisk U3 Crizer Micro 4.05
    -UEFI: SanDisk U3 Crizer Micro 4.05
    -Enter Setup (Searched in here but found no Repair option, though I might be looking in the wrong place...)

    •Select US as the keyboard language settings, and then click Next.

    •Select the operating system you want to repair, and then click Next.

    •Select your user account and click Next.


    To enter System Recovery Options by using Windows installation disc: (Not in possession of the disk so I'll skip this.)

    On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    •Select Command Prompt

    •In the command window type in notepad and press Enter.

    •The notepad opens. Under File menu select Open.

    •Select "Computer" and find your flash drive letter and close the notepad.

    •In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.

    •The tool will start to run.

    •When the tool opens click Yes to disclaimer.


    •First, press the Scan button.

    •It will make a log (FRST.txt)


    •Second, type the following in the edit box after "Search:": services.exe

    •Click the Search button

    •It will make a log (Search.txt)


    I then post Both the FRST.txt report and the Search.txt into my reply for someone to help.

    --------

    So, basically, I can't access the computer recovery option and I don't have the Windows startup disk... I would appreciate any help with this problem. Thanks in advance!
     
    Last edited: Jul 24, 2012
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. MightyMidgit

    MightyMidgit Private E-2

    Sorry, can't believe I missed that.

    I ran the programs in the Read & Run Me First post. Problem is that I am still having problems. The same Dropper.Generic_c.MMI is on my computer. AVG is finding it but none of the programs could do anything about it.

    As for what I was doing when I got it, I think it might have come from a Skyrim Mod that I downloaded from SkyrimNexus. (and they say they check for security...) Anyway, I have the 4 requested logs as well as a few notes from when I was running the programs.

    1. When trying to change my UAC settings, I set it to never and restarted my computer. When I checked again, it was at always (2 levels higher than I had it before). I had to set it again a second time and restart again in order for it to stay.

    2. I deactivated my AVG in case there would be any problems with it blocking the programs. Thinking back on it, knowing if it would have or not, then deactivating it, might have been helpful in knowing what this Trojan does.

    3. I ran into a few things with MG tools that came up. Don't know if they are normal or not.
    -Error message SteelWerX WhoAmI application has stopped responding. I closed out of that and the program continued.
    -Error message nslookup.exe The ordinal 1108 could not be located in the dynamic link library WSOCK32.dll. Closed the message and program continued.
    -Trend Micro HijackThis End User License Agreement prompted me to accept their user licence agreement. I have no idea what this program is. I accepted and MG Tools continued.

    4. In the end, the main problem that led me to getting help, the Dropper.Generic Trojan, remained.

    Here are my logs. Thanks again for any and all help!
     

    Attached Files:

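Added example for this thread (not part of the MajorGeeks procedure, and not code from FRST, ComboFix or MGtools): two defender-side checks that mirror what the thread does by hand. The first inspects the live services.exe, the file the FRST "Search:" step in the first post looks for, and compares it with the copies Windows keeps in its component store; the second reads back the UAC registry values behind the slider that the third post describes reverting. It assumes Windows 7 or later with PowerShell 4.0 or newer (for Get-FileHash), run from an elevated 64-bit PowerShell. The paths and registry value names are the standard Windows locations, not values taken from the thread.

```powershell
# Added example for this thread; not code from FRST, ComboFix, MGtools or the
# MajorGeeks procedure. Assumptions: Windows 7+, PowerShell 4.0+, elevated,
# 64-bit PowerShell on x64 Windows (so System32 is not redirected to SysWOW64).

function Get-ServicesExeReport {
    $live = Join-Path $env:SystemRoot 'System32\services.exe'
    if (-not (Test-Path -LiteralPath $live)) { throw "services.exe not found at $live" }

    $item     = Get-Item -LiteralPath $live
    $liveHash = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
    $sig      = Get-AuthenticodeSignature -FilePath $live

    # Hash every services.exe kept in the component store (WinSxS). On a healthy
    # system the live file is normally a hard link to one of these, so the live
    # hash should match at least one store copy.
    $storeHashes = @(Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') `
                         -Filter 'services.exe' -Recurse -File -ErrorAction SilentlyContinue |
                     ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } |
                     Sort-Object -Unique)

    [pscustomobject]@{
        Path             = $live
        SizeBytes        = $item.Length
        LastWriteUtc     = $item.LastWriteTimeUtc
        SHA256           = $liveHash
        # Caveat: Windows 7 system binaries are catalog-signed, and older
        # PowerShell builds report 'NotSigned' for catalog-signed files. Treat
        # 'Valid' as good; treat anything else as "verify with sfc", not as
        # proof of tampering.
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        MatchesStoreCopy = ($storeHashes -contains $liveHash)
        StoreCopies      = $storeHashes.Count
    }
}

# sfc can verify one file against the component store and understands catalog
# signatures, which makes it the more reliable check on Windows 7. Its verdict
# is printed text; the exit code only tells you the tool ran.
function Test-ServicesExeWithSfc {
    $live = Join-Path $env:SystemRoot 'System32\services.exe'
    & (Join-Path $env:SystemRoot 'System32\sfc.exe') /VERIFYFILE=$live
    return $LASTEXITCODE
}

# The UAC slider writes these values; reading them back shows what actually
# took effect after a reboot, which is what the third post was unsure about.
function Get-UacSettings {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                    # 1 = UAC enabled, 0 = disabled
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin   # 0 = elevate without prompting
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop        # 1 = prompt on the secure desktop
    }
}

Get-ServicesExeReport | Format-List
Test-ServicesExeWithSfc | Out-Null
Get-UacSettings | Format-List
```

A live services.exe whose hash matches none of the component-store copies, or a UAC value that does not match what the slider was set to, is a reason to collect the logs the thread asks for rather than to start deleting anything; the FRST and MGtools logs are what let the helper tell a modified file from a legitimately updated one.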
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have a Zero Access infection. Please download ComboFix to your desktop and run it. Do not do anything while it runs. Attach the log when it is finished.
     
  5. MightyMidgit

    MightyMidgit Private E-2

    Thanks. Here's the log for ComboFix.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. MightyMidgit

    MightyMidgit Private E-2

    Thanks for all the help so far. AVG is no longer giving the warning for the trojan I had, and things seem to be running smoothly now as far as I can tell.

    I ran the GetLogs.bat file and it said SteelWerX WhoAmI application has stopped running. I have no idea what that was. I closed out of it and the program continued. I never got prompted to accept the terms and conditions for HijackThis, probably because when I ran MGTools following the Read & Run Me First steps I was prompted to accept it and did.

    You asked me to post MGlogs.zip, but I don't know where it created the folder. I still have the MGlogs.zip that I attached in my second post on my desktop. The forum will not let me attach it again. If GetLogs.bat overrode it and that is a new folder, how can I post it for you? If it's not the right one, where can I find it?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It should be right where I told you it is. ;)
     
  9. MightyMidgit

    MightyMidgit Private E-2

    Oh, lol. Here it is.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. :)

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  11. MightyMidgit

    MightyMidgit Private E-2

    Hey, thanks for everything! I'll keep an eye out to make sure there are no problems but my computer runs great. You guys are more professional than people I've paid for in the past!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. And you are most welcome. Safe surfing. :)
     
