Backdoor Trojans, browser redirects, advertisement popups, etc :(

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jthm, Jul 19, 2009.

  1. jthm

    jthm Private E-2

    It first started with backdoor Trojans and advertisement popups. Now my browser redirects. I use AVG and it periodically finds and removes Trojans, but they reappear every couple of hours. The only program I could get to work is MGTools; all the others are being blocked by the Trojans and I can't get them to run, and RootRepeal has reached max bandwidth. PLEASE HELP!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {3BB81EB7-CF3F-4EAB-9EB1-E0BD1968713F} - (no file)
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\cbf\LOCALS~1\Temp\CF.tmp.exe
    O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
    O20 - Winlogon Notify: efcAqoNd - efcAqoNd.dll (file missing)

    After clicking Fix, exit HJT.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now see if you can run Malwarebytes, SUPERAntiSpyware and ComboFix as requested in the READ & RUN ME.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • C:\avenger.txt
    • the Malwarebytes, SUPERAntiSpyware and ComboFix logs if they ran.
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
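    The HijackThis lines above are selected by two mechanical signals plus analyst judgment: entries ending in "(no file)" or "(file missing)" are registry references to components that no longer exist, and an autorun launched from a Temp folder is a classic persistence location for malware. The following Python script is an added example by the editor, not part of the thread or of HijackThis; it parses O2/O3/O4/O20 lines into a structure and flags those two indicators. The sample input is constructed from the seven lines in the post plus one made-up benign BHO (placeholder CLSID and path) for contrast. Note that the UpdReg entry is flagged by neither rule: the final "fix" list still reflects the helper's judgment, not just pattern matching.

```python
"""Triage HijackThis-style scan lines (O2/O3/O4/O20) for entries that
merit review: orphaned registry entries and autoruns from temp folders."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the seven lines from the post above, plus one
# constructed benign BHO (placeholder CLSID and path) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3BB81EB7-CF3F-4EAB-9EB1-E0BD1968713F} - (no file)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\cbf\LOCALS~1\Temp\CF.tmp.exe
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O20 - Winlogon Notify: efcAqoNd - efcAqoNd.dll (file missing)
"""


@dataclass
class Entry:
    section: str            # O2, O3, O4 or O20
    key: str                # CLSID, Run key, or Winlogon Notify subkey
    name: str               # display name, Run value name, or Notify subkey
    target: str             # file/command exactly as HijackThis reported it
    flags: List[str] = field(default_factory=list)


ORPHAN_MARKERS = ("(no file)", "(file missing)")
TEMP_PATH = re.compile(r"\\Temp\\|%TEMP%", re.IGNORECASE)
CLSID = r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"

PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (.*?) - " + CLSID + r" - (.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (.*?) - " + CLSID + r" - (.*)$"),
    "O4": re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$"),
}


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O2/O3/O4/O20 line, else None."""
    line = line.strip()
    section = line.split(" ", 1)[0]
    pat = PATTERNS.get(section)
    if pat is None:
        return None
    m = pat.match(line)
    if m is None:
        return None
    if section in ("O2", "O3"):
        name, clsid, target = m.groups()
        return Entry(section, clsid, name, target)
    if section == "O4":
        key, name, target = m.groups()
        return Entry(section, key, name, target)
    subkey, target = m.groups()          # O20: subkey doubles as the name
    return Entry(section, subkey, subkey, target)


def classify(entry: Entry) -> Entry:
    """Attach flags; each flag is a reason an analyst should look closer."""
    if any(marker in entry.target for marker in ORPHAN_MARKERS):
        # The registry still references a component whose file is gone;
        # fixing the line only removes the dangling reference.
        entry.flags.append("orphaned")
    if entry.section == "O4" and TEMP_PATH.search(entry.target):
        # Legitimate software does not persist by launching from a Temp folder.
        entry.flags.append("temp-exec")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line and classify it."""
    return [classify(e) for e in map(parse_line, log_text.splitlines()) if e]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries carrying at least one flag."""
    return [e for e in triage(log_text) if e.flags]


def summary(log_text: str) -> Dict[str, int]:
    """Count of each flag across the whole listing."""
    return dict(Counter(f for e in triage(log_text) for f in e.flags))


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<4} {','.join(e.flags):<10} {e.name:<12} {e.target}")
```

    Run it as-is to see the six entries the two rules catch; feed it a real HijackThis listing (the analyse.exe output above) to get a first-pass review list before deciding what to fix.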
     
  3. jthm

    jthm Private E-2

    Thank you for your response. I am still having problems. I get no response from ComboFix or Malwarebytes, and SUPERAntiSpyware crashes with the error "SUPERAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience."

    I have attached the avenger and mglogs.
     

    Attached Files:

  4. jthm

    jthm Private E-2

    Thank you.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    RootRepeal has not reached max bandwidth. The site you are trying to download from has. Just use one of the alternate links given further down on the website. See the below instructions:

    Running RootRepeal


    Please run it and attach the requested log.
     
  6. jthm

    jthm Private E-2

    Here is the rootrepeal log, thanks again!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please delete the below two files if they still exist:
    C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
    C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job


    Please try rebooting into safe boot mode and shutdown AVG8 and then try running MBAM and ComboFix. Tell me exactly what happens.

    SUPERAntiSpyware does not appear to even be installed according to your last logs. Are you saying this error occurs when you try to install it? Did you download the installation program directly to your PC as instructed, or are you trying to run it from the download link?

    What malware problems are you still having?
     
  8. jthm

    jthm Private E-2

    It was a long week, but I got around to it. All antimalware programs are currently running and scanning. I have attached my logs for combofix, superantispyware and malwarebytes. I have not had any symptoms since my last post until recently when windows started detecting trojans. My browser is no longer redirecting and my internet connection no longer seems to be hijacked. Thank you.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You attached the log from Malwarebytes twice just with different names. You need to attach the log from SUPERAntiSpyware just to be safe; however, you appear to be in good shape now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
