Virus?

[Argan]

Hello,

I went to a tumblr site to look at a picture and then Commodo alerted me about a threat. Commodo tried to remove it but then said it could not remove all of it. Commodo asked if I needed help, I selected no That was at 10:00PM last night.. Anyway, I ran Super Anti Spyware and Malwarebytes--both found nothing. But I kept getting alerts from Commodo. Then later AvG had an alert of infection as a Trojan horse BackDoor.Hupigon5.CJWJ in a Wild Tangent games folder at around 12 a.m. this morning. When I investigated into what alerted Commodo I found 2 specific iles that I could not delete in username\appdata\local\temp\1ijfuweuf.exe--Commodo found this suspicicious and a similar file in the same directory - 2jfuweif.exe. I cannot delete both. Commodo also found rugu.exe in appdata\roaming\fuupu\rugu.exe. suspicious and I cannot delete that either. I think all these files were accidentally downloaded when I clicked the site. I have done the scans--MB found nothing. But Rogue Killer found some keys---I did not delete anything from them. I have attached my scans.

[TimW]

Download OTL to your desktop.

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:

:processes
:killallprocesses
:files
C:\Users\Priscilla\AppData\Local\Temp\1jfuweif.exe
C:\Users\Priscilla\AppData\Local\Temp\2jfuweif.exe
C:\Users\Priscilla\AppData\Local\Temp\78E.tmp
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click the OK button.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. Just close notepad and attach this log form OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

[Argan]

Thank you for your quick reply!! Upon reboot, I stilll see the file 1jfuweif.exe in the same spot. Also the folder Fuupu which is under C:\Users\Username\AppData\Roaming\ containing the suspicious file rugu.exe is still there. Other than that, I have not got any Commodo alerts thus far. I have attached both logs.

EDITED TO ADD: I just realised I ran OTL as well as MG Logs with Commodo on. Should I re-do both and disable Commodo?

[Argan]

Quote:

Originally Posted by Argan

Thank you for your quick reply!! Upon reboot, I stilll see the file 1jfuweif.exe in the same spot. Also the folder Fuupu which is under C:\Users\Username\AppData\Roaming\ containing the suspicious file rugu.exe is still there. Other than that, I have not got any Commodo alerts thus far. I have attached both logs.

EDITED TO ADD: I just realised I ran OTL as well as MG Logs with Commodo on. Should I re-do both and disable Commodo?

EDITED AGAIN TO ADD: When I go into the view defense events in Commodo it blocks MG Tools as well as OTL when they target 1jfuweif.exe.

[TimW]

Please download ComboFix to your desktop. Disable your AV software before we run it.

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

ClearJavaCache::
KILLALL::
File::
C:\Users\Priscilla\AppData\Local\Temp\1jfuweif.exe
C:\Users\Username\AppData\Roaming\rugu.exe
Folder::
C:\Users\Priscilla\AppData\Local\Temp\ichcop

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Note: If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below log:

• C:\MGlogs.zip
• C:\ComboFix.txt

Make sure you tell me how things are working now!

[Argan]

Hi there,

I have run ComboFix as instructed and turned off all protection software. It attempted to place a system restore point and started scanning. It has only completed stage 4 and it seems to have frozen. Do I close the window and re-do the entire process?

[Argan]

Hi there,

I have run ComboFix as instructed and turned off all protection software. It attempted to place a system restore point and started scanning. It has only completed stage 6 but it's been a hour. How long does it take to finish?

[Argan]

Ok, the Combo Fix scan was completed. It rebooted my pc and began preparing the log report. I tried to close down Commodo as well as AVG for it to create the log but my pc froze. I waited for an hour before forcing it to restart. I found the combo fix report in C:ComboFix, I dont know if it is complete. I looked to see if the two files- rugu.exe and 1jfuweif.exe were still there and AVG alerted me thus when I clicked the folder of the latter. It also tried to remove it but could not do so. This is the alert:-

Trojan horse PSW.Generic10.IIU

OBJECT OF THREAT IS MISSING. OBJECT DOES NOT EXIST OR IS INACCESIBLE


So, I guess I have a trojan? I ran the GetBat file. I have attached both to this post. What do I do next? I am now anxious to get this file off my pc!

[TimW]

Are you using Comodo with AV protection? If so, you need to uninstall AVG. Let's try OTL again.

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:

:processes
:killallprocesses
:files
C:\Users\Priscilla\AppData\Roaming\Fuupu 
C:\Users\Priscilla\AppData\Roaming\Fuupu\rugu.exe 
C:\Users\Priscilla\AppData\Local\Temp\1jfuweif.exe
C:\Users\Priscilla\AppData\Local\Temp\253096.od
C:\Users\Priscilla\AppData\Local\Temp\ichcop
:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click the OK button.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. Just close notepad and attach this log form OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

[Argan]

It seemed OTL did more as I turned off all protection software. By the way, I have Commodo Firewall. I'm not sure if it is also AV. Anyway, when my pc rebooted the 1jfuweif.exe is still there. I went and checked Commodo and in the Defense events , it looked like it blocked OTL from targetting that file. The thing is it was disabled and exited out of berfore OTL. Upon reboot though, it launched but was still disabled. I am confused about this, how could it block OTL if it was disabled? Do I have to do something so that it doesn't automatically launch upon the pc restarting? Anyway, I have attached the required logs.

ETA: I also noticed that when I check Commodo Defense events, AVG will automatically detect the Trojan. Something that also puzzles me.

[TimW]

Since Comodo is blocking our work, please uninstall it. Then run CCleaner to make sure all traces are gone. Then re-run my last fix.

[Argan]

Hello,

I checked and it looks like the malignant files are gone!!! I can't believe Commodo was preventing a complete fix! I have attached the logs, thanks!!!

[TimW]

Tell me what malware issues you are still having, if any.

[Argan]

At the present time, I don't seem to be having any malware issues.

[TimW]

Good to know.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
2. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
7. After doing the above, you should work thru the below link:
   
   • How to Protect yourself from malware!
   
   

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

[Argan]

Thanks so much!!!!! Can I re-install Commodo Firewall?

[TimW]

Yes, you can. Safe surfing and you are most welcome.