DHL Label Virus/Zip File

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by scottmd1, Oct 24, 2009.

  1. scottmd1

    scottmd1 Private E-2

    Hey -

    My wife opened up a zip file today containing what appeared to be an XLS sheet; it was actually an application and it "did something" to the computer. This file came through an email saying it contained a DHL shipping label.

    What did it do to the computer? I do not know. I searched the net from another computer on our home network and saw that it was a "scam" email and that a virus or spyware had been loaded.

    I had her unplug it from the net within 5 min., and it has been turned off except to run the removal programs.

    All the programs have been run - all logs are attached - all steps have been followed.

    I await my next marching orders - sir :)
     

    Attached Files:
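The attachment described above looked like a spreadsheet but was a program. Windows Explorer hides known extensions by default, so a file named label.xls.exe is shown as label.xls, and an executable can also carry a spreadsheet icon under a plain .xls name. The following is an added example (not from the original thread) of checking a zip's members by content rather than by displayed name: every Windows PE executable starts with the bytes "MZ" whatever it is called. The archive and the member names are constructed for the example and are not the attachment from the post.

```python
import io
import os
import zipfile

# Extensions a user expects to open in a viewer, and extensions Windows will
# run as a program when double-clicked.
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".csv", ".jpg"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def classify_member(name, head, encrypted=False):
    """Return the reasons a zip member looks like a disguised executable.

    name  - member filename as stored in the archive
    head  - first few bytes of the member's contents
    An empty list means nothing suspicious was found.
    """
    reasons = []
    if encrypted:
        # Contents cannot be read without the password, so only the name can
        # be judged; flag it rather than silently passing it as clean.
        reasons.append("encrypted member, contents not inspectable")
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        # PE/DOS executables begin with "MZ" regardless of the file name.
        reasons.append("PE executable (MZ header) under a non-executable name")
    parts = lower.rsplit(".", 2)
    if (len(parts) == 3 and "." + parts[1] in DOCUMENT_EXTS
            and "." + parts[2] in EXECUTABLE_EXTS):
        # e.g. label.xls.exe, which Explorer shows as label.xls by default
        reasons.append("double extension hides an executable type")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    return reasons


def scan_zip_bytes(data, head_len=4):
    """Scan an in-memory zip archive and return {member name: [reasons]}
    for every member that triggered at least one check."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
            head = b""
            if not encrypted:
                with zf.open(info) as fh:
                    head = fh.read(head_len)       # only the magic bytes
            reasons = classify_member(info.filename, head, encrypted)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed test archive for this example, not the post's attachment."""
    # Fake PE stub: just the "MZ" signature plus padding, not a runnable program.
    fake_pe = b"MZ" + b"\x00" * 62
    # OLE2 compound-file signature, the genuine header of a legacy .xls file.
    real_xls = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL_shipping_label.xls", fake_pe)   # name/icon spoof
        zf.writestr("DHL_Label.xls.exe", fake_pe)        # double extension
        zf.writestr("invoice.xls", real_xls)             # genuine spreadsheet
        zf.writestr("notes.txt", b"tracking number inside")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(member)
        for r in reasons:
            print("   -", r)
```

Running the block prints the two disguised members with their reasons and stays silent on the genuine spreadsheet and the text file. The same scan can be run on a real attachment by passing the bytes of the downloaded zip to scan_zip_bytes; it reads only the first few bytes of each member and never executes anything.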

  2. scottmd1

    scottmd1 Private E-2

    The remaining attachment is attached here.

    Thank you.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Other than what has already been removed, your logs are clean. You just have a few minor things to do.

    First please delete the below copy of MGtools as it does not belong here.
    C:\Documents and Settings\Theresa Laehn Inc\Desktop\MGtools.exe

    Now uninstall: My Way Search Assistant

    Now delete the below files:
    Code:
    "C:\WINDOWS\Temp\"
    gnserv.dat    Oct 23 2009        1024  "gnserv.dat"
    spnserv.dat   Oct 23 2009        1024  "spnserv.dat"
    spserv.dat    Oct 23 2009        1024  "spserv.dat"


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
    Last edited: Oct 25, 2009
  4. scottmd1

    scottmd1 Private E-2

    Thank you very much for the help - some feedback:

    1. Delete MGtools on desktop - done

    2. Remove My Way Search Assistant: I did try to do this during the first step. I get the following error when I do this through Add/Remove: "error loading c:/program files / mywaysa/srchasde/1.bin/desrcas.dll". Also, there is no folder in Program Files called myway "anything".

    3. The three files have been deleted.

    Before moving on I do have a question. I have an external drive that is "normally" connected to the computer and was connected at the time the zip file was opened and the setup program (with the virus) initiated. It was connected to the computer for the day until I disconnected everything, brought it to my office and ran all the tests requested here. I totally forgot about that drive as it is not my computer.

    Should I reconnect that drive to the computer and re-run all the programs? If so, do I post the results here or in a new thread?

    Also, the only thing I notice about the computer at the moment is that all the icons in the toolbar are wrong. The "show desktop" is a heart, Outlook is the IE icon, etc. Some of them are other program icons I recognize; some are icons I have never seen before.

    Thank you very much.
     
    Last edited: Oct 25, 2009
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you have not already finished my final instructions, which would have removed all of the MGtools files, you could try double clicking on C:\MGtools\RemMWS.bat, which may or may not finish removing it.

    You should just scan that drive with your antivirus, and with SUPERAntiSpyware and Malwarebytes to see if any of them find anything.

    You should post about this in the Software Forum. You may want to just try disabling the Quick Launch bar and then re-enabling it to see what happens; also make sure the Taskbar is not locked. Also try changing from Small Icons to Large Icons and then back to small.

    Also see this: http://support.microsoft.com/default.aspx?scid=kb;en-us;132668&FR=1&PA=1&SD=HSCH
     
