Possible Infection.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Vedren, Aug 16, 2008.

  1. Vedren

    Vedren Private E-2

    Symptoms: floating pop-up ads in the center of the Explorer screen (usually Circuit City). A small IE window can be seen opening in the bottom right of the screen for a moment before the ads appear. Downloaded and installed Norton 360 after the ads began minimising online game applications (nothing like playing Counter-Strike and having it minimise to show a Circuit City ad on your desktop). 360 found "trojan.adclicker", which it said it fixed.

    It did disable the ads, but IE windows kept going inactive (the blue bar at the top goes dim), and on one occasion my IE window closed and left the small IE window in the bottom right of the screen, which was blank. After this happened I reopened IE to find the 360 security bar (just below the IE tabs) had disappeared.

    So I ran through your cleaning steps, and I believe I got it fixed up. Logs are attached so you can check over my work and see if I missed anything.

    EDIT: It seems my IE windows are still going inactive after this.
     

  2. Vedren

    Vedren Private E-2

    It appears that a task that was removed in these scans keeps coming back: I3k1tvHs.exe
     
  3. Vedren

    Vedren Private E-2

    Combofix log...
     


  4. Vedren

    Vedren Private E-2

    This is getting very annoying. I scanned again and Malwarebytes found Trojan.Agent now; I haven't been surfing all day except here and playing a game. So I let Malwarebytes fix the problem, but I'm still getting these processes in Task Manager made up of jumbled letters and numbers, and when they are present, about once every 3 minutes (sometimes less), a fullscreen application such as a game will minimise. If I kill the process tree everything runs fine for 5-10 minutes, then whatever I was doing minimises, and if I look another nonsense entry has appeared in Task Manager. It seems this entry always has the same name, I3k1tvHs.exe, but if I do a search for it nothing is found.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read this: Don't Bump! It Only Hurts You!!!

    The more you make unnecessary posts, the longer it takes for us to give you an answer for the reasons stated.


    Now we need to use ComboFix to remove some malware.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. Vedren

    Vedren Private E-2

    OK, followed your instructions and everything seemed to work; got the confirmation/success message when adding fixme.reg to the registry. Logs are attached.

    On a separate note, I think I effectively disabled the part of the virus that was causing the minimization/deactivation of windows beforehand by finding and deleting l3k1tvHs.exe.a_a and l3k1tvHs.exe(longnumber).pf. I also noticed a second weird task that would show up for only a few seconds when the windows would minimize, QVuLwk0e.exe, so I deleted it and QVULWK0E.EXE-10110FA4.pf (all after turning off System Restore), then ran all the AVs from your cleaning section again and rebooted and repeated until they all came up not detecting anything. I then went out and bought System Mechanic, which came with Iolo's Anti Virus, which found 3 entries the others didn't (how do you rate this AV against others?). I then went on about my business with no more problems.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not get all of Symantec uninstalled before installing this. You need to run the below, reboot, and then run it one more time:

    Norton Removal Tool (SymNRT)

    Below average.

    You should have followed my instructions and nothing else. You have additional Task files that need to be deleted now since you did not run my steps first. You need to delete the below files:
    Code:
    "C:\WINDOWS\Tasks\"
    at49.job      Aug 17 2008         350  "At49.job"
    at50.job      Aug 17 2008         350  "At50.job"
    at51.job      Aug 17 2008         350  "At51.job"
    at52.job      Aug 17 2008         350  "At52.job"
    at53.job      Aug 17 2008         350  "At53.job"
    at54.job      Aug 17 2008         350  "At54.job"
    at55.job      Aug 17 2008         350  "At55.job"
    at56.job      Aug 17 2008         350  "At56.job"
    at57.job      Aug 17 2008         350  "At57.job"
    at58.job      Aug 17 2008         350  "At58.job"
    at59.job      Aug 17 2008         350  "At59.job"
    at60.job      Aug 17 2008         350  "At60.job"
    at61.job      Aug 17 2008         350  "At61.job"
    at62.job      Aug 17 2008         350  "At62.job"
    at63.job      Aug 17 2008         350  "At63.job"
    at64.job      Aug 17 2008         350  "At64.job"
    at65.job      Aug 17 2008         350  "At65.job"
    at66.job      Aug 17 2008         350  "At66.job"
    at67.job      Aug 17 2008         350  "At67.job"
    at68.job      Aug 17 2008         350  "At68.job"
    at69.job      Aug 17 2008         350  "At69.job"
    at70.job      Aug 17 2008         350  "At70.job"
    at71.job      Aug 17 2008         350  "At71.job"
    at72.job      Aug 17 2008         350  "At72.job"
    Other than the above, your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
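The two persistence footprints this thread turns on are a run of identically sized `AtNN.job` files in `C:\WINDOWS\Tasks` that reappear after deletion, and processes with jumbled names such as I3k1tvHs.exe and QVuLwk0e.exe that are not findable on disk. The script below is an added triage example, not part of the thread or of any MajorGeeks tool: it parses a listing in the layout chaslang quoted, reports runs of consecutively numbered At jobs that share a date and size, and flags process names that look machine-generated against a small baseline. The listing, the baseline and every process name other than the two from the thread are constructed for the example.

```python
"""Triage helper for the two persistence patterns described in the thread.

Added example; not code from the thread or from MajorGeeks' tools.
All sample input below is constructed (the At49..At72 entries mirror the
listing quoted in the thread; the other names are made up for the example).
"""
import re
from collections import defaultdict

# One line of the listing as quoted in the thread:
#   at49.job      Aug 17 2008         350  "At49.job"
JOB_LINE = re.compile(
    r'^(?P<name>[^\s"]+\.job)\s+(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+'
    r'(?P<size>\d+)\s+"(?P<display>[^"]+)"\s*$'
)
AT_JOB = re.compile(r'^at(\d+)\.job$', re.IGNORECASE)

# Constructed baseline of processes expected on the box; extend it for real use.
KNOWN_PROCESSES = {
    'explorer.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
    'services.exe', 'spoolsv.exe', 'ctfmon.exe', 'hl2.exe', 'taskmgr.exe',
}


def parse_job_listing(text):
    """Parse .job entries from the listing; non-entry lines (the folder header) are skipped."""
    jobs = []
    for raw in text.splitlines():
        m = JOB_LINE.match(raw.strip())
        if m:
            jobs.append({'name': m['name'], 'date': m['date'],
                         'size': int(m['size']), 'display': m['display']})
    return jobs


def find_at_job_runs(jobs, min_run=3):
    """Return runs of consecutively numbered AtNN.job files sharing a date and size.

    One At job is normal (someone used at.exe); two dozen identical ones created
    on the same day are a payload re-scheduling itself every time it is killed.
    """
    numbers = defaultdict(set)
    for job in jobs:
        m = AT_JOB.match(job['name'])
        if m:
            numbers[(job['date'], job['size'])].add(int(m.group(1)))
    runs = []
    for (date, size), nums in numbers.items():
        ordered = sorted(nums)
        start = prev = ordered[0]
        for n in ordered[1:] + [None]:          # None flushes the final run
            if n is not None and n == prev + 1:
                prev = n
                continue
            if prev - start + 1 >= min_run:
                runs.append({'first': start, 'last': prev, 'count': prev - start + 1,
                             'date': date, 'size': size})
            if n is not None:
                start = prev = n
    return sorted(runs, key=lambda r: r['first'])


def looks_random(exe_name):
    """Heuristic for generated names like I3k1tvHs.exe or QVuLwk0e.exe: a short
    alphanumeric stem with digits mixed in and letter case flipping at least twice.
    Ordinary names (explorer.exe, ccSvcHst.exe, hl2.exe) fail at least one test."""
    stem = exe_name[:-4] if exe_name.lower().endswith('.exe') else exe_name
    if not (6 <= len(stem) <= 12) or not stem.isalnum():
        return False
    letters = [c for c in stem if c.isalpha()]
    has_digit = any(c.isdigit() for c in stem)
    has_upper = any(c.isupper() for c in letters)
    has_lower = any(c.islower() for c in letters)
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return has_digit and has_upper and has_lower and flips >= 2


def flag_processes(process_names, baseline=KNOWN_PROCESSES):
    """Names not in the baseline that look generated, in the order seen."""
    return [p for p in process_names if p.lower() not in baseline and looks_random(p)]


# Constructed sample: the At49..At72 run from the thread, a lone At job from another
# day, and one benign job (name made up) to show the filter ignores them.
SAMPLE_LISTING = '"C:\\WINDOWS\\Tasks\\"\n' + ''.join(
    f'at{n}.job      Aug 17 2008         350  "At{n}.job"\n' for n in range(49, 73)
) + 'at12.job      Jul 3 2008          350  "At12.job"\n' \
  + 'backup.job    Aug 10 2008        2948  "backup.job"\n'

# Constructed Task Manager snapshot; only the two jumbled names come from the thread.
SAMPLE_PROCESSES = ['explorer.exe', 'svchost.exe', 'hl2.exe', 'I3k1tvHs.exe',
                    'ctfmon.exe', 'QVuLwk0e.exe', 'ccSvcHst.exe']

if __name__ == '__main__':
    for r in find_at_job_runs(parse_job_listing(SAMPLE_LISTING)):
        print(f"At{r['first']}..At{r['last']}: {r['count']} identical jobs "
              f"({r['size']} bytes, {r['date']}); delete them and find what re-creates them")
    for p in flag_processes(SAMPLE_PROCESSES):
        print(f"suspicious process name: {p}")
```

The At-job check only reports a run of three or more consecutive numbers with the same date and size, so a single job left by a legitimate `at.exe` use is not reported. The name heuristic is deliberately narrow (digits plus at least two case flips), which is why a real Symantec name such as ccSvcHst.exe passes; treat a hit as something to look up, not as proof of infection.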
  8. Vedren

    Vedren Private E-2

    Done and Done Thanks for your help! Here's hoping I don't have to visit this section of the forums in the future. Just out of curiosity what was the "name" of the virus I had? I know it was first detected as Trojan.Adclicker then as Trojan.Agent. I'm just wondering what the "street" name for it is.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    The names you mentioned are the ones being used. You will often find that names are not always that useful, since each scanner may invent its own name. And sometimes (like with this one) they may lump it into a category that many different infections are lumped under.
     
