Trojan or Worm is Downloading stuff to my system

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ham-e, Nov 5, 2008.

  1. Ham-e

    Ham-e Private E-2

    Hi a few days ago AVG detected a Trojan horse downloader and healed it, a day passed and then it detected another. I noticed stuff is being downloaded to my computer. I ran the steps in the readme, but I also did a system restore to a time before the problem. I hope I didn't screw up by running the system restore. I noticed new downloads have been made to my desktop after doing the system restore. If anyone could give me some advice on what steps to take next, I would really like to kill this thing( I mean kill the trojan not the computer of course).
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. Ham-e

    Ham-e Private E-2

    Ok Thanks for the help and big welcome!

    I undid the system restore and retrieved all the logs, see attachments.

    Another symptom is now occurring; when I try to open Firefox, I get an empty window titled "Alert". Lucky for me Internet Explorer is working.
     


  4. Ham-e

    Ham-e Private E-2

    Attached is MGlogs.zip
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Next, please go to the website below and upload each of these two files and post the results if anything is detected.

    http://virusscan.jotti.org/
    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Step 5:
    Finally, I would recommend updating your antivirus to the most recent version. If you continue using AVG AntiVirus then I recommend your updating using the below link.

    AVG AntiVirus Free Edition 8.0 Build 175a1382

    If you choose to use another antivirus then I recommend Avast! AntiVirus or Avira AntiVir Personal.

    Once you complete the steps above, reboot and let me know how things are running and if any problems remain.
     
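The original poster's symptom is new files appearing on the Desktop, and Step 2 above asks for specific files to be uploaded to a multi-engine scanner. Before uploading, a practitioner usually wants to know which files are new, how big they are, and their hashes (a hash can be looked up without shipping the file anywhere). The script below is an added example, not part of the thread or of MGtools/HijackThis: it lists files created within a time window, hashes them, and flags extensions a dropper commonly writes (the `SUSPECT_EXTENSIONS` set is this example's own assumption). The sample directory it builds for demonstration is constructed, not taken from the poster's logs.

```python
"""Triage recently created files (e.g. on the Desktop) before uploading
them to a multi-engine scanner. Added example; not from the thread."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extensions a downloader/dropper typically writes. Assumption for this
# example; extend it for whatever your environment treats as executable.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif",
                      ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class FileRecord:
    path: str
    size: int
    created: float      # epoch seconds
    sha256: str
    md5: str
    suspect: bool       # True when the extension is in SUSPECT_EXTENSIONS


def hash_file(path: str) -> Tuple[str, str]:
    """Return (sha256, md5) hex digests, streaming so large files are fine."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def triage(directory: str, max_age_seconds: float,
           now: Optional[float] = None) -> List[FileRecord]:
    """List files in `directory` no older than max_age_seconds, newest first.

    Note: st_ctime is creation time on Windows but inode-change time on
    Unix, so on Unix a file touched by chmod/rename also shows up as "new".
    """
    now = time.time() if now is None else now
    records: List[FileRecord] = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        if now - st.st_ctime > max_age_seconds:
            continue
        sha256, md5 = hash_file(path)
        ext = os.path.splitext(name)[1].lower()
        records.append(FileRecord(path, st.st_size, st.st_ctime,
                                  sha256, md5, ext in SUSPECT_EXTENSIONS))
    records.sort(key=lambda r: r.created, reverse=True)
    return records


def make_sample_dir() -> str:
    """Build a constructed sample Desktop: one fake PE stub, one text file."""
    directory = tempfile.mkdtemp(prefix="desktop_sample_")
    with open(os.path.join(directory, "dropped.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)     # 102 bytes; not a real PE
    with open(os.path.join(directory, "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    return directory


if __name__ == "__main__":
    # Real use: triage(os.path.join(os.environ["USERPROFILE"], "Desktop"), 3 * 86400)
    for rec in triage(make_sample_dir(), 3600):
        flag = "SUSPECT" if rec.suspect else "       "
        print(f"{flag} {rec.size:>8} {rec.sha256[:16]}... {rec.path}")
```

Run it against the real Desktop with a window of a few days; the SHA-256 of each flagged file is what to search for or submit, and the file itself only needs uploading when the hash is unknown.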
  6. Ham-e

    Ham-e Private E-2

    Ok,

    I followed your instructions except for step 5 as I'm not sure what to do with the files in the virus vault.

    I still can't launch Firefox, I get an empty window titled "Alert" also I can't uninstall Firefox, I tried using add/remove programs and RegCleaner.
     
  7. Ham-e

    Ham-e Private E-2

    Sorry for the double post, but I just noticed the Java updates still show in the Add/Remove Programs list, and I can't remove them from the list.

    Thanks
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What were the results from Step 2?

    You can empty the vault or if you plan on switching to Avast! you can choose to delete all files during the uninstall.

    When you say "empty window" do you mean a Tab?

    Can you post a screenshot?
     
  9. Ham-e

    Ham-e Private E-2

    Hi Thanks for the help,

    step 2: found nothing

    I mean an empty Windows window. I'll post a screenshot when I get a chance.
     
  10. Ham-e

    Ham-e Private E-2

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's try to uninstall and reinstall, download Your Uninstaller! 2008 6.1, save to desktop and install. Run the program and uninstall Firefox.

    Once you complete the above, reboot and then download a fresh copy of the most recent version of Firefox.

    Mozilla Firefox 3.0.3

    Let me know how things are once you complete this.
     
  12. Ham-e

    Ham-e Private E-2

    Hi, I didn't download "Your Uninstaller!" as I don't plan to buy it.

    What I did was re-install Firefox, then I did a full uninstall with windows Add/Remove programs, reboot, then installed new Firefox. Seems to be working fine and launches way faster.

    Any tips on how to remove those Java updates from the Add/Remove programs list?

    Next I'm going to update my Anti Virus program do you think Avast is a better choice than AVG 8?

    So do you think my system is clean now?

    Thanks for your help, I really appreciate it.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You don't have to buy it to use it; you only have to buy it if you plan on keeping it. This is a 30-day fully functional trial version. BTW, Add/Remove doesn't do anywhere near the job Your Uninstaller! does in removing programs ;)

    I didn't see these in your log, which ones are you referring to?

    JMHO, I recommend Avast! over AVG8 because I believe it's better and less bloated.

    Yes, If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
