PC Infected by WIN:32 Light-D [cryp]

Good Evening,

I fear my pc is still infected with malware (trojans, worms etc..) and I am seeking YOUR HELP please! I have removed numerous trojans but I am still having issues. It happened a few days ago while I was playing on battle.net when out of the blue my avast went nuts. Trojans after trojan alert. And whenever I would move the infected file to my virus chect another file name would be presented by avast. After moving about 12 or so file to the chest avast alerted me that I needed to restart my system an run a boot scan. I have run numerous boot scans with avast and cleaned many infected files. My wallpaper was replaced with a black screen and my display properties were removed (logged in under admin) in control panel except for screensaver (resolution wallpaper etc were gone (no tabs)). My windows calculator has since been replaced by a "system info icon" that displays all of my system information. have also run spybot numerous times and it removed many many files (files stated as trojans and malware) and I thought I was safe. But I just ran another scan and more trojans were discovered in a temp folder. Those files appear to be gone now, but I am still worried about logging into my online banking sites and other information. I still haven't opened microsoft outlook for fear of e-mail being hijacked. The strange thing is when this happened ( and days before) I did not download any files--no torrents mp3's etc... nor have I opened any attachments--so I am puzzled as to how this happened in the first place. I am more than willing to make a contribution to your site via paypal if you are able to repair my system. I don't seem to have lost any data but I am worried about my security. I ahve un-installed IE&7 completely and am now using firefox which seems to be working fine (IE was not displaying pictures properly). I have attached my most current HijackThis log, and have two older logs I can send if it will help. I am sure I have left out needed/helpful info and I apologize for that in advance. Please let me know if there is any other info I may provide that will help in getting this resolved. Thank you so much for reading this---I know it's VERY long. Thank you, DR

 

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

• If something does not run, write down the info to explain to us later but keep on going.
  Do not assume that because one step does not work that they all will not.
  
  Notes:
• If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode. You can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
  Starting your computer in Safe mode
• If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

 

Hi Lev,

Thank you so much for providing me that link. I was actually working off it this weekend, but lost the link when I uninstalled IE. I have run programs in the guide (I installed teatimer before I was supposed to, but it didn't notice any issues). Each program detected spyware/trojans/malware that the others of it's kind did. I finally got the prun.exe and it's baddies off as well in one of the last scans. All programs are coming up clean except for spybot which sees two PUPS from wildtangent. I'm not too concerned with those as I vaguely remember it being some game installed years ago on my machine. I am worried though that something could have gotten overlooked. This virus was massive, I ended up removing over 30 trojans and hundreds of malware--crazy! Would you mind taking a look at my latest hijackthis log. It sure would make me feel safer---I am still wary of logging into my financial websites. Thank you!

 

Re: PC Infected by WIN:32 Lighty-D [cryp]

Thank you Kestrel13!!

Here (attached) are three of the four logs files are requested. The maximum limit was three files at once. I will upload the MGlogs.zip in a reply. Please let me know if I may provide any additional info. I so appreciate your time and guidance!

 

Here is the MGlogs.zip file. Thanks!

 

Will do, thank you.

 

"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <--- if you deliberately set this then do not include it into the lines to be fixed!"-----sorry about this. Does this means I had control panel open while the log was running?

"...also let me know how things are running now.."

I will complete your instructions this evening and let you know how things are going. My pc is already running much better than before. I haven't had any isssues with pop-ups or system crashes since I sent you the logs. I did run a superspyware scan last night which returned another 6 trojans and a rootkit. So it appears baddies are still lurking around. Thank you for taking the time to help me with this Kes, you rock!

 

Hi Kes,

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present ---One of the anti-spyware prgrams may have done this, I did not do intenionally>>>>I will "fix" this one.


"Do you mean SUPERantispyware?" Yes, that is the program I was referring to. I will run through the steps you have provided and post all logs this evening (about 3-4 hours) ---I'm still at work

I need to figure out the quote thing so I can be fancy too

Thank you!

 

Hi Kes,

I followed your instructions to the T sir. No problems were encountered on my end. The blasted TeaTimer came up after myreboot, but I selected the "allow" option as they were registry deletions of the files we "fixed" with combofix. Here are the files (attached). Hope you are enjoying your evening...I most def owe you a pint!
Thanks,
TX

 

Pre-Instructions:

1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
   
2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

Step 1:
Before you do anything, you must kill Spybot’s TeaTimer as it will block parts of the fix.

How to disable Spybot's TeaTimer

Step 2:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Again, make sure ALL browser windows are closed when you click FIX.

Step 3:
Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Step 4:
Now, we need to download and run FindAWF by noahdfear.

• Please download FindAWF by noahdfear.
  • FindAWF.exe
• Save to your desktop.
• Double-click the FindAWF icon.
  • If a Security Alert shows, allow the program to run.
• As instructed, press any key to continue.
• Use the following option: Press 2 then Enter to restore files from bak folders
  
• A text file opens called: files.txt
• Click below the line and paste the following list of files to be restored:

• Next, close and click Yes to save the changes.
  
• Once files.txt is saved, FindAWF does the following:
  • It attempts to terminate the process represented by each filename on the list, if running
  • Deletes the rogue file from the parent folder, if present
  • Copies the original file to the parent folder
• When done with the above, it automatically runs a new scan and opens a new log.
• Please provide the new FindAWF log in your reply.

Step 5:
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• FindAWF Log
• C:\ComboFix.txt
• C:\MGlogs.zip

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

Hi bjgarrick,

Thank you for the information here. I will follow your steps this evening when I get home from work.

Thanks,
TX

 

Hi bjgarrick,

I followed all steps and everything executed successfully. I have not noted any changes, but I did not reboot after I ran C:\MGtools\GetLogs.bat (you did not instructed me to do so). I did notice this line in particular: "c:\program files\Alwil Software\Avast4\bak\ashDisp.exe. That should now make my avast icon reappear in my system tray again I believe, no? Here are the logs as requested. Again, uber thank yous to you and your site for the assistance here. Please let me know what else I may do to help.

Just wondering--Is there anything I should not do between the posts here? Like is it ok to surf and/or play games on battle.net? I want to make sure i'm not undoing anything here.

Thanks,
TX

 

First, are you familiar with this folder below?

We need to run FindAWF once more.

• Double-click the FindAWF icon.
  • If you receive any security alerts and/or warnings please allow the utility to run.
• As instructed, press any key to continue.
  
• Use the following option: Press 3 then Enter to remove bak folders
  
• A text file opens called: folders.txt
• Click below the line and paste the following list of folders to be removed:

• Next, close and click Yes to save the changes.
  
• Once folders.txt is saved, FindAWF does the following:
  • It deletes the contents of the bak folders
  • Removes the bak folders
• When done with the above, it automatically runs a new scan and opens a new log.
• Please provide the new FindAWF log in your reply.

 

Hi bjgarrick,

Yes, I am familiar with the folder C:\lainnoc033. It's a hosting bot used to host public games on battle.net. Info can be found here: http://div-league.tk/. Do we think there is an issue with this? I no longer use that application, instead I use another. Should I delete the folder C:\lainnoc033 and its contents?

Here is the FindAWF Log as requested (attached).

Thank you,
TX

 

Hello,

I just ran a boot scan with my antivirus avast which discovered another 6 trojans. I have attached the boot log is in it's entirety, which includes all boot scan results. Please scroll to the bottom of the log which details the scan run on 11/15/08. It appears the infected files were all located on my restore partition D. I hope this helps.

Thanks,
tx

 

We will address those detections in my final instructions. Let's confirm your system is clean.

We need to run FindAWF by noahdfear once more.

• Double-click the FindAWF icon.
  • If a Security Alert shows, allow the program to run.
• As instructed, press any key to continue.
• Use the following option: Press 1 then Enter to scan for bak folders
• The scan may take a while, please be patient.
• When done, a text file, Find AWF report is produced.
• Please attach the Find AWF report in your next post.

 

Hi bjgarrick,

Here (attached) is the FindAWF log.

Thanks!
tx

 

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Once you have completed the instructions above, please run my previous post (#21) again and attach a fresh log along with the log from Avenger.

 

Hi bjgarrick,

Avenger log attached.

Thanks!
tx

 

Please attach a fresh log from Post #21.

 

So sorry, I didn't notice that last instruction until after I had posted.
Here is the missing FindAWF file. Looks like it worked!

Thanks,
tx

 

Looks good, to confirm everything else is clean, run the C:\MGtools\GetLogs.bat file by double clicking on it and attaching the new log.

 

Here are the logs..

Thanks!
tx

 

Finally, we need to run Avenger once more just like you did before.

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Once you complete the above, let me know how things are running.

 

Although not requested, here is the last avenger file.

Things seem to be running just fine.

Do we think my pc is infection free now?

The most irritating part of this is not knowing why this occurred in the first place!!! Arrg :mad, darn baddies out there.

Thanks so much
tx

 

Yes, your logs are clean, if you are not having any other malware problems, it is time to do our final steps:

1. We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix (if it exists)
4. If we had you run Avenger, you can delete all files related to Avenger now.
5. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
8. Go to add/remove programs and uninstall HijackThis.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

I would like to start by expressing my sincere gratitude to you, Kestrel13, Lev, and the which you represent. All instruction I received was of the utmost helpful nature, and totally exact.

A few quick parting questions however if you would be so kind :

I see avast is listed as a recommended anti-virus: would you suggest I continue to use this after the infection that has occurred? if so, is there a way to get my avast icon back in my system tray? If I double click the ashDisp icon located in C:\Program Files\Alwil Software\Avast4, it will reappear (does not appear as it used to upon system start).

I will purchase Superantispyware. Thank you.

What software firewall would you use? Is zonealarm pro the best choice?

Firefox will now replace my IE browser which seems to have done me so wrong. Should I uninstall IE?

Again my sincere appreciation to all of you for your professional assistance.

Best,
tx

 

I personally use Avast! AntiVirus, there are things about it I do not like but it is free and does a good job. I would try to uninstall, download a fresh copy and reinstall if you keep Avast!. The other recommendation would be AntiVir Personal Edition.

I personally use and recommend Comodo Firewall. It's easy to use and does a good job, and it's free.

I recommend Firefox over IE however my personal favorite is IE. I would leave IE as is but use Firefox. It's up to you though.

You're Welcome!:major

 

Hi bjgarrick,

Thanks for the application and program advice here. Comodo is working like a charm!!!

Take Care,
tx

 

You're Welcome!

Surf Safely!:major