Trojan Horse Downloader Generic9.CAXD infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by cactoctin, Jul 6, 2010.

  1. cactoctin

    cactoctin Private E-2

    Hi,

    I've a Sony VAIO laptop running Windows XP and AVG Free 9.0. I normally use Firefox as my browser. On June 13th, my computer started displaying ads periodically (around 30 minute period) using Internet Explorer. When I investigated, I found that my AVG had found "Trojan Horse Downloader Generic9.CAXD" in my SMSS.EXE and SERVICES.EXE. When I told AVG to nuke 'em, it replied "object inaccessible". The path name for the infected files pointed to the System Volume Information folder which is unavailable to the uninitiated. I'm an electrical engineer with a substantial software background but I don't count myself as knowledgeable about the innards of Windows and I'm a real newbie on viruses and malware.

    I talked with my company's IT people. The recommendation was to download Spybot, Malwarebytes, and other tools until I found one that would take care of it. The one that seemed to handle it was Trend Micro's Housecall. I thought I'd successfully nuked it several times but it always came back. Over the weekend, another behavior started - new IE windows popping up about once a second keeping me from doing anything on my computer. So I did some more research and found your forum.

    I have followed all of the instructions in your stickies. Everything went smoothly until I tried to run MGTools. It hung (and my computer with it) on the first DOS-like window. I still have the problem where periodically IE opens with an ad. The machine gun IE behavior has not occurred since completing your instructions an hour or so ago. Attached are the logs. I was unable to find a txt file log with the name SASlog.txt nor RRlog.txt. I attached the files that seemed to be the log files for the particular application.

    Looking forward to your guidance - this is way outside my experience.

    Thanks!
     

    Attached Files:

  2. cactoctin

    cactoctin Private E-2

    And here are the text files I found in the MGtools\temp folder. I used 7-zip to zip them into two separate zips because of the 2MB file limit.

    Thanks!
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have zipped the wrong files. There was no need for you to zip anything yourself because all we requested from you was the:

    C:\MGlogs.zip

    Without seeing that I cannot issue you with a complete fix so please attach it in your next reply. :)

    Thanks
    Kes.
     
  4. cactoctin

    cactoctin Private E-2

    In my first post, I mentioned that MGtools seemed to hang on the first screen. After about 2 hours, I ended up turning the computer off since the computer wouldn't respond to anything (even ctrl-alt-del). So there wasn't a zip file to append - just a bunch of files in the MGtools\temp folder. How long should it take? Did I pull the plug too soon?

    Shall I re-run the MGtools? Or the entire sequence?

    AVG is reporting the same infection on smss.exe and services.exe in the System Volume Information folder. Again, it failed to remove them - object inaccessible.

    Thanks for your help!
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe
     
  6. cactoctin

    cactoctin Private E-2

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: a7ca3eec9d6704da288f70e85abbfb86

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>

    Press any key to quit...

    --------------------

    Output from the bootkit remover program above.

    Thank you so much!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. We have used this fix many times without a problem but there is always a risk. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.


    Also note if you have a Dell PC which uses a non-standard MBR, fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not continue, but you risk serious problems leaving this infection in place and thus your only other option would be to try using the Dell Restore Utility to return to a factory ship state, which will remove everything additional you have put onto the PC.


    Now if you wish to try to fix this and have observed the above warnings and have backed up important data, please do the following:
    • Click Start, Run then copy and paste the below into the Run box and click OK.
    "%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive0
    • Now reboot your PC and after reboot continue with the below instructions.
    • Disable System Restore on all drives.
    • Look for the below folder and if it still exists, delete it.
      • C:\System Volume Information\Microsoft
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • C:\MGlogs.zip
    Make sure you tell me how things are working now! You do have some other infections besides the MBR infection that need to be fixed.
     
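    The scan in message 6 reports two things about the first sector of PhysicalDrive0: an MD5 of the sector and a verdict on the boot code ("Unknown boot code" versus "OK (DOS/Win32 Boot code found)"), and the fix in message 7 rewrites that sector, after which a rescan should show a different MD5 and the OK verdict. The following is an added example, not eSage Lab's remover.exe and not code from this thread, showing how such a triage can be done: it parses the standard MBR layout (440 bytes of boot code, the NT disk signature, a four-entry partition table, the 0x55AA signature), hashes the sector, and classifies the boot code by whether the error strings Microsoft's standard MBR code carries are present. The two sample sectors, the partition values in them and the `read_mbr` path handling are constructed for illustration; the string heuristic is an assumption about how a scanner might work, not a description of remover.exe's internals.

```python
"""MBR triage: parse a 512-byte master boot sector, hash it, classify its
boot code. Added example; offsets follow the standard MBR layout, the
sample sectors are constructed, and the string heuristic is an assumption."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439; 0x1B8 holds the NT disk signature
PART_TABLE_OFF = 446       # four 16-byte entries
SIGNATURE_OFF = 510        # 0x55 0xAA

# Error strings present in Microsoft's standard MBR boot code.
MS_BOOT_STRINGS = (b"Invalid partition table",
                   b"Error loading operating system",
                   b"Missing operating system")


def parse_partitions(sector):
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)   # status, CHS start, type, CHS end, LBA, count
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def classify_boot_code(sector):
    """Mimic a scanner's summary verdict for the boot code region."""
    if len(sector) != SECTOR_SIZE:
        return "Not a full sector"
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        return "Missing 0x55AA signature"
    code = sector[:BOOT_CODE_LEN]
    if all(s in code for s in MS_BOOT_STRINGS):
        return "OK (DOS/Win32 Boot code found)"
    return "Unknown boot code"


def sector_md5(sector):
    """Whole-sector MD5, comparable across scans of the same disk."""
    return hashlib.md5(sector).hexdigest()


def report(sector):
    return {"md5": sector_md5(sector),
            "status": classify_boot_code(sector),
            "partitions": parse_partitions(sector)}


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw device (needs admin/root; e.g. /dev/sda on Linux)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def _build_sector(boot_code, partitions):
    """Assemble a constructed 512-byte sector for the samples below."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78\x00\x00"      # constructed NT disk signature + 2 reserved bytes
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return code + disk_sig + table + b"\x55\xAA"


# Constructed partition table: an active NTFS system partition and a recovery partition.
SAMPLE_PARTS = [(0x80, 0x07, 63, 600000000), (0x00, 0x27, 600000063, 25137282)]

# Constructed "clean" sector: a few plausible opcodes plus the standard error strings.
CLEAN_MBR = _build_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x00".join(MS_BOOT_STRINGS),
                          SAMPLE_PARTS)

# Constructed "infected" sector: same partition table (bootkits usually keep it intact,
# which is why the disk still boots) but foreign boot code without the strings.
INFECTED_MBR = _build_sector(bytes(range(0x90, 0xF0)) * 5, SAMPLE_PARTS)


if __name__ == "__main__":
    for name, sec in (("constructed clean", CLEAN_MBR), ("constructed infected", INFECTED_MBR)):
        r = report(sec)
        print(f"{name}: MD5 {r['md5']}  status: {r['status']}  partitions: {len(r['partitions'])}")
```

    Two things worth noticing: the partition listing is identical for both samples, so a disk can be fully bootkitted and still boot and show all its volumes, which is the situation in message 6; and the string check is only a heuristic, since a bootkit that leaves those strings in place (or stores the original sector elsewhere and patches only a few bytes) would pass it. Comparing the sector hash against one taken from a known-good state, as the remover.exe MD5 line lets you do before and after the fix, is the stronger check.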
  8. cactoctin

    cactoctin Private E-2

    I backed up everything several days ago so I am ready to proceed.

    Is there any possibility that my backups are compromised by any of my infectious diseases? They are data file backups (made the simple brute force way of copying folders to a portable drive) not an image copy of my drive.

    How do I delete c:\System Volume Information\Microsoft ? Whenever I click on the c:\System Volume Information folder, I get the error dialog box "C:\System Volume Information is inaccessible. Access is denied."

    Thanks!
     
  9. cactoctin

    cactoctin Private E-2

    I did the following:

    Click Start, Run then copy and paste the below into the Run box and click OK.
    "%userprofile%\Desktop\remover.exe" fix \\.\PhysicalDrive0​


    The first time I did this I got the following error dialog box with a title bar labelled "C:\Documents":
    Windows cannot find 'C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

    This didn't make any sense to me at all. In hindsight, I probably should have stopped there and asked for guidance. But, I repeated the command as specified. This time I got a DOS style window with the bootkit remover version and copyright info, and a popup box warning asking me if I wanted to proceed and asking if I would allow it to reboot the machine immediately after the disinfection. I told it to proceed and allow the immediate reboot.

    It seemed to immediately reboot. I don't know how long the remover activity normally takes but I got the Windows splash screen immediately. And I've been staring at that since about 2am. The Cylon style progress bar is still moving.

    I haven't any ideas at all about what to do now. Is this recoverable?

    Thanks!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Power down the PC for a couple minutes and then see if you can boot into normal mode. If normal boot mode does not work, first try safe boot mode and if that does not work try booting to Last Known Good Configuration.


    Not sure. It's possible you had a non-standard type boot record on your PC.

    Do you have your Windows XP Professional boot CD?
     
  11. cactoctin

    cactoctin Private E-2

    Sony doesn't give you the CDs - it's all in the disk partition. I could borrow a set from my lab at work.

    It appears to have booted normally on the first try.

    A dialog box just appeared "System Settings Change". "Windows has just finished installing new devices. The software that supports your device requires that you restart your computer. You must restart your computer before the new settings will take effect. Do you want to restart your computer now?"

    Should I restart?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes!
     
  13. cactoctin

    cactoctin Private E-2

    It's back up.

    Thanks!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the requested new MGlogs.zip file. See the last fix.

    Also, are you having any more malware problems?
     
  15. cactoctin

    cactoctin Private E-2

    I disabled the System Restore and then started the GetLogs.bat program. It ran through some things and then, while running analyse.exe a dialog box appeared asking me to allow it to report a HijackThis error:

    An unexpected error has occurred at procedure: modRegistry_InGetString(sFile=system.ini, sSection=boot, sValue=Shell)
    Error #5 - Invalid procedure call or argument

    Windows version: Windows NT 5.01.2600
    MSIE Version 6.0.2900.2180
    HijackThis version: 2.0.4


    Next step?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just ignore it and continue.
     
  17. cactoctin

    cactoctin Private E-2

    Here's the log.

    As for any other virus behaviors, the computer's only been on for about an hour. Haven't noticed anything yet but I've thought it was gone before and been wrong. :(

    Thanks!
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's double check what your MBR looks like now.
    • Double click the remover.exe file on your Desktop to run the scan part of the program.
    • Attach or post inline here, the output from remover.exe.
    NOTE: The Command Prompt window text can be copied to the clip board by right clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.
    I see some items from Symantec in your logs but you are using AVG for an antivirus. Do you have anything else from Symantec/Norton still installed?
     
  19. cactoctin

    cactoctin Private E-2

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Press any key to quit...
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That looks good.


    You did not answer my question about Symantec.
     
  21. cactoctin

    cactoctin Private E-2

    I missed the question on Symantec.

    Sony shipped the laptop with Norton anti-virus and I bought it again one year. But I didn't like how slow my machine ran so when my hard drive died last September, I decided to use something else. But, a trial subscription to Norton is part of the Sony base installation bloatware. When you rebuild your OS, it gets installed again. I tried to get rid of it but I must not have found all the pieces.

    You mentioned in one post that I have more viruses than the Trojan. Did the Bootkit Remover take care of them, too? Which other viruses? I've tried to research the Trojan / Black Internet malware but there's almost nothing other than people fighting it. What's the point of this one?

    Thanks!
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I did, but some questionable items turn out to be part of Protector Suite that you are using, and I needed an answer on the Symantec stuff to work up a complete next procedure. So we are almost finished. ;)

    cactoctin said: "I've tried to research the Trojan / Black Internet malware but there's almost nothing other than people fighting it. What's the point of this one?"

    Like most MBR infections the end goal may be to steal personal information; however, all of what it does has not been determined yet. Right now all most people know is that it is a major nuisance but I expect more is going on than just the nuisance aspects.


    Please run the below then reboot. After reboot run it one more time.

    Norton Removal Tool (SymNRT)


    Now we need to use ComboFix to DeQuarantine some files
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Susan\Local Settings\Temp


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.


    Now if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  23. cactoctin

    cactoctin Private E-2

    Just now, as I was downloading the Norton removal tool, AVG popped up its Alert screen - the Trojan Horse Downloader Generic9.CAXD on the C:\System Volume Information\services.exe is back.

    Should I proceed with the Norton removal or should I go back and repeat some steps?

    Thanks!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do my last fix up to and including CCleaner, but instead of running the final steps, do the below so we can see if it is really a return of the infection or just a detection of the previous infection that is really left over in system restore.

    • On your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe
    NOTE: The Command Prompt window text can be copied to the clip board by right clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
     
  25. cactoctin

    cactoctin Private E-2

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Press any key to quit...
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still clean. Complete all of the final instructions in message number 22 before worrying about anything reported by AVG. After finishing 100% of those instructions, if AVG still reports something, attach a log from AVG that shows exactly what and where.
     
