Malware on Computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by stormbringer1, Oct 31, 2010.

  1. stormbringer1

    stormbringer1 Private E-2

    Hi, I have been trying to remove malware from my computer for a few days now.

    1) on boot up (Oct 22), the Trend Chip Away Virus screen appeared. I continued booting up, and there was clearly a boot virus. The CPU utilization went to 100% (files such as ujq.exe, ujs.exe were running, all of the browsers kept crashing, and the look of the desktop changed). I tried to run online virus scanners, but could not.

    2) Before I found this website, using various tools and scanners, several viruses were detected and removed, including:
    Gen:Variant Vundo 4 (found with Trend Micro PC-Cillin)
    TROJ_INJECT.AMW (found with Trend Micro PC-Cillin)
    TROJ_SPYEYES.AB (found with Trend Micro PC-Cillin)
    Trojan Fake Alert (found with MalwareBytes)
    Trojan Downloader (found with MalwareBytes)
    Worm Palevo.Gen (found with MalwareBytes)
    and finally Rootkit.TDSS, which I removed using Kaspersky TDSSKiller

    3) There still seems to be issues with respect to various system settings that the malware changed. I followed your malware removal procedure up to running ComboFix, but ComboFix does not execute.
    I get popup windows "32788R22FWJFW\iexplore.exe" (also n.pif, hidec.exe, and nircmd.cfxxe) stating that 'Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item'.
    How should I proceed? Thanks.

    4) I can't open/locate the SAS logs, although they are listed under the Statistics/Logs tab. When I click on them, nothing opens. The MalwareBytes logs were generated earlier, but now have been deleted somehow.

    I am running Windows XP Home SP 3.

    Thanks for any help you can provide!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What happened when you tried to run MGTools.exe? Did that produce the log at C:\MGLogs.zip?

    Have you tried renaming ComboFix to say abc.com? Does it run then?
     
  3. stormbringer1

    stormbringer1 Private E-2

    When I try to run MGTools.exe, I immediately get a popup with GetLogs.bat in the title bar, and the same message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this file", and then another window with "Error" in the title bar, and the message "Failed to run GetLogs.bat, working dir = \MGTools (check to see if this file is in the EXE)".

    ComboFix does not run, regardless of its name. Same windows keep popping up.

    I have also seen the window with "rundll32.exe" in the title bar pop up.

    Thanks.

     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click and choose Run as Administrator.

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.

    If you are having problems running Rkill, you can download iExplore.exe or eXplorer.exe, which are renamed copies of Rkill.com, and try them instead.

    * If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper from Raktor

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com.
    • Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now see if you can run MGTools.exe.
     
  5. stormbringer1

    stormbringer1 Private E-2

    Ran Rkill.exe
    Ran exeHelper.com (log attached).
    Same result (popups) with MGTools.exe, but apparently it does unpack all the files to C:\MGTools
    I ran GetLogs.bat (MLogs.zip attached).

    Thanks.
     

    Attached Files:

    Last edited by a moderator: Oct 31, 2010
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. You can use Windows Explorer to find and delete:
    C:\WINDOWS\Tasks\WKJMSXO.job

    Otherwise, tell me what malware issues you are still having, if any.
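    The stray .job file above is the kind of leftover a responder wants to inventory before deleting, and the "cannot access the specified device, path or file" errors earlier in the thread are the kind of symptom Rkill is meant to clear. The following read-only PowerShell triage script is an added example, not a tool from this thread or from MajorGeeks; it lists any .job files in the Windows Tasks folder with their hashes and timestamps, and, as a general check that the thread itself does not identify as the cause, reports Image File Execution Options "Debugger" values and Explorer DisallowRun policy entries, two well-known ways that launching a program can be redirected or blocked. Nothing here is removed; the output is for a human to review, and the WKJMSXO.job name appears only as the thread's example.

```powershell
# Added triage script (read-only). Not part of the thread; assumptions are noted inline.
# Written to run on PowerShell 2.0 and later, so it avoids Get-FileHash and [pscustomobject].

$findings = @()

function New-Finding($kind, $where, $detail) {
    New-Object PSObject -Property @{ Kind = $kind; Where = $where; Detail = $detail }
}

# 1. Legacy scheduled-task .job files (the thread's WKJMSXO.job lived in this folder).
$taskDir = Join-Path $env:windir 'Tasks'
$sha256  = [System.Security.Cryptography.SHA256]::Create()
Get-ChildItem -Path $taskDir -Filter '*.job' -ErrorAction SilentlyContinue | ForEach-Object {
    $stream = [System.IO.File]::OpenRead($_.FullName)
    try {
        $hash = ([BitConverter]::ToString($sha256.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Close()
    }
    $findings += New-Finding 'JobFile' $_.FullName "modified $($_.LastWriteTime); sha256 $hash"
}

# 2. Image File Execution Options "Debugger" values. A Debugger value under a subkey named
#    after an executable makes Windows start the named program instead of that executable.
#    Assumption: this is a general check, not something the thread identifies on this machine.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
    if ($props -and $props.Debugger) {
        $findings += New-Finding 'IFEO' $_.PSChildName "Debugger = $($props.Debugger)"
    }
}

# 3. Explorer DisallowRun policy: each value names an executable the current user may not run.
#    Same assumption as above; legitimate administrators also use this key.
$disallow = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $disallow) {
    (Get-ItemProperty -Path $disallow).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { $findings += New-Finding 'DisallowRun' $disallow $_.Value }
}

if ($findings.Count -eq 0) {
    'No .job files, IFEO Debugger values or DisallowRun entries found.'
} else {
    $findings | Select-Object Kind, Where, Detail | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM key is readable, and compare each IFEO Debugger value against what you expect (some legitimate tools register one). A .job file you do not recognise should be hashed and saved off before it is deleted, so a specialist can still examine it.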
     
