Trojans: Mirindaspm, Adtomi - deletion?

Discussion in 'Malware Help (A Specialist Will Reply)' started by toolio20, Feb 10, 2007.

  1. toolio20

    toolio20 Private E-2

    Hi, I am new here, and this IS my first post, so if I futz something up please don't rip me a new one.
    I'll be as concise as I can. I noticed two files, both named Mirindaspm, in my Windows directory, and a Google search revealed this is a Trojan. I ran Ad-Aware, which detected and "quarantined" it, but I wasn't satisfied with this as the files were still present after AA's "action." That led me to this site. I downloaded the programs and ran through the various scans (except for BitDefender, which wouldn't run) and will post the resulting logs. Trojans are being DETECTED, but I'm really wanting to REMOVE them, which no program seems willing or able to do thus far.
    Any helpful advice would be seriously appreciated.
     

    Attached Files:

  2. toolio20

    toolio20 Private E-2

    the other log
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please run this Gromozon Rootkit Removal Tool and attach a log.

    Then also please also attach a HijackThis log per the directions in step 7 of the READ & RUN ME.

    Also uninstall the below old versions of software:
    Java 2 Runtime Environment Standard Edition v1.3.1_02
    Mozilla Firefox (1.5.0.9)
    Viewpoint Media Player (Remove Only) <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    You don't appear to have an antivirus or firewall installed! Why not?
     
  4. toolio20

    toolio20 Private E-2

    Wow, these infections are hardcore...

    I followed all the steps you listed in your gracious and timely reply (thanks for that, btw) but the results were... sadly amusing. Long and short, Counterspy still is picking up the Gromozon Trojan, but the app that supposedly gets rid of it doesn't even detect its presence. Log is enclosed.

    I went back into safe mode and was able to get connectivity - the Bitdefender scan picked up nothing, thus no logfile, and Panda found even more stuff. Also find the HJT log.

    I really appreciate your help in this - I'm really trying to avoid formatting, but since the Gromozon remover can't even detect the thing on my box... Do you think this problem is solvable?
    Thanks again!

    P.S. My bad on the Viewpoint Media Player, and my anti-virus/firewall is ZoneAlarm.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I missed one of the other old versions of Sun Java last time. Uninstall the below too:
    J2SE Runtime Environment 5.0 Update 6
    You did not install the current version as I requested in message number 3! You need to do this now.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.

    Now reboot in safe mode and use Windows Explorer to delete the below files:
    c:\windows\system32\lpt4.ago
    C:\WINDOWS\3n73.sys
    C:\WINDOWS\mirindaspm.exe
    C:\WINDOWS\system32\3n73.sys
    C:\WINDOWS\system32\mirindaspm.exe
    C:\WINDOWS\system32\obl513.dll
    C:\WINDOWS\system32\zbtzbn.exe

    Now run Ccleaner.

    Now reboot in normal mode
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew


    Make sure you tell me how things are working now!


    You can also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\INDO\Local Settings\Application Data\Sunbelt Software
    C:\Diagnostic Programs\CounterSpy
     
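The file-deletion step in the post above is done by hand in Windows Explorer. Below is an added example (not from this thread, and not a MajorGeeks tool) of the same step scripted in PowerShell so that each listed file is recorded (size, attributes, SHA-256) before it is touched, and so that any service, driver or Run key still pointing at the file is flagged: a .sys that is still registered under CurrentControlSet\Services, or an .exe still named in a Run key, will simply be reloaded or re-created at the next boot, which is the usual reason a "deleted" file comes back. The file list is taken from the post; the registry locations checked are standard Windows persistence points and the mapping of the HijackThis O9 line to the Internet Explorer "Extensions" key is an assumption of this example, not something the post states. It needs PowerShell 4 or later (for Get-FileHash) and an elevated prompt, and is meant to be run in Safe Mode as the post instructs, since a file that is loaded as a driver or running as a process cannot be deleted in place.

```powershell
# Added example, not the original poster's or MajorGeeks' code.
# Records the files chaslang listed, flags persistence entries that still
# reference them, then deletes. Starts in -WhatIf mode: inspect the report,
# then set $WhatIf = $false and run again.

$Targets = @(                       # paths exactly as listed in post 5
    'c:\windows\system32\lpt4.ago',
    'C:\WINDOWS\3n73.sys',
    'C:\WINDOWS\mirindaspm.exe',
    'C:\WINDOWS\system32\3n73.sys',
    'C:\WINDOWS\system32\mirindaspm.exe',
    'C:\WINDOWS\system32\obl513.dll',
    'C:\WINDOWS\system32\zbtzbn.exe'
)
$Report = Join-Path $env:USERPROFILE 'Desktop\removal-report.txt'
$WhatIf = $true

# Find services/drivers and Run/RunOnce values whose command line names the file.
# (Assumed persistence points for this example; the post does not list them.)
function Get-PersistenceRefs {
    param([string]$Path)
    $name = [IO.Path]::GetFileName($Path)
    $refs = @()
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($img -and $img -like "*$name*") { $refs += "service $($_.PSChildName): $img" }
        }
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($key in 'Run', 'RunOnce') {
            $k = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$key"
            $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
            if ($props) {
                $props.PSObject.Properties |
                    Where-Object { $_.Value -is [string] -and $_.Value -like "*$name*" } |
                    ForEach-Object { $refs += "$k\$($_.Name): $($_.Value)" }
            }
        }
    }
    return $refs
}

"Removal pass started $(Get-Date -Format o)  WhatIf=$WhatIf" | Out-File $Report

foreach ($t in $Targets) {
    if (-not (Test-Path -LiteralPath $t)) {
        "MISSING  $t" | Tee-Object -FilePath $Report -Append
        continue
    }
    # -Force is needed to see files carrying the hidden/system attributes
    $item = Get-Item -LiteralPath $t -Force
    $hash = (Get-FileHash -LiteralPath $t -Algorithm SHA256).Hash
    "FOUND    $t  size=$($item.Length)  attrs=$($item.Attributes)  sha256=$hash" |
        Tee-Object -FilePath $Report -Append

    foreach ($r in Get-PersistenceRefs $t) {
        "  STILL REFERENCED BY $r  (remove that entry too or the file returns)" |
            Tee-Object -FilePath $Report -Append
    }

    if (-not $WhatIf) {
        $item.Attributes = 'Normal'            # clear read-only/system so the delete is not refused
        Remove-Item -LiteralPath $t -Force -ErrorAction Continue
        if (Test-Path -LiteralPath $t) {
            "LOCKED   $t  (still in use: reboot into Safe Mode and rerun)" | Tee-Object -FilePath $Report -Append
        } else {
            "DELETED  $t" | Tee-Object -FilePath $Report -Append
        }
    }
}

# The HijackThis O9 line from the post: confirm the IE extension key is gone
# (assumed location for O9 entries in this example).
$clsid = '{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}'
foreach ($hive in 'HKLM', 'HKCU') {
    $k = "${hive}:\Software\Microsoft\Internet Explorer\Extensions\$clsid"
    if (Test-Path $k) { "O9 ENTRY STILL PRESENT: $k" | Tee-Object -FilePath $Report -Append }
}
```

Keep the report and the hashes: if a later scanner (here, CounterSpy) keeps flagging a name after the file is gone, the recorded hashes and the "STILL REFERENCED BY" lines tell you whether something was left behind or whether you are looking at a false positive. If you want to analyse the samples later, swap the Remove-Item for a Move-Item into a quarantine folder outside any scanner's path.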
  6. toolio20

    toolio20 Private E-2

    Wow, I'm just floored...

    First of all, thanks for your help, I am MOST appreciative. Unfortunately, I went ahead and reformatted, which got rid of most of the problems. Except for one, which wasn't really a problem at all but rather a false positive due to a bug inherent in CounterSpy. Take a look at this:

    http://www.castlecops.com/p896192-Gromozon_problems_please_help.html

    I wish I had seen that page sooner, but I'm not complaining - this experience has been thoroughly educational, and I'm positive my box is FAR better protected now than previously.

    chaslang, you seem truly dedicated to helping users sort out their malware issues, and don't mistake this for kissing your arse, but I do want you to know I recognize... MAD props, dude.

    The reinstall carries on - peace
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

