Atraps

spring mist · Jul 5, 2009

Hi,

I installed avira a few weeks ago and it detected TR.ATRAPS.gen, although avira deleted them (there were 3), I ran the "read and run first," just in case, those scans did find a few more things that were also taken care of. So i'm just posting to see if anything else is wrong with my computer. Here are the logs from the "read and run" programs.
Thanks.

spring mist · Jul 5, 2009

here's the other log from my scans.

Kestrel13! · Jul 6, 2009

Please open up Malware Bytes > let it update > re scan > fix all it finds > and attach the new log into your next reply.

I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Thanks for your patience during this time.

Kes

spring mist · Jul 7, 2009

hi
here's the malwarebytes log. It didn't find anything new.

Kestrel13! · Jul 10, 2009

1. Please go to add/remove programs and uninstall the following software:

Ad-Aware 2007 <--- 2 years out of date

Spyware Guard <--- look for this to uninstall, if you do not find it then please reinstall and then uninstall again.

Also: MarketBrowser <--- Did you intentionally install this? Let me know, could be that it was already installed on this PC when you got it.

2. If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

There are still remnants from Norton on your machine:

3. Please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.

4. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

After clicking Fix exit HJT.

5. Can you tell me what these bold files are for?

C:\Documents and Settings\Owner\ml2.srt
C:\Documents and Settings\Owner\ml1.srt

6. Delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

C:\Documents and Settings\Owner\Local Settings\TEMP
Click to expand...

7. Now we need to use ComboFix to remove some dead BHO's and also clean up from remnants of avg and norton.

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Open Notepad and copy/paste the text in the below code box into it

(make sure you scroll all the way down in the code box to get all lines selected ):
Code:
KILLALL::

File::
c:\windows\Tasks\Symantec NetDetect.job
c:\program files\Symantec\LiveUpdate\NDETECT.EXE 


Folder::
C:\Program Files\AVG

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

8. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

9. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Click to expand...

spring mist · Jul 10, 2009

Hi,

#1 I didn’t install marketbrowser.

#2 Thanks for telling me windows messenger was different from msn messenger!

#4 the bho spywareguard wasn’t there, but I deleted the other two bho's

#5 I have no clue what these files are for:
C:\Documents and Settings\Owner\ml2.srt
C:\Documents and Settings\Owner\ml1.srt

I couldn’t open either of them because a sign appeared saying windows needed to know what program created these files, that I could go online or pick a program from the computer. I chose not to go online, should I? I also used the search feature and found that these files are also within the Administrator, Default User, Guest and Owner accounts and in C:\WINDOWS\config\systemprofile

#6 For the C:\Documents and settings\owner\local settings\TEMP I deleted the files but there was also a folder inside marked “messenger cache” should I delete the folder too?

By the way while running one of the programs, I think it was combo fix, my desktop picture changed.

I also got the following error message while running C:\mgtools\getlogs.bat:
.NET Framework initializing error
To run this application you must first install the following version of .NET Framework: v1.1.4322

spring mist

Kestrel13! · Jul 13, 2009

Follow thru the below steps in order:

1. Please uninstall the below software:

LiveUpdate 1.7 (Symantec Corporation)

Now go back to my post #5 step number 3 and give the Norton removal Tool a run.

3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Thanks
kes

spring mist · Jul 14, 2009

Hi,

When I tried to unistall the LiveUpdate 1.7 (symantec corporation), an error message appereared saying, "it may have already been unistalled, would you like to remove it from the add/remove list" so I removed it.

Thanks for your help,
spring mist

Kestrel13! · Jul 15, 2009

Hi there

All is good -

Just need to do this:

Delete all files in the below bold folder except ones from the current date (Windows will not let you delete the files from the current day).

C:\Documents and Settings\Owner\Local Settings\temp

Then finally....

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

spring mist · Jul 16, 2009

Wow thanks, I had quite a bit of stuff on my computer I didn't know about.

After running MGclean.bat, I still had the MGlogs folder left over, do I leave it?

spring mist

Kestrel13! · Jul 16, 2009

You can get rid of the folder

Take care, and you're welcome for the help!

Log in or Sign up

Atraps

spring mist Private E-2

Attached Files:

SUPERAntiSpyware Scan Log - 07-02-2009 - 20-57-04.log

mbam-log-2009-07-02 (22-31-21).txt

ComboFix.txt

RRlog.txt

spring mist Private E-2

Attached Files:

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

spring mist Private E-2

Attached Files:

mbam-log-2009-07-06 (22-18-16).txt

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

spring mist Private E-2

Attached Files:

MGlogs.zip

ComboFix.txt

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

spring mist Private E-2

Attached Files:

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

spring mist Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member