benpao virus?

Discussion in 'Malware Help (A Specialist Will Reply)' started by T03J4M, Apr 14, 2007.

  1. T03J4M

    T03J4M Private E-2

    I got this Norton alert about a program called "e.exe".
    I searched Google and found nothing about it, except for one page saying it's called Benpao.
    How do I get rid of this Benpao virus?
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Indeed, that is a trojan. To remove this trojan and any associated malware it may have brought with it, please follow the guide below, then attach all the logs requested.

    Below are our standard cleaning procedures, which are necessary for us to provide you support. Steps are also included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED, because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. T03J4M

    T03J4M Private E-2

    OK, after the Norton alert popped up, I clicked "block always" for e.exe.

    I did part of the AVG scan (which found nothing).
    Some of the other scans just found cookies and some programs I was using.
    Here are some log files.
    I didn't run all of the Panda + BitDefender scans, because it said it would take 20 hours.
    I still have a log for Panda.

    But I followed a tutorial online at symantec.com that showed how to get rid of Benpao. I located e.exe, deleted it, checked the registry (as the tutorial said), and to my surprise the registry keys that the tutorial said Benpao was going to change weren't changed. I guess e.exe really didn't do anything?

    I couldn't run GetRunKey + ShowNew, because when I clicked on the batch files it said "locate.com, grep.com, ltime.com weren't located", and they're in the same directory as GetRunKey + ShowNew.

    OK, here's a log file for Panda + HijackThis. On the Panda log, there's a thing in the path c\dwh\emulator\evi422path. That's a program I just use.

    Sorry, I'm kind of busy right now, so I don't have too much time.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the logs. I see no sign of AVG Antispyware being run!

    You need to run them and attach the logs. Without logs, we cannot help you remove your malware!

    That means you did not follow the directions in the download links for the tools. Again, we need the logs to be able to help you.

    So are we! Sorry, no logs, no help!

    You even skipped step 2 and step 3 of the READ ME! Did you install AVG Antivirus instead of AVG Antispyware?? If so, uninstall AVG Antivirus and install what we requested in the READ ME. And run a scan and attach a log.
     
    Last edited: Apr 14, 2007
  5. T03J4M

    T03J4M Private E-2

    OK, I did all the scans, one by one. Here are the logs.

    Here are some notes:
    - ran in safe mode
    - CounterSpy didn't have a setting for quarantining what it finds in safe mode
    - Spybot: fixed microsoft.windowsscuritycenter.AntiVirusDisableNotify
    microsoft.windowsscuritycenter.FirewallDisableNotify
    microsoft.windowsscuritycenter_disabled
    left SpyArsenal.Homekeylogger (I use this program for my computer)
    - CounterSpy: ignored Homekeylogger, Family Logger, and event 2442 (I use them for my computer)
    - ran in safe mode with networking
    - BitDefender: deleted some of my stuff...
    - Panda: all the found stuff had status "not disinfected"
    - GetRunKey didn't work
    - ShowNew didn't work

    GetRunKey + ShowNew didn't work. I read the whole download page; it says "do not open from inside the zip". Well, I downloaded the programs to the same folder, extracted them both to their own separate folders, I even deleted the zip files, and opened GetRunKey/ShowNew. It still says locate/ltime/grep not found, with an empty log file. I went to the download page, downloaded the XP Home fix, and it still didn't work. The 2nd error message doesn't happen to me.
     

    Attached Files:

  6. T03J4M

    T03J4M Private E-2

    The HijackThis log.
     
  7. T03J4M

    T03J4M Private E-2

    OK... why is there no log? I already uploaded it.
    OK, here's the HijackThis log.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to be more explicit! We need these logs! You must explain what problems you are having. They are just DOS batch files that will normally run without a problem as long as you follow the directions on the download pages. And also you need to watch for the possible documented error messages.

    You also need to follow the directions in the READ ME.
    • You did not empty your Norton AntiVirus Quarantine as requested in step 0!
    • You still are violating step 3 of the READ ME. You have both AVG and Symantec antivirus applications installed. You must uninstall one.
    • And I still suspect you did not do step 2 of the READ ME properly which is why your HijackThis executable is named with double extensions (analyse.exe.exe) instead of one extension (analyse.exe). But I cannot tell for sure until I get the GetRunKey log.
     
    Last edited: Apr 16, 2007
  9. T03J4M

    T03J4M Private E-2

    OK, I:
    emptied Norton AntiVirus quarantine
    uninstalled AVG
    renamed analyse.exe to analyse (I did step 2, it's just that it doesn't show the extension)

    No matter how many times I try GetRunKey/ShowNew, it doesn't work. I've already downloaded + unzipped + tried them out like 15 times, and it still shows the same thing.

    Picture of error:
    http://img250.imageshack.us/img250/4496/proofyj1.png

    If you want a YouTube link showing what I did, I'll post the link when it's done processing.
    (Here's what I did: went to the download page - downloaded the program - went to the directory - extracted - deleted the zip file - double clicked GetRunKey.)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not show the extension because you did not follow ALL of the directions in step 2! Go back and see for yourself. You are still hiding file extensions!

    That message indicates that you did not extract all the files from the ZIP file or that you are trying to run the batch file from inside of the ZIP file. What folder do you think you extracted all the files to? Right click Start and select Explore. Now in the Windows Explorer window, navigate to the folder where you believe that you extracted GetRunKey.zip to. What files are in the folder? (DO NOT double click on the ZIP file, that will only show you what is in the ZIP file. I want to see what folder you extracted to and what files are in the folder.)
     
  11. T03J4M

    T03J4M Private E-2

    Oops, double post.
     
  12. T03J4M

    T03J4M Private E-2

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the attached MGtools.exe file to your Desktop. And then double click on it to run it. If it works properly, you should have the two log files now.

    Note: just close the newfiles.txt log that should pop up when it completes. Then look for c:\newfiles.txt and c:\runkeys.txt
    Are the files there? If yes, attach them. If not, did you receive any error messages?
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the snapshots you are showing, what is the folder name where you have Ccleaner, GetRunKey, Logfiles, ShowNew and Spybot Search & Destroy showing? Is it C:\DWM2?
     
  15. T03J4M

    T03J4M Private E-2

    No, it's C:\DWH2.

    OK, downloaded mgtools.exe to the desktop, double clicked, and an MS-DOS window pops up and disappears in half a second. I took a snapshot of it, and it just shows the description of the program with no other text. I looked in c:\, but found no newfiles.txt or runkeys.txt. I didn't receive any error messages.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was a C:\MGTools folder created? And if so, what files do you see in that folder?

    Goto the link for Using GetRunKey and run the fix for the first possible error message (the one with the XPfiles fix). Make sure you allow the program to extract the files in the default folder which is the C:\windows\system32 folder
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also make sure you are not blocking the scripts from running. Your antivirus program could be doing that. Shut down Symantec and see what happens.

    Also, please attach a current HJT log.
     
  18. T03J4M

    T03J4M Private E-2

    Yes, an MGTools folder was created. It contains: GetLogs.bat, Getrunkey.bat, grep.exe, locate.com, ltime.exe, shownew.bat

    I tried the XP fixes (both Home and Pro) with no success. Am I supposed to restart the computer after extracting them?

    I shut down Symantec; the programs still don't work.

    Here's a new HijackThis file.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, a reboot afterwards is recommended.

    What is the below service for?
    O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)

    Also what is the below?
    C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager.exe

    From a command prompt, type the below:
    set > c:\env.txt

    This will create a c:\env.txt file. Attach this file here.

    Also please uninstall CounterSpy since we are finished with it now!


    Note: In case you don't know how to get a command prompt:
    click Start, Run and enter cmd and click OK.
     
  20. T03J4M

    T03J4M Private E-2

    O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing) is a spyware program I downloaded when I got e.exe, but I uninstalled it the day I installed it. How do I remove it?

    C:\PROGRA~1\Alibaba\TRADEM~1\TradeManager.exe is a program.

    Here's the txt file.

    OK, I uninstalled CounterSpy. Should I still work on trying GetRunKey?
     

    Attached Files:

    • env.txt (1.2 KB)
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SysEnforce
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SysEnforce into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot
    After reboot, check your HJT log! Is the below line now gone?

    O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE (file missing)

    I'm still baffled why GetRunKey and ShowNew will not run. Unless for some reason it runs now after uninstalling CounterSpy and fixing the above!

    Are you having any problems at the current time?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your environment Path, I see the below:

    C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625

    Do you know what these are for? What is MUVEET~1? It is an abbreviation for a longer folder name. The folder is in C:\Program Files\Common Files. What is it, and what is in the folder? Also there is a space in your PATH which is not allowed! We need to fix this and also maybe delete the above if they are unknown.
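    The two checks chaslang is doing by hand above (dumping the environment with `set > c:\env.txt` and reading the PATH entries, and spotting the HijackThis O23 line whose service binary is reported as `(file missing)`) can be scripted for triage. The following Python is an added example written for this thread, not a MajorGeeks tool or anything from the original posts. The `set` dump and the second O23 line are constructed sample data; the SysEnforce line is the one quoted in the thread. Because the example runs offline, `KNOWN_DIRS` stands in for an `os.path.isdir()` check on the real machine. It flags stray whitespace around a PATH entry (which stops that directory from being searched), duplicate entries, 8.3 short names that should be resolved to their full folder name before deciding what they are, directories that do not exist, and any service registration whose executable is gone.

```python
import re
from typing import Dict, List

# Constructed sample of a `set > c:\env.txt` dump (not the user's real file).
# The Path line mirrors the thread's duplicated MUVEET~1 entry and carries a
# stray leading space on one entry; every value here is made up for the example.
ENV_TXT = (
    "ALLUSERSPROFILE=C:\\Documents and Settings\\All Users\n"
    "ComSpec=C:\\WINDOWS\\system32\\cmd.exe\n"
    "Path=C:\\WINDOWS\\system32;C:\\WINDOWS; C:\\WINDOWS\\System32\\Wbem;"
    "C:\\PROGRA~1\\COMMON~1\\MUVEET~1\\030625;"
    "C:\\PROGRA~1\\COMMON~1\\MUVEET~1\\030625\n"
    "PATHEXT=.COM;.EXE;.BAT;.CMD\n"
    "SystemRoot=C:\\WINDOWS\n"
)

# HijackThis O23 lines: the first is quoted in the thread, the second is a
# constructed placeholder for a healthy service.
HJT_LINES = [
    "O23 - Service: SysEnforce - Unknown owner - "
    "C:\\PROGRA~1\\TRISNA~1\\SSI\\SYSENF~1.EXE (file missing)",
    "O23 - Service: Example Service (ExampleSvc) - Example Corp - "
    "C:\\Program Files\\Example\\svc.exe",
]

# Offline stand-in for os.path.isdir(): the directories the example treats as
# present on the machine (assumption, lower-cased for comparison).
KNOWN_DIRS = {
    "c:\\windows\\system32",
    "c:\\windows",
    "c:\\windows\\system32\\wbem",
}

SHORT_NAME = re.compile(r"~\d+")          # 8.3 name component such as MUVEET~1
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_set_dump(text: str) -> Dict[str, str]:
    """Turn the NAME=value lines written by `set` into a dict (split on first '=')."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            env[name] = value
    return env


def audit_path(path_value: str, known_dirs=KNOWN_DIRS) -> List[str]:
    """Return human-readable findings for a PATH value: whitespace around an
    entry, empty entries, duplicates, 8.3 short names, and missing directories."""
    findings: List[str] = []
    seen = set()
    for raw in path_value.split(";"):
        if raw != raw.strip():
            findings.append(f"whitespace around entry: {raw!r}")
        entry = raw.strip()
        if not entry:
            findings.append("empty entry (consecutive or trailing ';')")
            continue
        key = entry.lower()
        if key in seen:
            findings.append(f"duplicate entry: {entry}")
        seen.add(key)
        if SHORT_NAME.search(entry):
            findings.append(f"8.3 short name, resolve to full path: {entry}")
        if key not in known_dirs:
            findings.append(f"directory not found: {entry}")
    return findings


def parse_o23(line: str):
    """Parse one HijackThis O23 line into its fields; None if not an O23 line."""
    m = O23_RE.match(line)
    if not m:
        return None
    return {
        "name": m.group("name"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "file_missing": m.group("missing") is not None,
    }


def orphaned_services(lines) -> List[str]:
    """Names of services whose binary HJT reports as missing: a registration
    left behind after the program was removed, as with SysEnforce above."""
    return [svc["name"] for svc in map(parse_o23, lines) if svc and svc["file_missing"]]


if __name__ == "__main__":
    env = parse_set_dump(ENV_TXT)
    for finding in audit_path(env["Path"]):
        print("PATH:", finding)
    for name in orphaned_services(HJT_LINES):
        print("orphaned service:", name)
```

    Run on the sample it reports the leading-space entry, the duplicate MUVEET~1 entry (twice flagged as a short name and as not found in `KNOWN_DIRS`), and SysEnforce as an orphaned service; on a real machine, replace `KNOWN_DIRS` with `os.path.isdir` and feed it the actual env.txt and HJT log.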
     
  23. T03J4M

    T03J4M Private E-2

    When I went to SysEnforce properties, the service was already stopped.
    Yes, the O23 service SysEnforce is now gone.
    After rebooting, I still have no luck with GetRunKey.

    C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
    It's a program called Muvee Technologies; it's a movie maker that came with my XP Media Center.

    Right now, I don't have any problems. Thanks for your time and help! :cool
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
