Complete Trojan takeover, calling in reinforcements!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Sureal, Jan 12, 2008.

  1. Sureal

    Sureal Private E-2

    Hello all,

    I come now to you for your divine guidance and knowledge, I appreciate all assistance and/or advice from you all and I hope we can resolve this as it is causing complete chaos.

    I have reviewed the stickies and read me's and followed the procedures there and have had no luck.

    Ok, now the problem. A few days ago my anti-virus software subscription expired and before I could even get a chance to re-subscribe my system went haywire. It would lock up so bad it would cause a critical error and shutdown. During operation of the computer program shortcuts would just appear on the desktop. Most of them were related to removing spyware/malware (funny huh) trying to get me to buy something.

    I tried some common removal procedures and nothing worked. In about a 5 hour span the problem got so bad that the computer shut down and would not be able to boot it into windows. Blue screen of death was now haunting me.

    I decided to then totally re-install Windows and back up my files. Everything was successful with the re-install. I got Windows totally updated. Got anti-virus again. Everything was going well for about 3 days. Once I got all my files back over from the back-up things went downhill again. Now Internet Explorer just pops up random BS and I am getting weird fake Windows System error messages that bring me to ad pop-ups if clicked. Also McAfee keeps finding and removing Trojans but they keep coming back and in the same files too. Anti-virus also removed a file mllmm.exe from the Windows system files and now I get errors on start up from that with Windows saying it can't find the file and it needs it (go figure). The problem is so bad I could barely open this window to request help and I'm scared to turn off the computer.

    What I've been using...

    McAfee Security Center
    Spybot S&D
    XoftSpy
    Ad-Aware
    Windows Defender
    VundoFix
    CCleaner

    None of those have worked. I will be forever grateful to any help that can be provided. Please also let me know what Logs to post and I will do so gladly.

    Thank You So Much.

    P.s. Sorry for the long post, I wanted to make sure all information was given, although I know I probably forgot something. :) :)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome

    As you have mentioned you read and followed the stickies and the Read Me, then please do run the steps below again to get a fresh new set of logs and attach them to your next post in this thread.

    READ & RUN ME FIRST. Malware Removal Guide

    So logs that you will get to attach are:

    MGlogs.zip (which has 5 logs inside it, including Hijackthis, just attach the whole Zip )
    AVG
    Combofix logs.

    http://img144.imageshack.us/img144/9164/90482430fa4.jpg


    After these are attached our malware experts will review these to see if you're OK; if not, they will issue you some further removal instructions for your specific malware infestation.
     
  3. Sureal

    Sureal Private E-2

    Hello,

    Thanks for the reply.

    I revisited the FAQ and I totally missed the cleaning procedure, lol!

    I ran everything as instructed and I think the problem is gone but only time will tell :). Even though I had the box checked for SpyBot to make a log every time it scanned, it did not make one so I do not have that attached. Thanks again for taking the time!

    P.s. I have a huge red X over my hard drive icon now. Any idea why this is? Oh also I have a lot of pos files in my root folder now, what are these and can I clean them up?
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Make sure you have removed all temp. files from:
    C:\Documents and Settings\Buck\My Documents\

    Download and save RenV.exe to Desktop (must be on the Desktop)
    * Double-click RenV.exe
    o When finished, it will produce a new log named Log.txt on the Desktop.
    o Attach this log to your next reply.

    Now Re-run ComboFix and attach that log.
     
  5. Sureal

    Sureal Private E-2

    New Logs!! Thanks Again!
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now Copy the bold text below to notepad. Save it as Log.txt to your desktop.
    * Now using your mouse, drag Log.txt onto RenV.exe
    * When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    * Run ComboFix
    * Run C:\MGtools\GetLogs.bat by double clicking on it.
    * Attach the below new logs:
    o Log.txt
    o C:\ComboFix.txt
    o C:\MGlogs.zip
     
  7. Sureal

    Sureal Private E-2

    New logs!

    I watched RenV run and it kept saying it could not find the files. Just thought I would let you know.

    Thanks Again, I appreciate all your help!

    -=Sureal=-
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We missed one.....
    First:
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.
    Copy the bold text below to notepad. Save it as Log.txt to your desktop.
    Now using your mouse, drag Log.txt onto RenV.exe
    * When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    * Run ComboFix
    * Run C:\MGtools\GetLogs.bat by double clicking on it.
    * Attach the below new logs:
    o Log.txt
    o C:\ComboFix.txt
     
  9. Sureal

    Sureal Private E-2

    Here's the new ones :) :) :)!!
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It still was not removed ....let's do it again (are you sure you took the notepad txt and drag and dropped it on the RenV.exe icon?)

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Re-run RenV.exe and also attach that log.
     
  11. Sureal

    Sureal Private E-2

    Tim,

    Ok I re-ran the procedure as you asked and also followed the avenger procedure to a T, but I still don't think it worked.

    I also noticed the file we were after doesn't seem right. It may be a typo, but in both of your posts it is written hpcmpmgr .exe. But should it be hpcmpmgr.exe??

    Even so I tried it both ways with the same results. I'll attach the logs. Thanks for your help. I'll look forward to hearing your input.

    -=Sureal=-
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No...it is what the new Vundo does ...files with multiple spaces after the name and before the .exe.

    * Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).
    Code:
    C:\Program Files\HP\hpcoretech\hpcmpmgr  .exe
    
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log named Log.txt on your Desktop.
    Attach the new log.
     
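    The naming trick Tim describes above (a legitimate program name padded with spaces before the .exe so the padded file sits next to the real one and looks the same in Explorer) can be checked for with a short script. The one below is an added example, not a tool from this thread or from MajorGeeks: it flags file names that carry whitespace between the base name and the extension, and reports whether the unpadded twin is present in the same folder, which is the pattern seen with hpcmpmgr  .exe beside the genuine HP file. The listing it runs over is constructed for illustration; the hpcoretech path and mllmm.exe are taken from the thread, the remaining entries are made up.

```python
import ntpath
import os
import re
from typing import Iterable, List, Optional, Tuple

# A base name, then one or more spaces/tabs, then a short extension at the very end.
# Legitimate installers practically never produce such names, so a match is worth
# a look; in Explorer the padded name renders almost identically to the real one.
PADDED_NAME = re.compile(r"^(?P<base>.+?)[ \t]+\.(?P<ext>[A-Za-z0-9]{1,4})$")

# Constructed listing for illustration. The hpcoretech path and mllmm.exe come from
# the thread above; the other entries are made up.
SAMPLE_LISTING = [
    r"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe",
    r"C:\Program Files\HP\hpcoretech\hpcmpmgr  .exe",
    r"C:\WINDOWS\system32\mllmm.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\Buck\My Documents\report .doc",
]


def padded_name(filename: str) -> Optional[str]:
    """Return the name a padded file name imitates, or None if the name is not padded.

    'hpcmpmgr  .exe' -> 'hpcmpmgr.exe'; 'kernel32.dll' -> None.
    """
    m = PADDED_NAME.match(filename)
    if m is None:
        return None
    return f"{m.group('base')}.{m.group('ext')}"


def find_padded_names(paths: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Flag every path whose file name is padded.

    Each hit is (suspect_path, imitated_name, twin_present). twin_present says
    whether the unpadded name also exists in the same directory, the strongest
    sign that something is hiding behind a legitimate program's name.
    ntpath is used so Windows-style paths parse correctly on any host.
    """
    paths = list(paths)
    # (directory, file name) pairs, lower-cased because NTFS names are case-insensitive
    present = {(ntpath.dirname(p).lower(), ntpath.basename(p).lower()) for p in paths}
    hits = []
    for p in paths:
        imitated = padded_name(ntpath.basename(p))
        if imitated is None:
            continue
        twin = (ntpath.dirname(p).lower(), imitated.lower()) in present
        hits.append((p, imitated, twin))
    return hits


def scan_directory(root: str) -> List[Tuple[str, str, bool]]:
    """Walk a real directory tree and apply the same check to every file in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return find_padded_names(found)


if __name__ == "__main__":
    for suspect, imitated, twin in find_padded_names(SAMPLE_LISTING):
        note = "real file present alongside" if twin else "no unpadded twin"
        print(f"{suspect!r} imitates {imitated!r} ({note})")
```

    On the constructed listing the HP entry is reported with its genuine twin present, while the padded .doc is reported without one; ordinary names such as kernel32.dll or names with a space elsewhere (my file.txt) are not flagged. Run scan_directory(r"C:\Program Files") on a live system to apply the same check to a real tree.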
  13. Sureal

    Sureal Private E-2

    Tim,

    I did exactly as instructed, I hope it worked :)

    -=Sureal=-
     

    Attached Files:

    • Log.txt (285 bytes)
