Fake Trojan Infection Warning

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pbmax, Jan 17, 2012.

  1. pbmax

    pbmax Private E-2

    Received small popup window (not mimicking Windows Security Center this time) stating a Trojan had been detected and directed us to download a program to repair/fix. Window would not close.

    Have run Read First and Run steps and now cannot open Firefox or Microsoft Office programs for the originally infected user. Other accounts are not affected in this way. Only programs that run for infected user after scans are IE 8.x and Acrobat Pro.

    Logs attached in one zip file.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Delete the following file:
    C:\Documents and Settings\All Users\Application Data\55tmrt16x1a2h40

    The rest of your logs are clean.
    _______________________________
    Let me know exactly what happens whenever you attempt to run Firefox or Office. Make note of any error messages.

    In fact let's also run this scan:

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark following checkboxes:

    • Flush DNS
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List last 10 Event Viewer log
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  3. pbmax

    pbmax Private E-2

    Dis/Rem Messenger run. File deleted. Log for Mini Tool Box attached.

    Attempts to run Firefox bring up the Open With/Choose From dialog box. Attempts to run Office bring up an empty dialog box with a red X for closing and no message.
     

    Attached Files:

  4. pbmax

    pbmax Private E-2

    Sorry, wrong info about the error message when attempting to open Office programs. Run an Office application and it brings up a dialog box with a circular red X in it with the message Application not found. This message can be closed with the normal red x in U/R corner.

    Attached is also a screen shot of error message when an attempt is made to run a control panel (in this case, the User control panel).
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

  6. pbmax

    pbmax Private E-2

    Shortcut target is a generic title "Microsoft Office 2007" for Office programs and grayed out (uneditable even as admin). Other application shortcuts have a Target of the actual exe, but when dbl-clicked produce the Open With dialog box. The target location for Office programs is blank. In Acrobat, Target location simply says Acrobat.

    If I navigate to the actual exe, the Open With/Choose Program window pops up.

    Control Panels when run yield the screen shot below about not having access to rundll32.

    Exception is IE. However, I just discovered that if you go to a file associated with a program (a .txt file for Notepad, a .docx file for Word) and double click on it, the program will run and act normally. This is why Acrobat seemed to work earlier, however, its shortcuts have been affected as well.
     
  7. thisisu

    thisisu Malware Consultant

    Try the below:

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop on the PC with the infection.

    Open up this newly created folder and then open the "files" folder (...\windows repair v1.6.0\files)
    From here, locate the fix_exe_hijack.inf file and then Right-mouse click it one time, then choose "Install".
    Once you have done this, you should now be able to open applications again.
    Let me know the results or if you need additional help.

    Also download the .lnk fix from here.
    Merge linkfile_fix.reg into the Windows Registry.
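    A read-only PowerShell check, added here and not part of the thread, of Tweaking.com's tool, or of the .lnk fix, that reports whether the .exe and .lnk associations those two fixes restore have drifted from Windows defaults. The expected values and the per-user override paths are assumptions based on stock Windows defaults, not taken from the thread; the script changes nothing.

```powershell
# Added example: read-only check of the .exe / .lnk associations that an
# "exe hijack" alters (symptom: Open With dialog or "Application not found"
# when launching an exe or shortcut). It reports drift; it changes nothing.
# Assumption: these are the stock Windows defaults (not taken from the thread).
$expected = @{
    'HKLM:\SOFTWARE\Classes\.exe'                       = 'exefile'
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
    'HKLM:\SOFTWARE\Classes\.lnk'                       = 'lnkfile'
}

# Per-user Classes keys take precedence over the machine-wide ones in the
# merged HKCR view, so a hijack planted here survives a clean HKLM.
# Assumption: a default install has none of these per-user keys.
$perUserOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Classes\.lnk',
    'HKCU:\Software\Classes\lnkfile'
)

function Get-DefaultValue([string]$Path) {
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')   # '' names the key's (Default) value
}

$findings = @()
foreach ($path in $expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($null -eq $actual) {
        $findings += "MISSING  $path"
    } elseif ($actual -ne $expected[$path]) {
        $findings += "CHANGED  $path  expected [$($expected[$path])] found [$actual]"
    }
}
foreach ($path in $perUserOverrides) {
    if (Test-Path -Path $path) {
        $findings += "OVERRIDE $path  (per-user key shadows HKLM; inspect its shell\open\command)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: .exe and .lnk associations match Windows defaults'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Review the entries above before and after merging any registry fix.'
}
```

Run it once before applying the fixes to record what was altered, and again afterwards to confirm the associations are back to defaults.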
     
  8. pbmax

    pbmax Private E-2

    Fix_exe and lnk_fix both ran without issues and exe files will open and shortcuts seem to function.

    Now that I can see Firefox on the infected users login, it has the Start Now toolbar. Google has various reports that it is spy/adware. There is no entry in Add/Remove for this program.

    I also see Fox Tab converter which a cursory search of Google does not list as spy/adware, but from the results looks hard to uninstall. There is an installer listed for Fox Tab.

    Are you familiar with either and would you have a suggestion for the best way to remove either?
     
  9. thisisu

    thisisu Malware Consultant

    I think the easiest way would be to uninstall Firefox. Plus that user has a really old version of it: Mozilla Firefox (3.6.2)

    If you need to backup their bookmarks first: Click here

    The latest stable version is v9.0.1
     
  10. pbmax

    pbmax Private E-2

    Uninstalled Firefox and that took care of Start Now toolbar. The Fox Tab PDF converter uninstaller ran but hung up when it could not find its exe, which I believe was deleted by one of the scans. Used ccleaner to remove its listing.

    Computer seems to be performing well now.
     
  11. thisisu

    thisisu Malware Consultant

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
     
