Help Needed: SHeur.ALBZ Trojan found!

Discussion in 'Malware Help (A Specialist Will Reply)' started by aquaman8, Feb 29, 2008.

  1. aquaman8

    aquaman8 Private E-2

    Hi,

    I was using IE6 on the web about 3 weeks ago, when I got an alert that AVG found this, gave me the message on the screen, then blue screen of death, then my laptop computer re-booted. When I was back in Windows, trying to execute Windows Explorer resulted in the hourglass, but no IE Explorer. I needed the computer for a business trip and loaded Firefox and it worked ok.

    Since then, the computer has been acting odd. Last week I got a trojan Adware W32.ExpDwnldr message a couple of times. As well, I noticed that at least 3 times, IE Explorer opened up on a website and there seemed to be activity. Fearing the worst I closed IE Explorer immediately.

    I have run through the recommended Clean-up and Windows 2000 & 2003 cleaning procedure.

    I just got great and appreciated help for my wife's desktop from Chaslang and hope that someone can help me out with my laptop.

    I have attached the requested logs.

    Thanks in advance to a great resource!

    Mitch
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 1

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. aquaman8

    aquaman8 Private E-2

    Good Morning TimW,

    Thanks so much for helping me out with this, it is greatly appreciated!

    I followed your instructions and have attached the requested logs.

    Curious about 2 things

    1) In the HJT Fix instructions I saw the

    O20 Winlogon Notify byjuscrk....

    what is this? I am paranoid about keystroke senders and this sounds like one to my naive eye..am I being needlessly paranoid?

    2) When I was downloading the JAVA update I noticed activity in my browser sending info to something like kona or kona.criteria or something...more needless paranoia on my part or should I be worried?

    I know that you guys are busy just helping us get our machines clean but if you could point me somewhere to get a little background info it would be great!

    All the best,

    Mitch
     

    Attached Files:

  4. aquaman8

    aquaman8 Private E-2

    Hi,

    You asked how the computer was running, and something odd just took place.

    IE6 just self-launched and went to a securepccleaner.com site. I did nothing and a few minutes later I got an IE6 error message. I have attached the cleaner website address as well as the error message in a text file.

    Does something still have control of my IE6?

    Thanks,

    Mitch
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to disable ALL anti-virus and spyware programs while we do the following:
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now uninstall:
    LiveReg (Symantec Corporation)"
    LiveUpdate 2.6 (Symantec Corporation)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Be sure to tell us how things are running.
     
  6. aquaman8

    aquaman8 Private E-2

    Hi,

    Followed your instructions, except the uninstall of the Symantec programs. I have Norton Ghost running and got a warning not to uninstall. What should I do?

    Attached please find the zip file.

    Thanks again,

    Mitch
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  8. aquaman8

    aquaman8 Private E-2

    Good morning,

    Booted up my computer this morning and after a few minutes (I only ran Process explorer to observe behavior, then exited the program) it auto-launched IE to advanced-cleaner.com site. AVG caught a virus (identified it as JS/Psyme) as IE6 opened and I quarantined the virus.

    Something still hiding on my machine?

    I ran MG Tools (GetLogs.bat) and log is attached.

    Thanks,

    Mitch
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That item may have been in your temp internet files ....but I am not seeing anything...if you wish Go to Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  10. aquaman8

    aquaman8 Private E-2

    Hi TimW,

    I had to use my IE6 as browser to use the Bitdefender scanner. I started this odyssey when I lost the ability to open it. I did open it, but I was redirected to another site. I exited IE6 and restarted and finally got to the Bitdefender site. I ran the scan, but when I went to save it, I had no choice but to save them as html files. I changed the file type back to .txt to be able to attach it.

    As noted in an earlier email I have experienced auto-launch of IE6 several times in the past few days.

    Attached please find the Bitdefender file. Should I also run MGTools?

    Thanks,

    Mitch
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yup...temporary internet files ....
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
      * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
      * NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Make sure you remove all temp files!

    Now how is it working?
     
  12. aquaman8

    aquaman8 Private E-2

    Hello TimW,

    Thank you for the reply. I ran ATF and cleaned out the temp files.

    System appears to be running ok now. I'll monitor and get back if issues arise.

    Thanks to this site and especially to you hard working experts that take the time to help us when we get ourselves into trouble.

    You guys are great!

    Thanks again,

    Mitch
     
  13. aquaman8

    aquaman8 Private E-2

    Hi TimW,

    I spoke too soon!

    Just clicked on My Computer icon, then on my C: Main drive and IE autolaunched to

    SECUREPCCLEANER

    site. I closed the IE window, clicked on a folder on my c: drive, then IE opened again, this time to

    TRUSTEDANTIVIRUS.COM

    site.

    Where is this virus hiding!!!??? Has it somehow inserted itself to my Windows Explorer file?

    Help!


    Mitch
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run both MGTools and ComboFix again and attach the logs ...yes it is hiding.
     
  15. aquaman8

    aquaman8 Private E-2

    Hi TimW,

    I ran Superantivirus overnight after posting my last message. In the AM I found that it had identified a trojan which it classified as

    trojan.Unclassified-Packed/Suspicious

    I quarantined it, then ran ComboFix (using KillAll as described) and then MGTools using GetLogs.bat. The requested logs are attached.

    A quick look at Hijackthis log shows something I was wondering about for a while, that being

    C:\WINNT\system32\dmscriptt.dll

    it is now shown with (file missing), as I believe that Antispyware removed it. Was this generated by some other program, as I noticed it appears quite a few times, and many more times than in one of my earlier HijackThis logs?

    Thanks,

    Mitch
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I researched that file and could find nothing definitive ....so let's kill it. :)

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now how are things?
     
  17. aquaman8

    aquaman8 Private E-2

    Hi TimW,

    Just a quick question before I execute your instructions.

    First, the 3 entries you asked me to fix in the HijackThis log are no longer present in my current AnalyseThis log. There are still 10 entries ending with

    .....system32\dmscriptt.dll (files missing)

    but the numbers contained within the { } brackets are no longer the same.

    Is there a reason why you wanted me to just check 3 of the 10 dmscriptt.dll entries? I am definitely NOT second guessing you, I am just trying to understand what we are doing. Sorry if I am wasting some of your time!

    I have attached my latest MGTools log if that helps. Hopefully my machine won't change before you get back to me! I'll leave it running but not use it until I hear from you.
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    They were all that showed in the previous log ...so if there are more ...kill them!:)

    Do the reg. patch after HJT and then get me a new MGLogs.zip
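    The last few posts turn on two points the thread never spells out: what an O20 Winlogon Notify entry is (a DLL that winlogon.exe loads at every logon, which is why an unrecognised one is worth a close look), and why all ten dmscriptt.dll lines should be fixed together even though the {CLSID} values changed between logs (the registry entries are orphans pointing at a file that is already gone, and the file, not the GUID, is the thing to match on). The following is an added example, not code from the thread or from MajorGeeks' tools: a small Python triage of HijackThis-style log lines that flags exactly those conditions. The sample lines are constructed, the {CLSID} values and the "xyzabcde" Winlogon Notify name are made up, and the allowlist of Windows' own Notify DLLs is illustrative, not exhaustive.

```python
import re
from collections import defaultdict

# Constructed HijackThis-style excerpt for illustration. The thread's real logs
# were attached as MGlogs.zip and are not on the page. All {CLSID} values and
# the "xyzabcde" Winlogon Notify entry are invented; the dmscriptt.dll path is
# the one the thread discusses.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {AAAAAAAA-1111-4222-8333-444444444444} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A2B3C4D-0000-4000-8000-000000000001} - C:\WINNT\system32\dmscriptt.dll (file missing)
O2 - BHO: (no name) - {1A2B3C4D-0000-4000-8000-000000000002} - C:\WINNT\system32\dmscriptt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: xyzabcde - C:\WINNT\system32\xyzabcde.dll
O21 - SSODL: (no name) - {1A2B3C4D-0000-4000-8000-000000000003} - C:\WINNT\system32\dmscriptt.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_TAG = "(file missing)"

# Illustrative allowlist (assumption): Winlogon Notify DLLs that ship with
# Windows 2000/XP. Anything outside it is "unrecognised", not "malicious".
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}


def parse_entry(line):
    """Split one HijackThis line into code, kind, name, CLSID, path, missing-flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    missing = rest.endswith(MISSING_TAG)
    if missing:
        rest = rest[: -len(MISSING_TAG)].rstrip()
    kind, sep, rest = rest.partition(": ")
    if not sep:
        return None
    clsid = None
    if rest.startswith("["):                 # O4 autostart: "[Name] command line"
        name, _, path = rest[1:].partition("] ")
    else:
        cm = CLSID_RE.search(rest)
        if cm:                               # O2/O21 style: "Name - {CLSID} - path"
            clsid = cm.group(0)
            name = rest[: cm.start()].rstrip(" -")
            path = rest[cm.end():].lstrip(" -")
        else:                                # O20 style: "Name - path"
            name, _, path = rest.partition(" - ")
    return {"code": code, "kind": kind, "name": name, "clsid": clsid,
            "path": path, "missing": missing}


def dll_name(path):
    """Bare file name, lower-cased, with any command-line arguments dropped."""
    return path.split("\\")[-1].split()[0].lower() if path else ""


def entries_for_file(log_text, filename):
    """Every entry that references one file, whatever CLSID it was registered under.
    This is the set to tick together in HJT: the GUIDs differ between logs, so
    match on the file, not on the {CLSID}."""
    return [e for e in map(parse_entry, log_text.splitlines())
            if e and dll_name(e["path"]) == filename.lower()]


def triage(log_text):
    """Return (entry, reasons) pairs for the lines an analyst should look at."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    by_file = defaultdict(list)
    for e in entries:
        by_file[dll_name(e["path"])].append(e)
    findings = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("orphaned entry: the registry still points at a file that is gone")
        if e["code"] == "O20" and dll_name(e["path"]) not in KNOWN_NOTIFY_DLLS:
            reasons.append("unrecognised Winlogon Notify DLL (loaded into winlogon.exe at logon)")
        siblings = by_file[dll_name(e["path"])]
        if e["clsid"] and len(siblings) > 1:
            reasons.append(f"same file registered under {len(siblings)} different CLSIDs")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for e, reasons in triage(SAMPLE_LOG):
        print(f'{e["code"]} {e["kind"]}: {e["name"]} -> {e["path"] or "(none)"}')
        for r in reasons:
            print("    -", r)
```

Run against the sample, the legitimate BHO, the AVG autostart and the crypt32 Notify handler pass silently; the three dmscriptt.dll orphans are reported together with a note that one file sits behind three different CLSIDs, and the invented O20 entry is reported because it is not one of Windows' own Notify DLLs. A match in the allowlist is only a reason not to flag on name; a real check would still confirm the file's signature and location.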
     
  19. aquaman8

    aquaman8 Private E-2

    Hi,

    OK. I turned off all antivirus programs and then

    1) Ran HJT and fixed 10 versions of the dmscriptt.dll (file missing).

    2) Then ran your provided regedit fix.

    Attached is MGTools log.

    Thanks for your help and patience with this!

    Mitch
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The items are gone ...tell me if you have any other issues. :)
     