Infected w/Downloader Trojans etc.

Discussion in 'Malware Help (A Specialist Will Reply)' started by gmad, Jun 9, 2006.

  1. gmad

    gmad Private E-2

    Hi there, thanks ahead of time for the help, you guys ROCK!

    I was infected with a multitude (I think) of malware. Not exactly sure how I got it either. Started out getting pop-ups from Windows Security Center. Then weird stuff started happening like I couldn't open IE, couldn't type in PW to log in to Safemode (Computer would freeze). Computer was mega slow, bla, bla, bla....

    So, I came here. I followed your advice tit-4-tat and things have improved dramatically. I actually thought I had it licked but my ISP redirected my Homepage recently to a warning that my 'puter was spamming.

    So, I went through the whole MajorGeeks suggestion page to remove malware. (Except, I still am not sure about the System restore part, and think I am being reinfected upon startup.)


    I've attached my computer info, Ewido log, BitDefender log, and HJThis log.

    Last edited by a moderator: Jun 9, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    First a couple questions:
    • Where is the log from Panda ActiveScan?
    • Is Ewido a free trial or a paid version?
    • Why are you running this PC with no antivirus application?
    • Why are you running this PC with no real firewall application? I say real because if you are relying on the WinXP SP2 firewall, it is not a real firewall.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\susp.exe
    C:\WINDOWS\system32\taskdir.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
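An added example, not code from the thread or from HijackThis: a small Python parser for the R0/R1, O2 and O4 line types quoted above that picks out the same entries chaslang listed for fixing. The file paths and CLSID come from the thread; the benign ExampleUpdater entry and the expected-homepage list are constructed placeholders.

```python
import re
# Line shapes quoted in this thread: R0/R1 start-page values, O2 BHOs, O4 Run keys.
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HKCU|HKLM)\\\.\.\\(\w+): \[(.+?)\] (.*)$")

def parse_line(line):
    """One HJT log line -> dict, or None for line types this example does not handle."""
    line = line.strip()
    if m := R_LINE.match(line):
        kind, hive, _key, value, url = m.groups()
        return {"kind": kind, "hive": hive, "name": value, "target": url}
    if m := O2_LINE.match(line):
        _label, clsid, path = m.groups()
        return {"kind": "O2", "hive": "", "name": clsid.lower(), "target": path}
    if m := O4_LINE.match(line):
        hive, _subkey, label, path = m.groups()
        return {"kind": "O4", "hive": hive, "name": label, "target": path}
    return None

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def flag(entries, bad_files, bad_clsids, expected_homepages):
    """Select entries the way the list above does: start pages off the expected list,
    BHOs that are orphaned ("(no file)") or on the CLSID list, Run entries launching a listed file."""
    hits = []
    for e in entries:
        t = e["target"].lower()
        if e["kind"] in ("R0", "R1") and t not in expected_homepages:
            hits.append(e)
        elif e["kind"] == "O2" and (t == "(no file)" or e["name"] in bad_clsids):
            hits.append(e)
        elif e["kind"] == "O4" and t in bad_files:
            hits.append(e)
    return hits

# Constructed sample: the entries quoted in this thread plus one made-up benign Run entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""
BAD_FILES = {r"c:\windows\system32\susp.exe", r"c:\windows\system32\taskdir.exe"}
BAD_CLSIDS = {"{77701e16-9bfe-4b63-a5b4-7bd156758a37}"}
EXPECTED_HOMEPAGES = {"http://www.majorgeeks.com", "about:blank"}
```

Calling `flag(parse_log(SAMPLE_LOG), BAD_FILES, BAD_CLSIDS, EXPECTED_HOMEPAGES)` returns the six entries from chaslang's list and leaves the constructed benign Run entry alone.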
     
  3. gmad

    gmad Private E-2

    Thanks so much for your help Chaslang!


    Greg Responds:

    I was not offered to save a log from the free version of Panda ActiveScan that I know of.
    Ewido was free too.
    I have tried to use Norton twice and it was nothing but a HUGE pain. It kept blocking my email and www access.
    Firewall- I plead ignorance.


    I did all of the steps you suggested. I will copy my latest HJT log as requested at the end of this post.
    The only abnormal thing I saw upon rebooting into normal mode was the lil pop up window in the lower right from Windows Security Alerts.

    Also, when I was deleting the files you requested, I could NOT find C:\WINDOWS\system32\susp.exe
    I was able to delete the other though.

    Two final questions: Am I to NOT shut down my computer until I complete the following? Does restarting reinfect me until we do this?: "Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe."

    Edit by chaslang: Inline log attached

    Last edited by a moderator: Jun 12, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The directions tell you what to do to create a log when the scan completes.

    Then uninstall Ewido!

    There are many alternatives to Norton and we even have three very good free choices I will give to you later.

    Free firewalls are in the directions I will also give later (when we finish all cleanup).


    Please remember to ALWAYS attach logs! Do not post them inline like you did.

    Did you forget to fix the below or is it coming back? Try again and tell me if it goes away.
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

    We may need to use a different procedure to remove this. Some BHOs can be stubborn because the logged in user account may not have permissions to delete it.


    You should be okay to shut down and reboot your PC now. But just tell me now if you are having any malware problems at all.
     
  5. gmad

    gmad Private E-2

    Sorry 'bout that chaslang. I DID forget to delete the O2 - BHO: (no name) - etc.

    I just ran HJT again right now to delete it, but I failed to close outta this web page. I ran HJT again and did not see it again. I saved the log over the top of the first one I did and included it as an attachment. (Sorry about incl the HJT log-There is a lot of info and I just did not remember.)

    I also did find the panda active scan reports as you stated and ran a new one today. It was clean. I have attached both the original and today's.

    I will uninstall Ewido after this post. (was I not supposed to install it?)

    Can't wait to hear what options you have for me on the firewall and anti-virus realms.

    Thanks again, I think I am in far better shape now.
    GMAD

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Those are not Panda logs. They are Ewido logs.

    It is only a free trial that expires in 15 days unless purchased. You have Windows Defender which is free. You do not want to have more than one real time spyware blocking tool like this installed. It uses too much of your system's resources and can cause conflicts and possibly make each tool less effective.

    MAKE SURE EWIDO is uninstalled. It was in your HJT log.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  7. gmad

    gmad Private E-2

    One last question b4 I do that....I am still getting the Windows Security Center popup in the lower right corner. Seems to only pop up once though after a restart. Is that anything to worry about?

    Greg
     
  8. gmad

    gmad Private E-2

    Ok, I actually went thru with the re-restore steps.

    I will check for your answer to my prior post question, but will also move ahead with protecting my PC. Thanks a BILLION for the help Chaslang!!!

    Greg
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is it really Windows SecurityCenter or is it a fake spyware alert? What does it say?

    Have you completed all of the How to protect thread steps and are you still seeing the popup afterwards? You did not have a firewall or antivirus program installed, so Windows Security Center is going to complain about that unless you disable it (not recommended).
     
