Infected with WMA.wimad, worm.P2P.nugg and others

Discussion in 'Malware Help (A Specialist Will Reply)' started by MrVader101, Apr 1, 2009.

  1. MrVader101

    MrVader101 Private E-2

    Hi there,

One of our computers here in my workplace has been used to download files via P2P ("LimeWire"); needless to say, it has become heavily infected with malware.

Originally, through scans, I found WMA.wimad and variations, Trojan. Generic 64486, trojan.generic.1426188, Proantispyware, worm.P2P.nugg and variations, plus others which appeared in the first lot of scans I ran.

Yesterday, to clean this computer up, I ran the tools in the READ & RUN ME FIRST thread plus the BitDefender online scan.

However, the computer remains infected. I have followed the READ & RUN ME FIRST thread closely today.

I am fairly sure that the malware is still present, as I am unable to enable Automatic Updates on the computer, which I think may be a symptom of Vundo.

Anyway, I have attached the relevant logs and would greatly appreciate any advice. Thanks for your time.

    cheers
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A company PC and it has no protection software installed????????

    First thing you need to do is run MSconfig and put the PC into normal startup mode as requested in step 1 of the READ & RUN ME.

    Then you must disable Spybot's Teatimer. See this: How to disable Spybot's TeaTimer

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. MrVader101

    MrVader101 Private E-2

Thank you for your help on this one.

Yes, I generally have eTrust ITM installed on this machine. I have disconnected it from the network and uninstalled the antivirus, as I was having trouble stopping its protection services when running ComboFix. But it will be straight back on again once this process is finished.

    I completed the steps suggested.

I am now getting the Windows message "Windows cannot open this file" for .security; it pops up twice on startup.

I did a quick Windows search for .security, which turned up in:
c:\Documents and settings\administrator.mhaacs.000\Start menu\programs\Startup
c:\Documents and settings\all users\Start menu\programs\Startup
The file being .security.

And I still seem to be unable to re-enable Windows Automatic Updates.

Thanks again for your time. I have attached the logs you requested.
    cheers
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

This may be something you will have to work in the Software Forum; however, let's finish with your cleaning first. We have more to do and there is also a suspicious file ( c:\windows\system32\drivers\Mgcsecp.sys ) I want to find out about.


    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
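The three items the last two posts turn on (an odd ".security" file sitting in the Startup folders, an Automatic Updates service that will not come back on, and a driver whose origin is unknown) can be triaged read-only before any cleaning tool is run. The script below is an added example for that purpose; it is not part of the thread and not one of the MajorGeeks tools. It assumes Windows PowerShell run as Administrator, the XP profile layout from the thread plus the Vista-and-later layout, and the driver path exactly as chaslang wrote it; the function names (Get-StartupFolderEntries, Get-AutomaticUpdatesState, Get-DriverReport) are the example's own.

```powershell
# Added triage example; not from the thread or the MajorGeeks tools.
# Read-only: it lists and reports, it does not delete or change anything.
# Assumes Windows PowerShell run elevated; Get-WmiObject is used so it also
# works on the XP-era PowerShell the thread's machine would have had.

$driverPath = 'C:\WINDOWS\system32\drivers\Mgcsecp.sys'   # path named in post 4

function Get-StartupFolderEntries {
    # Startup folders for every profile (XP and Vista+ layouts) plus All Users.
    $patterns = @(
        'C:\Documents and Settings\*\Start Menu\Programs\Startup',
        'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup',
        'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
    )
    foreach ($pattern in $patterns) {
        Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                # A dot-prefixed or extension-less file (like ".security") has no
                # registered handler, which is exactly what produces the
                # "Windows cannot open this file" pop-up at logon; flag it.
                $unusual = $_.Name.StartsWith('.') -or [string]::IsNullOrEmpty($_.Extension)
                New-Object PSObject -Property @{
                    Path          = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    Unusual       = $unusual
                }
            }
    }
}

function Get-AutomaticUpdatesState {
    # wuauserv is the Automatic Updates service and BITS is what it downloads
    # through. Malware commonly sets one or both to Disabled, which is the
    # "cannot re-enable Automatic Updates" symptom described in the thread.
    foreach ($name in 'wuauserv', 'BITS') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc) {
            New-Object PSObject -Property @{
                Service    = $name
                State      = $svc.State
                StartMode  = $svc.StartMode
                Suspicious = ($svc.StartMode -eq 'Disabled')
            }
        }
    }
}

function Get-DriverReport {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return "Not present: $Path" }
    $file = Get-Item $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    # SHA-256 via .NET so it works on old PowerShell versions without Get-FileHash;
    # the hash is what you submit to a multi-engine scanner to find out about a file.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = [System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))) -replace '-', ''
    New-Object PSObject -Property @{
        Path          = $Path
        SizeBytes     = $file.Length
        LastWriteTime = $file.LastWriteTime
        Signature     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer        = $signer
        SHA256        = $hash
    }
}

# Run all three checks and print the results.
Get-StartupFolderEntries | Format-Table -AutoSize
Get-AutomaticUpdatesState | Format-Table -AutoSize
Get-DriverReport -Path $driverPath | Format-List
```

An unsigned driver in system32\drivers with a recent LastWriteTime and a "Disabled" start mode on wuauserv together corroborate the diagnosis in the thread; the script only reports, so the actual removal is still left to the ComboFix/MGtools steps the helper lays out, and the SHA-256 line gives you something concrete to look up before deciding what the file is.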
     
