Issue with username.exe trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by Cluniac, Sep 2, 2009.

  1. Cluniac

    Cluniac Private E-2

    Hello,

I have an issue with a trojan that masks itself as your "username", and runs as username.exe, from the Documents and Settings\username\ directory. This process starts automatically on startup, and sometimes eats a lot of CPU power. I have run all of the scans recommended, and several of them indicated they were removing it... although after rebooting and following all of the scan instructions, it seems to still be there.

    Can someone take a look at my logs and let me know if you have any ideas?

    Thanks for your help!

    Matt
     

    Attached Files:

  2. Cluniac

    Cluniac Private E-2

    And here is my hijackthis log from the last scan :)

    Thanks,
    Matt
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome to the forums. We are currently reviewing your logs and will get back to you with a set of instructions as soon as we can.

    Thanks for your patience during this time.
    Kes13!
     
  4. Cluniac

    Cluniac Private E-2

    Hi Kes,

    Thanks for your reply.

After I posted this, I decided to do some more checking, and I realized that stupidly I had forgotten to scan my external hard drive that I use almost every day... sorry!

    So, of course username.exe was also there, and I removed it with SuperAntiSpyware.

I have run more scans with Malwarebytes every few days and it comes up clean. The computer seems to be running better as well, so I think for now I'm OK. If you see anything else "strange" in my logs, let me know, otherwise thanks for your support.

    Kind Regards,
    Cluniac
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Please go to Add/Remove Programs and uninstall the following older versions of Java:

    • J2SE Runtime Environment 5.0 Update 1
    • Java Runtime Environment 1.5.0
    • Java(TM) 6 Update 13
• Java(TM) 6 Update 3

2. Are you set up to use the below proxy? If not then please include it in our below list of fixables in HJT.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    Not wise to place ANY site into your TZ so fix these lines at your option.

    After clicking Fix exit HJT


    3. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\msprojecthotfix
    
    File::
    d:\documents and settings\matthew.dow\Local Settings\Application Data\mqqcioo.exe
    D:\Documents and Settings\matthew.dow\matthew.dow.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "matthew.dow"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    4. Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    6. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!

    FYI: You should consider upgrading to service pack 3: You are running:

    • Platform: Windows XP SP2 (WinNT 5.01.2600)
     
  6. Cluniac

    Cluniac Private E-2

    Hi,

    Thanks a lot for your help.

    I have followed the instructions.

    I was unable to delete one of the Java versions, 1.5.0, as I get an error when I try to do it, "a suitable JVM could not be found".

    In any case, I attached the logs.

    Thanks again, everything seems to be running fine now,

    Matt
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    There has been an update to ComboFix meaning that you will have to re-run my script in order to get rid of the malware that still remains.

    1. Delete the ComboFix.exe on your desktop and then download the new version:

    ComboFix.exe

    2. Refer back to my post #5 step #3 and re-run the script.

    3. Then...

    Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    4. Run the new MGTools.exe and attach the C:\mglogs.zip that it generates into your next reply, as well as the C:\combofix.txt from running CF.

    Thanks
    Kes13!
     
  8. Cluniac

    Cluniac Private E-2

    Hi,

    Here are the updated logs.

    Thanks again for all your help. Everything seems to be running fine on the computer, it is quite fast for most things now.

    Thanks,
    Matt
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Can you tell me what you know of this file please:


    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    D:\Documents and Settings\matthew.dow\matthew.dow.exe
    D:\Documents and Settings\matthew.dow\Local Settings\temp\uYbodDa7.exe.part
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\matthew.dow]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif



    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    4. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
    :)
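The two CFScripts above (post #5 removing the HKCU\...\Run value named after the user, post #9 removing the leftover MSConfig\startupreg item) target one persistence pattern: an executable named after the profile owner, dropped in the profile root and launched from a Run key. The script below is an added example, not part of this thread or of the MajorGeeks tools; it implements that check as a heuristic over constructed HijackThis-style O4 lines and a constructed startupreg listing for a hypothetical user "alice", and it also accepts the Vista+ C:\Users\<name> layout, which goes beyond the XP case in the thread.

```python
"""Flag startup entries that fit the "username.exe in the profile root" lure.

Added example (not from the thread or its tools). Input is constructed: a few
HijackThis-style "O4" lines and an MSConfig\\startupreg-style dict for a
hypothetical user "alice". Heuristic only; a hit means "look at this", not
"this is malware".
"""
import ntpath
import re

# Profile roots on XP ("Documents and Settings") and, as an assumption beyond
# the thread's XP case, on Vista and later ("Users").
_PROFILE_RE = re.compile(
    r"^(?P<root>[a-z]:\\(?:documents and settings|users)\\(?P<user>[^\\]+))\\(?P<rest>.*)$",
    re.IGNORECASE,
)
# HijackThis O4 line: O4 - HKCU\..\Run: [value name] command line
_O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First .exe token of a command line, with or without surrounding quotes.
_EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def exe_path(command):
    """Return the executable path from a Run-key command line, or None."""
    m = _EXE_RE.match(command.strip())
    return m.group("exe") if m else None


def check_entry(name, command):
    """Return a reason string if (value name, command) fits the lure, else None."""
    exe = exe_path(command)
    if exe is None:
        return None
    m = _PROFILE_RE.match(exe)
    if not m:
        return None  # not under a user profile at all
    user = m.group("user")
    base = ntpath.basename(exe)
    stem = ntpath.splitext(base)[0]
    reasons = []
    if m.group("rest").lower() == base.lower():
        reasons.append("executable sits directly in the profile root")
    if stem.lower() == user.lower():
        reasons.append("executable is named after the profile owner")
    if name.lower() == user.lower():
        reasons.append("Run value name is the username")
    return "; ".join(reasons) if reasons else None


def scan_hjt(lines):
    """Scan HijackThis O4 lines; return [(value name, exe path, reason)]."""
    hits = []
    for line in lines:
        m = _O4_RE.match(line.strip())
        if not m:
            continue
        reason = check_entry(m.group("name"), m.group("cmd"))
        if reason:
            hits.append((m.group("name"), exe_path(m.group("cmd")), reason))
    return hits


def scan_startupreg(entries):
    """Scan an {item name: command} map taken from MSConfig\\startupreg.

    msconfig does not delete a disabled startup item; it parks its registration
    here, so the lure can survive a "disable" and must be checked too.
    """
    hits = []
    for name, command in entries.items():
        reason = check_entry(name, command)
        if reason:
            hits.append((name, exe_path(command), reason))
    return hits


# Constructed sample input modelled on HijackThis O4 lines (not the thread's logs).
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe",
    r"O4 - HKCU\..\Run: [alice] D:\Documents and Settings\alice\alice.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [updater] "C:\Users\alice\AppData\Local\updater.exe" /quiet',
]

# Constructed startupreg listing: item name -> command value.
SAMPLE_STARTUPREG = {
    "alice": r"D:\Documents and Settings\alice\alice.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
}

if __name__ == "__main__":
    for source, hits in (("O4", scan_hjt(SAMPLE_O4_LINES)),
                         ("startupreg", scan_startupreg(SAMPLE_STARTUPREG))):
        for name, exe, reason in hits:
            print(f"[{source}] {name}: {exe} -> {reason}")
```

The third sample line shows why the rule is tied to the profile root rather than to "anything under the profile": a signed updater living under AppData is not flagged, while an .exe sitting directly beside "My Documents" and carrying the account name is. After removal, re-run the same check against the startupreg key; if the item name is still there, the registration survived and the CFScript in post #9 is the right next step.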
     
  10. Cluniac

    Cluniac Private E-2

    Hi,

    Computer still running fine.... here are the logs.

    Thanks,
    Matt
     

    Attached Files:

  11. Cluniac

    Cluniac Private E-2

    Oh yes, and as for the file you mentioned, C:\WINDOWS\system32can4d, I have no idea what it is....

    Regards,
    Matt
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please rename this file C:\WINDOWS\system32can4d to system32can4d.old and tell me how your PC behaves for the next few days after doing this.
     
